SCIM user management
SCIM lets you integrate your identity provider (IdP) with Temporal Cloud to automate user provisioning and access. Once SCIM is configured, changes in your IdP are automatically reflected in Temporal Cloud, including:
- User creation / onboarding
- User deletion / offboarding
- User membership in groups
You can map SCIM groups to Temporal Cloud roles and permissions, so users automatically get the Temporal Cloud access they need based on the groups they belong to.
Supported IdP Vendors
Supported upstream IdP vendors include:
- Okta
- Microsoft Entra ID (Azure AD)
- Google Workspace
- OneLogin
- CyberArk
- JumpCloud
- PingFederate
- Any SCIM 2.0-compliant provider
Preparing for SCIM
Before starting your work with SCIM, you'll need to complete this checklist:
- Configure SAML SSO.
- Identify your organization's IdP administrator, who is responsible for configuring and managing your SCIM integration. Specify their contact details when you reach out to support in the next stage of this process.
After completing these steps, you're ready to submit your support ticket to enable SCIM.
When SCIM is enabled for user management, you can still add and remove users outside of SCIM using the Temporal Cloud interface, until you disable user lifecycle management. You can always change a user's or group's Account Role from the Temporal Cloud interface.
Onboarding with SCIM and Okta
- Temporal Support enables the SCIM integration on your account. Enabling integration automatically emails a configuration link to your Okta administrator. This authorizes them to set up the integration.
- Your Okta administrator opens the supplied link. The link leads to step-by-step instructions for configuring the integration.
- Once configured in Okta, Temporal Cloud will begin to receive SCIM messages and automatically onboard and offboard the users and groups configured in Okta.
Some points to note:
- User and group change events are applied within 10 minutes of them being made in Okta.
- User lifecycle management with SCIM also allows user roles to be derived from group membership.
- Once a group has been synced in Temporal Cloud, you can use tcld to assign roles to the group. For instructions, see the User Group Management page.
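To make the message flow concrete, here is an added Python illustration (not Temporal Cloud's code) of a minimal SCIM 2.0 consumer: it applies user create/delete, user PATCH (deactivation) and group membership PATCH messages to an in-memory directory, then derives each user's role from group membership in the way the group-to-role mapping above describes. The schema URNs and PatchOp shapes come from the SCIM standard (RFC 7643/7644); the group names, role names, the `ROLE_BY_GROUP` table and the sample payloads in `demo()` are constructed for this example and are not from the page.

```python
"""Toy SCIM 2.0 consumer: applies User/Group messages to an in-memory directory
and derives each user's role from group membership. Added illustration only,
not Temporal Cloud's implementation. Schema URNs follow RFC 7643/7644; the
role table, group names and sample payloads are constructed."""
import re
from dataclasses import dataclass, field

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed mapping of IdP group names to roles; ROLE_RANK lists highest privilege first.
ROLE_RANK = ["Admin", "Developer", "Read"]
ROLE_BY_GROUP = {"temporal-admins": "Admin", "temporal-developers": "Developer"}
DEFAULT_ROLE = "Read"  # role for an active user who is in no mapped group

# SCIM "remove" of a single member uses a filter path: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


@dataclass
class Directory:
    users: dict = field(default_factory=dict)   # id -> {"userName", "active"}
    groups: dict = field(default_factory=dict)  # id -> {"displayName", "members": set of user ids}
    _next: int = 1

    def _new_id(self, prefix):
        rid = f"{prefix}{self._next}"
        self._next += 1
        return rid

    def create_user(self, body):
        """POST /Users: the service provider assigns the id the IdP references later."""
        if USER_SCHEMA not in body.get("schemas", []):
            raise ValueError("expected a SCIM User resource")
        uid = self._new_id("u")
        self.users[uid] = {"userName": body["userName"], "active": body.get("active", True)}
        return uid

    def create_group(self, body):
        """POST /Groups: members reference user ids, not user names."""
        if GROUP_SCHEMA not in body.get("schemas", []):
            raise ValueError("expected a SCIM Group resource")
        gid = self._new_id("g")
        members = {m["value"] for m in body.get("members", [])}
        self.groups[gid] = {"displayName": body["displayName"], "members": members}
        return gid

    def delete_user(self, uid):
        """DELETE /Users/{id}: offboarding also drops the user from every group."""
        self.users.pop(uid)
        for g in self.groups.values():
            g["members"].discard(uid)

    def patch_user(self, uid, body):
        """PATCH /Users/{id}: handles 'replace' of top-level attributes such as active."""
        self._check_patch(body)
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"unsupported user op {op['op']}")
            if "path" in op:
                self.users[uid][op["path"]] = op["value"]
            else:
                self.users[uid].update(op["value"])

    def patch_group(self, gid, body):
        """PATCH /Groups/{id}: add members, or remove one via a value filter path."""
        self._check_patch(body)
        members = self.groups[gid]["members"]
        for op in body["Operations"]:
            kind = op["op"].lower()
            if kind == "add" and op.get("path") == "members":
                members.update(m["value"] for m in op["value"])
            elif kind == "remove":
                m = MEMBER_FILTER.match(op.get("path", ""))
                if not m:
                    raise ValueError('remove needs a members[value eq "..."] path')
                members.discard(m.group(1))
            else:
                raise ValueError(f"unsupported group op {op['op']}")

    @staticmethod
    def _check_patch(body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ValueError("expected a SCIM PatchOp message")

    def role_of(self, uid):
        """Derive a role from group membership; inactive or unknown users get none."""
        user = self.users.get(uid)
        if user is None or not user["active"]:
            return None
        roles = {ROLE_BY_GROUP.get(g["displayName"]) for g in self.groups.values() if uid in g["members"]}
        roles.discard(None)
        return min(roles, key=ROLE_RANK.index) if roles else DEFAULT_ROLE


def demo():
    """Replay a constructed onboarding/offboarding sequence and return final roles."""
    d = Directory()
    alice = d.create_user({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    bob = d.create_user({"schemas": [USER_SCHEMA], "userName": "bob@example.com"})
    admins = d.create_group({"schemas": [GROUP_SCHEMA], "displayName": "temporal-admins",
                             "members": [{"value": alice}]})
    d.create_group({"schemas": [GROUP_SCHEMA], "displayName": "temporal-developers",
                    "members": [{"value": alice}, {"value": bob}]})
    # Alice is removed from the admin group; Bob is deactivated in the IdP; Carol joins with no group.
    d.patch_group(admins, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "remove", "path": f'members[value eq "{alice}"]'}]})
    d.patch_user(bob, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "value": {"active": False}}]})
    carol = d.create_user({"schemas": [USER_SCHEMA], "userName": "carol@example.com"})
    return {d.users[u]["userName"]: d.role_of(u) for u in (alice, bob, carol)}
```

In the real integration the IdP is the SCIM client and Temporal Cloud the service provider, so the `id` values returned by `create_user` are what the IdP later puts in group `members` entries; a consumer that keyed users by `userName` instead would lose group membership (and therefore the derived role) whenever a user is renamed in the IdP. Deactivation (`active: false`) and deletion are handled as separate events because IdPs commonly send the first on offboarding and the second only later, if at all.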