
# Automatic provisioning of employees (Provisioning / SCIM)

### What is provisioning?

Provisioning is the automatic and continuous synchronization of users from an identity provider to Steeple. Unlike SSO, which only acts at authentication, provisioning keeps data continuously up to date.

#### What is automatically synchronized

* **Identity data**: first name, last name, email
* **Access rights** to communities
* **Role assignment**

#### Protocol

Steeple uses the **SCIM** protocol (System for Cross-domain Identity Management). Communication is **one-way**: from the identity provider to Steeple.

#### Synchronized resources

* Users
* Groups
* User-group memberships

### Important prerequisite

**SSO must be configured before provisioning**. It is not possible to configure provisioning alone, regardless of the provider.

### Supported providers

* **Azure Active Directory** (Microsoft Entra ID)
* **Okta**

Google Workspace supports only SSO, not SCIM provisioning.

### Group → community mapping

The identity provider's groups do not correspond directly to Steeple communities. An **intermediate association** is required: each group is linked to a pair (community, role), which translates group membership into community access with a specific role.

**Recommendation**: create at least **two groups per community** (contributors and administrators).
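
The association described above can be checked offline before groups are assigned. This is an added example, not Steeple's code: the group names, communities, role labels and e-mail addresses are constructed, and it only models "one group maps to one (community, role) pair" to flag pushed groups that have no association and users who would end up with no access.

```python
from collections import defaultdict

# Intermediate association: one identity-provider group -> one (community, role) pair.
GROUP_MAP = {
    "steeple-paris-contributors": ("Paris", "contributor"),
    "steeple-paris-admins": ("Paris", "administrator"),
    "steeple-lyon-contributors": ("Lyon", "contributor"),
}

# Constructed group memberships, as the identity provider would push them.
MEMBERSHIPS = {
    "steeple-paris-contributors": ["alice@example.com", "bob@example.com"],
    "steeple-paris-admins": ["Alice@example.com"],
    "steeple-lyon-contributors": ["bob@example.com"],
    "steeple-hr-all": ["carol@example.com"],  # pushed but never associated
}


def resolve_access(group_map, memberships):
    """Return (access per user, groups with no association, users with no access)."""
    access = defaultdict(set)
    unmapped, seen = set(), set()
    for group, members in memberships.items():
        seen.update(m.lower() for m in members)
        pair = group_map.get(group)
        if pair is None:
            unmapped.add(group)  # membership in this group grants nothing
            continue
        for member in members:
            access[member.lower()].add(pair)
    return dict(access), unmapped, seen - set(access)


def admins_by_community(access):
    """List who holds the administrator role in each community, for review."""
    out = defaultdict(set)
    for user, pairs in access.items():
        for community, role in pairs:
            if role == "administrator":
                out[community].add(user)
    return dict(out)


if __name__ == "__main__":
    access, unmapped, no_access = resolve_access(GROUP_MAP, MEMBERSHIPS)
    print("unmapped groups:", unmapped, "| users without access:", no_access)
    print("administrators:", admins_by_community(access))
```
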

### Configure provisioning

Configuration is done from **Administration** > **Integrations** (`/administration/integrations`).

#### Provisioning with Azure Active Directory

1. In Steeple: Administration > Integrations > Install > click "Show" in the Identification section to obtain the **SCIM URL** and the **Bearer Token**
   * The token is a secret: never share it in an unsecured channel (chat, email, public ticket)
2. In Azure: Directory Overview > Provisioning > switch to **Automatic**
3. Paste the URL (Tenant URL) and the Token (Secret Token), test the connection
4. If soft-delete is needed: add an expression mapping `Switch([IsSoftDeleted], , "False", "True", "True", "False")` on the attribute **active**
5. Assign the pre-created groups in "Users and Groups"
6. Start provisioning — **Azure synchronizes every 25 to 40 minutes**
7. In Steeple: assign roles to the linked groups and communities
8. Check that the number of users and groups matches, then enable synchronization

#### Provisioning with Okta

1. In Steeple: Administration > Integrations > Okta SCIM > Install to obtain the **Tenant URL** and the **Secret Token**
   * The token is a secret: never share it in an unsecured channel (chat, email, public ticket)
2. In Okta: General > App Settings > manually enable provisioning > save
3. Provisioning > Integration > configure the SCIM connector:
   * Paste the Tenant URL
   * Unique identifier: **userName**
   * Check only the **Push** boxes
   * Authentication mode: **HTTP Header** with the Secret Token
   * Test then save
4. Provisioning > Settings > To App: enable **Create Users**, **Update User Attributes**, **Deactivate Users**
5. Assign users/groups, configure Push Groups for mapping to communities
6. Enable synchronization in Steeple — **Okta applies changes almost immediately**

### Important warnings

* **Disabling or deleting a user** on the identity provider side **removes the user from the Steeple organization** and makes their posts invisible
* Only manual intervention from support can reassign posts from a removed user
* Any user absent from the company directory will have **all access removed** by default
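
Because enabling synchronization removes access for anyone missing from the directory, a dry run over exported account lists shows who would be affected first. This is an added example, not Steeple's code: the account lists are constructed, `userName` and `active` are the SCIM core attributes, and treating manually created accounts as exempt is an assumption based on the manual-creation option described below.

```python
# Constructed sample data; how the lists are exported is outside this example.
DIRECTORY_USERS = [
    {"userName": "Alice@Example.com", "active": True},
    {"userName": "bob@example.com", "active": False},  # disabled in the directory
    {"userName": "dave@example.com", "active": True},  # not yet in Steeple
]
STEEPLE_ACCOUNTS = [
    "alice@example.com",
    "bob@example.com",
    "erin@example.com",             # never assigned in the identity provider
    "contractor@partner.example",   # created manually, outside the directory
]
MANUAL_ACCOUNTS = ["contractor@partner.example"]


def normalize(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def dry_run(directory_users, steeple_accounts, manual_accounts=()):
    """Predict the effect of enabling synchronization.

    directory_users: dicts with SCIM 'userName' and 'active'.
    steeple_accounts: e-mail addresses that exist in Steeple today.
    manual_accounts: accounts kept outside the directory (assumed exempt).
    """
    active = {normalize(u["userName"]) for u in directory_users if u["active"]}
    inactive = {normalize(u["userName"]) for u in directory_users if not u["active"]}
    existing = {normalize(e) for e in steeple_accounts}
    exempt = {normalize(e) for e in manual_accounts}
    return {
        "will_be_created": sorted(active - existing),
        # Absent from the directory or inactive there: access is removed.
        "will_lose_access": sorted((existing - active) - exempt),
        # Subset of the above whose cause is a disabled directory account.
        "deactivated_in_directory": sorted(inactive & existing),
    }


if __name__ == "__main__":
    for key, users in dry_run(DIRECTORY_USERS, STEEPLE_ACCOUNTS, MANUAL_ACCOUNTS).items():
        print(f"{key}: {users}")
```

Review `will_lose_access` with the community owners before enabling synchronization, since posts from removed users become invisible and can only be reassigned by support.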

### Additional options

* **Automatic sending of invitation emails** to newly created users (optional with SSO, since SSO allows login without an invitation)
* **Manual creation of accounts** outside the company directory (these accounts use classic email/password authentication and must be deleted manually)

### What the assistant can do

The assistant can guide the user to the **Integrations** page via `navigate_to` and explain the provisioning concepts. For detailed technical configuration, refer to <https://help.steeple.com/>.


