SCIM provisioning
SCIM (System for Cross-domain Identity Management) 2.0 is an open standard for automating user and group provisioning between identity providers and applications. With SCIM, your identity provider can automatically create, update, and deactivate staff accounts in ClassLark without manual intervention.
Benefits of SCIM
- Automated user provisioning: New staff are automatically created when added to your identity provider
- Automatic updates: Changes to staff details (name, email, role) sync automatically
- Deprovisioning: Staff removed from your identity provider are automatically deactivated
- Group management: Create staff groups in your identity provider and sync them to ClassLark
- Reduced administrative overhead: No need to manually add or remove staff accounts
Before you begin
- SCIM provisioning requires technical setup by your IT staff
- Your identity provider must support SCIM 2.0 (Azure AD, Okta, Google Workspace, OneLogin, etc.)
- Single sign-on (SSO) should be configured first (see SSO documentation)
- Staff and groups managed by SCIM cannot be edited manually. Any changes will need to be completed in your identity provider.
Setting up SCIM
Step 1: Request SCIM credentials
Contact our support team to request SCIM access for your account. We'll provide you with a unique API token that can be used to connect to the SCIM API.
Your API token provides full access to manage users and groups in your account. Store it securely and never share it publicly. If compromised, contact support immediately to revoke and regenerate the token.
Step 2: Configure your identity provider
Configure your identity provider's SCIM application with the following settings:
General settings
- SCIM Base URL: https://api.classlark.com
- Authentication: Bearer Token
- Token: Use the API token provided by support
- SCIM Version: 2.0
User attributes mapping
Map the following attributes from your identity provider to ClassLark:
| Staff attribute | SCIM attribute | Required | Description |
|---|---|---|---|
userName | Yes | Staff email address (must be unique) | |
| First name | name.givenName | Yes | Staff first name |
| Last name | name.familyName | Yes | Staff last name |
| Type | userType | Yes | One of: Staff, Event Manager, Finance Manager, Administrator |
| External ID | externalId | No | Your internal staff identifier |
Map roles in your identity provider based on staff responsibilities. Most staff should be assigned the "Staff" role, with elevated permissions only for those who need them.
Additional fields for staff can also be managed by SCIM
| Staff attribute | SCIM attribute | Description | Example |
|---|---|---|---|
| Subjects | urn:ietf:params:scim:schemas:extension:school-event-planner:2.0:User:subjects | Teaching subjects/areas | "Mathematics, Physics" |
| Default room | urn:ietf:params:scim:schemas:extension:school-event-planner:2.0:User:room | Room number/location | "A113" |
| Default meeting URL | urn:ietf:params:scim:schemas:extension:school-event-planner:2.0:User:meetingUrl | Virtual meeting link | "https://zoom.us/my/teacher" |
Step 3: Configure group provisioning (optional)
If you want to sync staff groups from your identity provider:
- Enable group provisioning in your identity provider's SCIM settings
- Map the following attributes:
- Display Name: Group name
- Members: Group members
Groups in ClassLark can be used to create shared booking slots where multiple staff members share the same time slots.
Step 4: Test the integration
Before enabling automatic provisioning for all staff:
- Create a test user in your identity provider
- Assign them to the ClassLark SCIM application
- Verify the user appears in ClassLark under the Staff section
- Update the test user's details and verify changes sync
- Remove the test user and verify they're deactivated in ClassLark
Step 5: Enable provisioning
Once testing is successful:
- Assign existing staff to the SCIM application in your identity provider
- Enable automatic provisioning
- Monitor the initial sync to ensure all staff are created correctly
Troubleshooting
Users not syncing
- Verify the API token is correct and has not expired
- Check that users are assigned to the SCIM application in your identity provider
- Ensure required fields (email, first name, last name, userType) are mapped
- Check your identity provider's provisioning logs for errors
Duplicate user errors
If you receive duplicate user errors:
- Ensure email addresses are unique across all staff
- Consider using the
externalIdfield to map existing users
Role mapping issues
Ensure the userType field maps exactly to one of:
StaffEvent ManagerFinance ManagerAdministrator
Values are case-sensitive and must match exactly.
Groups not appearing
- Verify group provisioning is enabled in your identity provider
- Check that groups have members assigned
- Ensure the
displayNameattribute is mapped correctly
Disabling SCIM
If you need to disable SCIM provisioning, you can disable SCIM from within your identity provider, and contact our support team to revoke your API token.
Disabling SCIM will not remove existing staff accounts, but will still prevent manual changes to any staff or groups set up by SCIM. To edit these, contact our support team.
Need help?
If you encounter issues setting up SCIM or need assistance with your specific identity provider, contact our support team with:
- your identity provider name and version
- any error messages from provisioning logs
We'll work with you to ensure a smooth integration with your identity provider.