Skip to main content
Enterprise Edition FeatureThis feature requires an Enterprise plan. View plans or contact sales to learn more.
Configure Onyx with SCIM 2.0 to automatically provision and deprovision users and groups from your identity provider. Onyx has been tested with Okta and Microsoft Entra ID (Azure AD). Other SCIM 2.0 providers have not been validated yet. If you need support for a specific provider, reach out on our Slack or Discord channels and we can add it to the roadmap.
SCIM handles provisioning — syncing users and groups into Onyx. You still need a separate authentication method (e.g. OIDC or SAML) for user sign-in.

What SCIM Does

  • User provisioning — Automatically create Onyx accounts when users are assigned in your IdP
  • User deprovisioning — Deactivate Onyx accounts when users are unassigned or suspended
  • Group sync — Push group membership changes from your IdP to Onyx
  • Profile updates — Keep user attributes (name, email) in sync

Generate a SCIM Token

Before configuring your identity provider, generate a SCIM bearer token in Onyx.
1

Navigate to SCIM Settings

In your Onyx instance, go to the Admin PanelPermissionsSCIM.
2

Generate Token

Click Generate SCIM Token. A new bearer token will be created for your IdP to authenticate with.
The token is displayed only once. Copy or download it immediately. Generating a new token will revoke the previous one.
You will need these two values when configuring your identity provider:
FieldValue
SCIM Base URLhttps://YOUR_ONYX_DOMAIN/scim/v2
Bearer TokenThe token generated above

Configure Your Identity Provider

Use the SCIM Base URL and Bearer Token from the previous step when configuring provisioning in your IdP.
https://mintcdn.com/danswer/AyVhIwSdfMMIcs1k/assets/icons/okta.svg?fit=max&auto=format&n=AyVhIwSdfMMIcs1k&q=85&s=05656cbda2d13a6446b45bdbb452c0e8

Okta

Follow Okta’s guide to add SCIM provisioning to your application

Microsoft Entra ID

Follow Microsoft’s guide to configure automatic provisioning
When prompted for connection details, use:
IdP FieldValue
SCIM Base URL / Tenant URLhttps://YOUR_ONYX_DOMAIN/scim/v2
AuthenticationBearer token (HTTP Header)

Verifying the Connection

Once provisioning is configured, the SCIM page in the Onyx Admin Panel will show a Connected status once the IdP has made its first request. You can also check the Users and Groups page to confirm that provisioned users and groups appear correctly.