Configure SCIM with SAML SSO


You can use SCIM alongside SAML to provision and deprovision users instantly.

Who can use this feature

Users on Professional plans and above.

Overview

After setting up SAML SSO in Tulip, you may also want to provision and de-provision users in real time. Tulip is compatible with the SCIM API, and you can set up this behavior after finishing your SAML SSO setup.

Technical requirements

Head to the SCIM tab under the SAML settings page.


There, you will see the following fields related to the Tulip application:

  • Tenant URL
  • API Key/Secret (Bearer token authentication)

You will need to add these to the metadata about the Tulip application as a "service provider" within your IdP.

Microsoft Entra ID Specific Setup Instructions

Microsoft is no longer approving updated App Store listings, based on this article.

This is why you may not see a SCIM-compatible Tulip app in your app gallery.

So, follow this guide on creating a new app in Entra ID in the section titled "Connecting provisioning in Entra with 6clicks". This will allow you to properly use Tulip's SCIM integration in Entra ID.

SCIM features

Tulip supports the following real-time updates via the SCIM API:

  • User creation
  • Updates to user's name
  • User deletion / de-provisioning

User creation

Within your IdP, you control which users have access to the Tulip application.

When Tulip becomes registered as a Service Provider, your IdP will use SCIM to provision all users who need access to Tulip. Those users will be created automatically in Tulip with no access to any part of the platform.

After you set up SAML in Tulip, when a user logs in with SAML for the first time, they will be assigned a workspace and role based on your SAML configuration.

Then, when a new user is added to your IdP who should have access to Tulip, they will be immediately provisioned in Tulip with no access to any part of the platform.

Updates to user name

When a user's name is updated in your IdP, or if you modify the order of family name and given name in the SCIM settings, user names will update in real time in the Tulip platform.

User deletion / deactivation

SCIM uses the term "delete" for de-provisioning users, but users in Tulip can only be deactivated, not deleted. Tulip expects the "delete user" endpoint to be used only when deprovisioning a user.

When the "delete user" endpoint is used for a given user, they will be immediately deactivated in Tulip.
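The three operations listed under "SCIM features", written out as the standard SCIM 2.0 (RFC 7643/7644) requests an IdP sends with the Tenant URL and Bearer token. This is an added example, not Tulip's code: the tenant URL, token and user ids are constructed placeholders, and sending name changes as PATCH is an assumption, since the page does not say which method Tulip expects.

```python
import json
from urllib.parse import quote
from urllib.request import Request

# Constructed placeholders: copy the real values from the SCIM tab in Tulip.
TENANT_URL = "https://tenant.example.invalid/scim/v2"
API_TOKEN = "REPLACE_WITH_API_KEY"

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _request(method, path, body=None):
    """Build (without sending) a SCIM request that uses Bearer token auth."""
    headers = {"Authorization": f"Bearer {API_TOKEN}",
               "Accept": "application/scim+json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/scim+json"
        data = json.dumps(body).encode("utf-8")
    return Request(TENANT_URL.rstrip("/") + path, data=data,
                   headers=headers, method=method)


def create_user(user_name, given, family):
    """User creation: POST /Users with the core User schema."""
    body = {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "active": True}
    return _request("POST", "/Users", body)


def update_name(user_id, given, family):
    """Name update. Assumption: sent as PATCH; some IdPs send PUT instead."""
    ops = [{"op": "replace", "path": "name.givenName", "value": given},
           {"op": "replace", "path": "name.familyName", "value": family}]
    body = {"schemas": [PATCH_SCHEMA], "Operations": ops}
    return _request("PATCH", "/Users/" + quote(user_id, safe=""), body)


def deprovision_user(user_id):
    """SCIM "delete user"; per this page Tulip deactivates the account."""
    return _request("DELETE", "/Users/" + quote(user_id, safe=""))


if __name__ == "__main__":
    for req in (create_user("a.user@example.invalid", "Ada", "User"),
                update_name("id-123", "Ada", "Operator"),
                deprovision_user("id-123")):
        print(req.get_method(), req.full_url, req.data)
```

The requests are only built, never sent, so the script is safe to run without a tenant. In a real integration, keep the API token out of source files and rotate it if it has been exposed.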