Available for: Enterprise plan
Set up by: Company-level admin
System for Cross-domain Identity Management, also known as SCIM, provides automated provisioning and user management for Miro Enterprise accounts through your Identity Provider (IdP).
SAML-based SSO must be set up and working in your Enterprise account before you start configuring automated provisioning. See the guide to configuring SAML SSO.
The following provisioning features are supported:
- Push new users
New users assigned to the Miro application in your IdP are also created in your Miro Enterprise account as Members.
- Push user profile updates
Any updates to a user's first name, last name or display name are also pushed to their profile in Miro.
- Push groups
Groups and their members can be pushed to your Miro Enterprise account. Use it to automatically manage user membership in Miro teams.
- Remove users from group/team
Removing a user from a group removes them from the Miro team (during the next Group Push).
- Deactivate users
Deactivating a user or disabling a user's access to the application through IdP will deactivate the user in your Miro Enterprise account.
- Reactivate users
User profiles can be reactivated in your Miro Enterprise account.
The following features are not supported:
- Create and delete groups: all assigned groups should exist in your Miro account as teams before linking. The Miro SCIM API matches groups and Miro teams by name, so the name of the group must be the same as the name of the Miro team where you push the data.
- Delete users from the Enterprise account or from Miro.
- Update passwords and primary email.
- The SCIM changes are primarily applied to newly assigned users. The status of those who are already under your subscription will be supplemented but not overwritten (for instance, if a user is a member of Team1 on the Miro side and your IdP pushes the data to add them to Team2, their status in Team1 remains unaffected). See Features for the supported changes.
- All users provisioned under SCIM are assigned the default license of your subscription (a full license if you do not use Day Passes, or an occasional license if you do). If your subscription runs out of licenses, users start getting provisioned under the Free Restricted license.
Step 1: Enable SCIM option in Miro
To enable SCIM for your Miro Enterprise account, go to Settings > Security and enable the SCIM Provisioning feature. There you can get the Base URL and the API Token for configuring your IdP.
Step 2: Configure your Identity Provider
The setup depends on the Identity Provider you use. Miro supports preconfigured Okta and Azure AD; however, you can use any Identity Provider of your choice as long as it allows setting up SCIM.
Okta - see the setup instructions here.
Azure AD - see the setup instructions here.
Possible Issues and How to Resolve them
1. Users do not get provisioned due to a whitelisting error
Please make sure that the users' domain address is added to your whitelist in the Security settings.
2. If you authenticate your end-users with one identity solution (IDP1) but would like to enable SCIM via a different one (IDP2), this is possible on two conditions:
- the IDP2 can do API calls with the bearer token.
- both identity providers are in sync (so SCIM-provisioned users exist in the IDP1 as well and therefore are able to authenticate with Miro).
For more information, please reach out to the Miro Support team.
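
A pre-flight check for two requirements on this page (pushed group names must equal existing Miro team names, and users' domains must be on the whitelist), as an added example that is not Miro's code. The lists are constructed sample data you would export yourself; exact, case-sensitive name matching and exact domain matching are assumptions.

```python
# Added example: pre-flight check before enabling SCIM provisioning.
# Assumptions: names match exactly (case-sensitive); domains match exactly.
import unicodedata


def _norm(name: str) -> str:
    """Fold case, Unicode form and whitespace to spot near-miss names."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def check_groups(idp_groups, miro_teams):
    """Classify each IdP group as 'ok', 'near_miss' or 'missing'."""
    exact = set(miro_teams)
    folded = {}
    for team in miro_teams:
        folded.setdefault(_norm(team), team)
    report = {}
    for group in idp_groups:
        if group in exact:
            report[group] = ("ok", group)
        elif _norm(group) in folded:
            # A team exists but differs in case or spacing: rename one side.
            report[group] = ("near_miss", folded[_norm(group)])
        else:
            # SCIM cannot create groups, so create the team in Miro first.
            report[group] = ("missing", None)
    return report


def check_domains(user_emails, allowed_domains):
    """Return emails whose domain is not on the Security settings whitelist."""
    allowed = {d.casefold().lstrip("@") for d in allowed_domains}
    blocked = []
    for email in user_emails:
        local, sep, domain = email.rpartition("@")
        if not sep or not local or domain.casefold() not in allowed:
            blocked.append(email)
    return blocked


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    groups = ["Design", "marketing ", "Research"]
    teams = ["Design", "Marketing", "Engineering"]
    for g, (status, team) in check_groups(groups, teams).items():
        print(f"{g!r}: {status}" + (f" (Miro team {team!r})" if team else ""))
    emails = ["ana@example.com", "bo@contractor.example", "no-at-sign"]
    print("not on whitelist:", check_domains(emails, ["example.com"]))
```

Resolve every `near_miss` and `missing` entry before linking groups, and every listed email before assigning users in the IdP.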