User Provisioning with SCIM

Enable automatic user provisioning and removal with SCIM

Rian avatar
Written by Rian
Updated over a week ago

You can use SCIM (System for Cross-domain Identity Management) to manage your workspace’s members in Zeplin through an Identity Provider of your choice.


☝️ This feature is currently only available to teams on the Enterprise Plan.

What can you do with SCIM?

When you set up SCIM provisioning, the Enterprise workspace owner or admins will be able to automate critical features of member management in Zeplin.

Inviting a new member into your Zeplin workspace

Provisioning new user access to the Zeplin app in your identity provider will automatically create a user account in Zeplin. This new user will also be invited to your workspace with the role details you’ve already set up through a settings page in Zeplin (see Enabling User Provisioning section below for more information).

Removing members from your Zeplin workspace

If a user leaves your organization, de-provisioning the user from the Zeplin app in your identity provider will automatically trigger an action to remove the user from your workspace in Zeplin.

⚠️ Even though users will lose access to your workspace, they can still use their Zeplin account with their personal workspace and other team workspaces.

Enabling User Provisioning

Zeplin supports the basic user operations from standard SCIM. To begin to use SCIM in your workspace, you will first need to configure the trust between your SCIM client (usually this is your IdP) and Zeplin.

The SCIM implementations in a number of popular IdP providers have been verified to work with Zeplin. See the SCIM-specific notes our IdP guides to help with configuration.

  • Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin of the Workspace.

  • Log in to your IdP as an IdP Administrator.

  • Check out one of the help guides above for IdP-specific settings and actions.

  • Complete the steps below in Zeplin.

Zeplin Workspace Configuration

  • Login to your Enterprise workspace and navigate to “Workspace Settings”, and click the “User Provisioning” tab.

  • Click the “Create SCIM token” button to begin and make a temporary copy of the generated token

⚠️ The SCIM token is displayed only once to protect the security of your account. If you lose it, you can delete an existing token and generate a new one. Don't forget to update your identity provider to use the new token after such an action.

  • Set up the default user role and default access settings for workspace members. These are the settings for any new user added to your workspace by SCIM. Make sure you choose the right options for your team.

☝️ You can enable/disable SCIM provisioning anytime from the Zeplin settings page

⚠️ If you own multiple workspaces in Zeplin, you will need to repeat these steps for each of your workspaces. Each workspace in Zeplin should be managed via a different application in your identity provider.

IdP Configuration

This process depends on your choice of an identity provider. Check out one of the help guides listed above for IdP-specific settings and actions. In general, you will need to:

  • Create a custom application for your Zeplin workspaces in your IdP. If you use an IdP portal, disable the visibility of this app (so users do not attempt to log in using it).

☝️ If you only have one workspace, and will only ever have one workspace, then you can use the same IdP app that you use for SAML authentication. Otherwise, use a custom app per workspace and you not need to configure any SAML parameters.

  • Configure the SCIM integration in the IdP app you are using for SCIM, using:

  • Enable your IdP to trigger User provisioning actions, generally called

    • Create Users

    • Update User Attributes

    • Deactivate Users

⚠️ Currently, Zeplin only support the SCIM /Users endpoint. Depending on your IdP, enabling Group processing will be silently ignored, or may cause your IdP to fail to enable SCIM.

  • Assign the users to this IdP app that you want as members of your Workspace

SCIM processing will begin immediately.

Disabling User Provisioning

You can disable user provisioning by clicking the Settings button at the top of your Workspace Members page and going to the “User provisioning” tab.

  • To temporarily disable SCIM provisioning, uncheck the option box for “Enable user provisioning with SCIM"

  • To permanently disable SCIM provisioning, delete the existing token.

⚠️ Deleting the token will cause SCIM actions to fail authentication in your IdP. You should disable the SCIM configuration in your IdP after this action.

Did this answer your question?