Available for: Enterprise plan
Set up by: Company-level admin
System for Cross-domain Identity Management, also known as SCIM, provides automated provisioning and user management for Miro Enterprise accounts through your Identity Provider (IdP).
SAML-based SSO must be set up and working in your Enterprise account before you start configuring automated provisioning. See the guide to configuring SAML SSO.
The following provisioning features are supported (Miro SCIM schema can be found here):
- Push new users
New users assigned to the Miro application in the IdP will be created in your Miro Enterprise account as Enterprise Members. Users that are added to a user group that is synced to a Miro team with the same name will be added to the team as Team members.
- Push user profile updates
The Unique Primary Parameter (userName) required by Miro must be in the form of an email.
The attributes listed below are not required and will be passed to Miro if present.
| Attribute name | SCIM Attribute (Claim) |
|---|---|
| | givenName + " " + familyName |
| | costCenter |
| Organization | organization |
| Division | division |
| Department | department |

The "value" field has type String in the SCIM standard, but the internal Miro field managerId has type Long. If the "value" attribute is not a number, it is ignored.
⚠️ - All attributes are displayed in the exported CSV user list that can be downloaded from the Active Users section.
- Push groups
Groups and their members can be pushed to your Miro Enterprise account. Use it to automatically manage user membership in Miro teams or re-sync your Miro account to the group if there were any manual changes by your Company Admins on the Miro end.
- Remove users from group/team
Removing a user from a group will remove them from the Miro team (during the next Group Push).
- Deactivate users
Deactivating a user or disabling a user's access to the application through the IdP will deactivate the user in your Miro Enterprise account. The preconfigured Miro applications in Azure and Okta do not support user deletion from the Enterprise account, but you can add this functionality manually using the API so that the user is completely deleted from the subscription instead of being set to the Deactivated status.
- Reactivate users
User profiles can be reactivated in your Miro Enterprise account.
The following features are not supported:
- Create and delete groups: all assigned groups should exist in your Miro account as teams before linking. Miro SCIM API matches groups and Miro teams by names so the name of the group must be the same as the name of the Miro team where you push the data.
- Update passwords and primary email.
The preconfigured applications in Azure and Okta do not support user deletion from the Enterprise account
- The SCIM changes are primarily applied to newly assigned users. The status of those who are already under your subscription will be supplemented but not overwritten (for instance, if a user is a member of Team1 on the Miro side and your IDP pushes the data to add them to Team2, their status in Team1 remains unaffected). See Features for the supported changes.
- All users provisioned under SCIM are assigned the default license of your subscription:
For Enterprise subscriptions without Flexible Licensing Program: a Full license if you don't use Day Passes; an Occasional license if you do. If your subscription runs out of licenses the users start getting provisioned under Free Restricted license.
For Enterprise subscriptions with Flexible Licensing Program activated: Free or Free Restricted license depending on the default account license.
Step 1: Enable SCIM option in Miro
To enable SCIM for your Miro Enterprise account, go to Settings > Security and enable the SCIM Provisioning feature. There you can get the Base URL and the API Token for configuring your IdP.
Step 2: Configure your Identity Provider
The setup will depend on the Identity Provider you use. Miro supports preconfigured Okta and Azure AD; however, you can use any Identity Provider of your choice as long as it allows setting up SCIM.
Okta - see the setup instructions here.
Azure AD - see the setup instructions here.
Possible Issues and How to Resolve them
1. Users do not get provisioned due to an allowlist error
Please make sure that the user's domain address is added to your allowlist in the Security settings.
2. If you authenticate your end-users with one identity solution (IDP1) but would like to enable SCIM via a different one (IDP2), this is possible on two conditions:
- the IDP2 can do API calls with the bearer token.
- both identity providers are in sync (so SCIM-provisioned users exist in the IDP1 as well and therefore are able to authenticate with Miro).
For more information, please reach out to the Miro Support Team.
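
The attribute rules under "Push user profile updates" and the allowlist issue above can both be checked before a user is assigned in the IdP. The Python below is an added example, not Miro's code: it assumes the optional attributes travel in the standard SCIM enterprise user extension (RFC 7643), that Long means a signed 64-bit integer, and that the allowlist is a plain list of domains; `preflight` and the sample users are hypothetical.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
LONG_MIN, LONG_MAX = -(2**63), 2**63 - 1  # assumption: signed 64-bit Long


def preflight(user, allowed_domains):
    """Return (errors, warnings) for one SCIM User resource before it is pushed."""
    errors, warnings = [], []
    match = EMAIL_RE.match(str(user.get("userName", "")))
    if not match:
        errors.append("userName must be in the form of an email")
    elif match.group(1).lower() not in {d.lower() for d in allowed_domains}:
        # Provisioning fails when the user's domain is missing from the allowlist.
        errors.append(f"domain {match.group(1)} is not on the allowlist")
    ext = user.get(ENTERPRISE, {})
    value = (ext.get("manager") or {}).get("value")
    if value is not None:
        # SCIM carries manager.value as a String; a non-numeric value is
        # ignored because the internal managerId field is a Long.
        text = str(value)
        if not (re.fullmatch(r"-?\d+", text) and LONG_MIN <= int(text) <= LONG_MAX):
            warnings.append(f"manager.value {text!r} is not a Long and will be ignored")
    return errors, warnings


# Constructed sample resources (not real accounts).
SAMPLE_USERS = [
    {"schemas": [CORE, ENTERPRISE], "userName": "ana@example.com",
     "name": {"givenName": "Ana", "familyName": "Diaz"},
     ENTERPRISE: {"costCenter": "CC-42", "department": "Design",
                  "manager": {"value": "3074457345618"}}},
    {"schemas": [CORE, ENTERPRISE], "userName": "bob@example.com",
     ENTERPRISE: {"manager": {"value": "a1b2-uuid"}}},   # IdP sends a UUID
    {"schemas": [CORE], "userName": "carol"},              # not an email
    {"schemas": [CORE], "userName": "dan@contractor.example"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["userName"], preflight(u, ["example.com"]))
```

A warning rather than an error is returned for the manager case because the user is still provisioned; only the manager link is silently dropped, which is worth catching if reporting or access reviews rely on it.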