Introduction
In this article we will provide information about how to set up SCIM user provisioning between your internal user directory and fynk in no time.
Prerequisites
To establish user provisioning capabilities with fynk, you can use any user directory that supports SCIM, such as Entra ID (Azure AD), Okta, or Google Workspace.
You will need assistance from an internal IT Admin to set up user provisioning. Additionally, a user with the "Admin" or "Owner" role in fynk is required to access the SCIM setup page.
This setup process can be completed by two individuals working together: a fynk account owner or admin and an internal IT admin. Alternatively, it can be done by an internal IT admin who also has a fynk user account with "Admin" or "Owner" role. If the internal IT admin only needs access temporarily for the SSO setup, you can remove their user account afterward.
Any fynk user with an "Admin" or "Owner" role can invite the internal IT admin as a user.
Though it is not strictly necessary, we suggest setting up single-sign-on (SSO) first. This also needs to be done by an internal IT admin with access to fynk. You can find the documentation for SSO here: https://help.fynk.com/en/articles/183167-configuring-sso-in-fynk
How to configure SCIM in fynk
To access SCIM configuration settings within your fynk account, go to the SCIM settings (https://app.fynk.com/account-settings/integrations/scim).
To create a new SCIM integration, click on the [Create] button. You will now see the base url and API token needed to configure SCIM in your user directory.
How to set up SSO with Entra ID (Azure AD)
If you already have an app set up for SSO with fynk, you can use it to also cover SCIM. If you need to set up an app first, please check out our documentation on SSO here: https://help.fynk.com/en/articles/183167-configuring-sso-in-fynk#h_643716a91a
Once you've created the app, you'll need four user groups to reflect the four user roles in fynk. These user groups can be named in any way but the name must contain the following strings:
account-manager
account-editor
account-admin
account-owner
Once you have set up the groups, be sure to:
add the groups to the Entra ID app you want to use for SCIM provisioning.
add all users to their respective role group
NOTE: Once provisioning is activated, users will be synced. This means that all users that are not added to their respective groups will be removed as fynk users. and all users that are in a different group than their reflected role in fynk will have their role changed. This can potentially lead to users being locked out of fynk or of specific content, such as the account settings section.
Next up we need to set up provisioning for the app. To do so, open the app and navigate to [Provisioning]. There, set Provisioning mode to automatic. Now you can copy the URL and Token from fynk to the respective fields in Entra ID:
Afterwards, click on "Test Connection". After the connection was verified, click the save button and expand the "Mappings" Section:
Here, select "Provision Microsoft Entra ID Users and remove all attributes but
userName
active
name.givenName
name.familyName
externalId
Now, hit the [save] button and return back to the provisioning overview. There, just click on [Start provisioning] and the user provisioning will be active.
Frequently asked questions
How can I set up SCIM provisioning with providers other than Entra ID?
We will add more content to this article in the future and probably add Okta and Google workspaces next. If you need help configuring SCIM with another provider or if we are missing your provider, please let us know via Chat or email to our support team.
Can I just use the provisioning without the role assignment?
Unfortunately, this is not possible yet. In this case, all users would be downgraded to "Manager" role.
Can I also add team memberships via provisioning?
As of now, team management via SCIM is not implemented. please let us know, if you would need this kind of functionality.
Can users still be managed in fynk after provisioning was activated?
Users can still be managed in fynk, but every SCIM sync will revert those changes as it always aims to reflect the user directory. Perspectively we'll probably deactivate user management entirely for SCIM managed accounts.