Available for: Enterprise plan
Set up by: Company-level admin
System for Cross-domain Identity Management, also known as SCIM, provides automated provisioning and user management for Miro Enterprise accounts through your Identity Provider (IdP).
⚠️ SAML based SSO must be properly set up and be functional in your Enterprise account before you start configuring automated provisioning. See the guide to configuring SAML SSO.
In this article:
- Supported features
1.1. Supported Attributes
1.2. Planned Features
- Rules under which Miro SCIM operates
- Configuring SCIM
3.1. Enabling SCIM option in Miro
3.2. Configuring your Identity Provider
- Possible Issues and How to Resolve Them
Detailed Miro SCIM schema can be found here.
Miro supports the following provisioning features:
- Push and add new users
New users assigned to Miro application in IdP will be created in your Miro Enterprise account as Enterprise Members. Users that are added to a user group that is synced to a Miro team with the same name will be added to the team as Team members.
- Push user profile updates
For the supported attributes and changes see below.
- Sync and push groups
Sync your IDP groups and their members to the teams in your Miro Enterprise account to automatically manage user membership. Ongoing sync will send specific updates regarding your group's users to the synced Miro team, while a push will overwrite the team's state treating the group as the source of truth (if there were any manual changes by your Company Admins on the Miro end).
- Decouple the Group/Team names
Miro syncs Groups and Teams by name thus they must have the same exact name. However, after the initial sync is created you will be able to give either one or both of them the names that are convenient for you. You can see the example of the decoupling here.
- Remove users from group/team (not the Enterprise account)
Removing a user from a group will remove them from the synced Miro team (during the next Group Push).
- Deactivate users
Deactivating/deleting a user or disabling a user's access to the application in the IDP will deactivate the user in your Miro Enterprise account. Deleting a user from the Enterprise account is not supported by default but you can manually add the functionality using API to have the user completely deleted from the subscription instead of setting them to the Deactivated status.
- Reactivate users
Assigning a user back to the application or reactivating the user profile in the IDP will reactivate them in your Miro Enterprise account if they were previously provisioned and deactivated.
- Update emails (primary identifier)
If you changed your domain name or some end-users require an email update due to changing their name etc, you can push these changes from your user directory to Miro. Both the old and the new email address will receive a notification letting the user know that they are now to use their new email address to log into Miro.
⚠️ Note that the email update must happen in the user’s profile, not in the assignments list.
⚠️ The Primary Parameter / Unique Identifier (it is likely to be marked as userName in the Identity Provider service) is the only value required by Miro and must be in the form of an email.
The attributes listed below are not required and will be accepted by Miro if present (other attributes sent to Miro will be ignored).
SCIM Attribute (Claim)
givenName + " " + familyName;
"value" field has String type in SCIM standard but managerId
Must be a text URL to the image.
All attributes will be displayed in the exported CSV user list that can be downloaded from the Active Users section.
The following features are not supported but are planned to be added in the nearest future:
- Create and delete groups
At the moment all assigned groups must exist in your Miro account as teams before linking.
⚠️ Password changes are not supported and there are no immediate plans to start supporting this change.
Rules under which Miro SCIM operates
- The SCIM-synced changes are primarily applied to newly assigned users. The status of those who are already under your subscription will be supplemented but might not be overwritten in that the changes are applied on the group/team level. For instance:
a) if a user is a member of Team1 on the Miro side and your IDP sends an update to add them to Team2, their status in Team1 remains unaffected.
b) if your IDP sends an update containing changes to User1, other team members are unaffected. As mentioned in Supported Features > Sync and push groups to overwrite the team status and re-sync all users at once initiate a new push.
- All users provisioned under SCIM are assigned the default license of your subscription:
a) For Enterprise subscriptions without Flexible Licensing Program: a Full license if you don't use Day Passes; an Occasional license if you do. If your subscription runs out of licenses the users start getting provisioned under Free Restricted license.
b) For Enterprise subscriptions with Flexible Licensing Program activated: Free or Free Restricted license depending on the default account license.
- To protect the service Miro limits the number of API calls available every 30 seconds:
Request typeLimit level
First Rate Limit Level 1
Third Rate Limit Level 3
Fourth Rate Limit Level 4
Third Rate Limit Level 4
For details on limit levels please see here. If the number of requests exceeds the limit, Miro will return the standard
429 Too many requestserror.
Step 1: Enable SCIM option in Miro
To enable SCIM for your Miro Enterprise account, go to the Settings > Security, enable the SCIM Provisioning feature. There you can get the Base URL and the API Token for configuring your IdP.
Step 2: Configure your Identity Provider
The setup will depend on the Identity Provider you use. Miro supports preconfigured Okta and Azure AD however you can use any Identity Provider of your choice for as long as it allows setting up SCIM.
OKTA - see the setup instruction here.
Azure AD- see the setup instruction here.
Possible Issues and How to Resolve them
1. Users do not get provisioned due to an allowlist error
An example of the error from Okta identity provider
Please make sure that the user's domain address is added to your allowlist in the Security settings.
2. If you authenticate your end-users with one identity solution (IDP1) but would like to enable SCIM via a different one (IDP2), this is possible on two conditions:
- the IDP2 can do API calls with the bearer token.
- both identity providers are in sync (so SCIM-provisioned users exist in the IDP1 as well and therefore are able to authenticate with Miro).
For more information please reach out to Miro Support Team.