Automatic employee provisioning (Provisioning / SCIM)
What is provisioning?
Provisioning is the automatic and continuous synchronization of users from an identity provider to Steeple. Unlike SSO, which only acts at authentication, provisioning keeps data continuously up to date.
What is automatically synchronized
Identity data: first name, last name, email
Access rights to communities
Role assignment
Protocol
Steeple uses the SCIM protocol (System for Cross-domain Identity Management). Communication is one-way: from the identity provider to Steeple.
Synchronized resources
Users
Groups
User-group memberships
Important prerequisite
SSO must be configured before provisioning. It is not possible to configure provisioning alone, regardless of the provider.
Supported providers
Azure Active Directory (Microsoft Entra ID)
Okta
Google Workspace supports only SSO, not SCIM provisioning.
Group-to-community mapping
The identity provider's groups do not directly correspond to Steeple communities. An intermediate association is necessary: each group is linked to a pair (community, role), which translates group membership into community access with a specific role.
Recommendation: create at least two groups per community (contributors and administrators).
Configure provisioning
Configuration is done from Administration > Integrations (/administration/integrations).
Provisioning with Azure Active Directory
In Steeple: Administration > Integrations > Install > click "Show" in the Identification section to get the SCIM URL and the Bearer Token
The token is a secret: never share it over an unsecured channel (chat, email, public ticket)
In Azure: Directory Overview > Provisioning > switch to Automatic
Paste the URL (Tenant URL) and the Token (Secret Token), test the connection
If soft-delete is needed: add an expression mapping Switch([IsSoftDeleted], , "False", "True", "True", "False") on the attribute active
Assign the pre-created groups in "Users and Groups"
Start provisioning. Azure synchronizes every 25 to 40 minutes
In Steeple: assign roles to the linked groups and communities
Check that the number of users and groups matches, then enable synchronization
Provisioning with Okta
In Steeple: Administration > Integrations > Okta SCIM > Install to get the Tenant URL and the Secret Token
The token is a secret: never share it over an unsecured channel (chat, email, public ticket)
In Okta: General > App Settings > manually enable provisioning > save
Provisioning > Integration > configure the SCIM connector:
Paste the Tenant URL
Unique identifier: userName
Check only the Push boxes
Authentication mode: HTTP Header with the Secret Token
Test, then save
Provisioning > Settings > To App: enable Create Users, Update User Attributes, Deactivate Users
Assign the users/groups, configure Push Groups for mapping to communities
Enable synchronization in Steeple. Okta applies changes almost immediately
Important warnings
Disabling or deleting a user on the identity provider side removes the user from the Steeple organization and makes their posts invisible
Only manual intervention by support can reassign the posts of a removed user
Any user absent from the company directory will have all access removed by default
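Because removal hides a user's posts and only support can reassign them, it is worth a dry run of the group-to-community mapping before enabling synchronization. The sketch below is an added example, not Steeple's code or API: it resolves SCIM group memberships through the (community, role) association and lists current members who would lose access. It assumes that userName carries the email address and that the higher role wins when a user is in both groups of a community; all sample data is constructed.

```python
# Added example: constructed data, not Steeple's code or API.
ROLE_RANK = {"contributor": 1, "administrator": 2}  # assumption: higher role wins

def plan_sync(scim_users, scim_groups, group_mapping, current_members):
    """Dry run: return (access, losing_access, unmapped_groups); changes nothing."""
    # Deactivated users (active=false) are treated like absent ones.
    active = {u["id"]: u["userName"].lower()
              for u in scim_users if u.get("active", True)}
    access = {email: {} for email in active.values()}
    unmapped = []
    for group in scim_groups:
        target = group_mapping.get(group["displayName"])
        if target is None:
            unmapped.append(group["displayName"])  # no (community, role) pair
            continue
        community, role = target
        for member in group.get("members", []):
            email = active.get(member["value"])
            if email is None:
                continue  # deactivated or unknown member grants nothing
            held = access[email].get(community)
            if held is None or ROLE_RANK[role] > ROLE_RANK[held]:
                access[email][community] = role
    losing = sorted(m.lower() for m in current_members if m.lower() not in access)
    return access, losing, sorted(unmapped)

# Constructed sample input; attribute names follow the SCIM core schema.
SCIM_USERS = [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": True},
    {"id": "u3", "userName": "carol@example.com", "active": False},
]
SCIM_GROUPS = [
    {"displayName": "paris-contributors",
     "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u3"}]},
    {"displayName": "paris-admins", "members": [{"value": "u1"}]},
    {"displayName": "it-helpdesk", "members": [{"value": "u2"}]},
]
GROUP_MAPPING = {  # hypothetical group names linked to (community, role)
    "paris-contributors": ("Paris", "contributor"),
    "paris-admins": ("Paris", "administrator"),
}
CURRENT_MEMBERS = ["alice@example.com", "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    access, losing, unmapped = plan_sync(SCIM_USERS, SCIM_GROUPS,
                                         GROUP_MAPPING, CURRENT_MEMBERS)
    print("access:", access, "\nlosing access:", losing, "\nunmapped:", unmapped)
```

Review the "losing access" list with the people concerned before enabling synchronization, and link or unassign any group reported as unmapped.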
Additional options
Automatic sending of invitation emails to newly created users (optional with SSO, since SSO allows login without an invitation)
Manual creation of accounts outside the company directory (these accounts use standard email/password authentication and must be deleted manually)
What the assistant can do
The assistant can guide the user to the Integrations page via navigate_to and explain the provisioning concepts. For detailed technical configuration, refer to https://help.steeple.com/
