Skip to main content

Configuring SCIM with fynk

How to set up user provisioning with fynk

Stefanie Kotynek avatar
Written by Stefanie Kotynek
Updated over 2 weeks ago

Introduction

In this article we will provide information about how to set up SCIM user provisioning between your internal user directory and fynk in no time.

You can use any directory that supports SCIM, such as Microsoft Entra ID (formerly Azure AD), Okta, or Google Workspace.

Prerequisites

You will need:

  • Support from an internal IT administrator

  • A fynk user account with the Admin or Owner role to access SCIM settings

Provider-specific requirements:

  • Microsoft Entra ID tenant with a license that supports app provisioning (e.g. Entra ID P1 or P2)

  • Okta admin account (with permissions for app integrations and provisioning)

πŸ’‘ Tip: We recommend creating two separate applications: one for SSO and one for SCIM. Enabling SSO first makes the SCIM setup easier later on.

Accessing SCIM settings in fynk

The configuration can be completed together by:

  • a fynk account owner or admin, and

  • an internal IT administrator

πŸ’‘ Note: Alternatively, the setup can be done by the IT administrator alone if they (temporarily) have a fynk user account with the Admin or Owner role.

Steps:

  1. Open fynk and go to Settings β†’ Integrations β†’ SCIM

  2. Click Create to start a new SCIM integration

  3. You’ll see the API token and Base URL β€” you’ll need these later in Microsoft Entra ID or Okta

Setting up SCIM in Microsoft Entra ID

1. Create an app

We recommend creating two applications: one for SSO and one for SCIM provisioning

2. Create user groups

In Entra ID, create five groups that correspond to fynk roles.
Group names can be chosen freely, but must contain the following strings:

  • account-limited-manager

  • account-manager

  • account-editor

  • account-admin

  • account-owner

Then:

  • Assign these groups to the Entra ID app used for SCIM

  • Add all users to their respective role groups#

⚠️ Important: Once provisioning is enabled:

  • Users without a matching group will be removed from fynk

  • Users whose group does not match their current role will be automatically updated in fynk. This may result in users losing access to fynk or specific areas such as Account Settings.

3. Enable provisioning

  • Open your app in Entra ID and Navigate to Provisioning

  • Set Provisioning Mode to Automatic

  • Enter the fynk Base URL and API token

  • Click Test Connection

  • If successful, click Save

4. Adjust attribute mappings

  1. Open Mappings

  2. Select Provision Microsoft Entra ID Users

⚠️ Important: Remove all attributes except:

  • userName

  • active

  • name.givenName

  • name.familyName

  • externalId

5. Start provisioning

  • Click Save to apply the mappings

  • Return to the provisioning overview

  • Select Start provisioning to activate synchronization

Setting up the SCIM integration in Okta

1. Create the fynk app in Okta

  • Log in to your Okta Admin Dashboard

  • Go to Applications β†’ Applications

  • Click Create App Integration

  • Select:

    • Sign-in method: SAML 2.0
      (If SSO is already enabled, the same app can also be used for SCIM)

    • Provisioning method: SCIM 2.0

  • Click Next

  • Name your app (optional: upload a logo)

Configure SAML settings

  • ACS URL from fynk β†’ Single sign-on URL

  • SP Entity ID from fynk β†’ Audience URI (SP Entity ID)

  • Name ID format β†’ EmailAddress

  • Click Next

  • Skip optional Okta questions

  • Click Finish

Applications β†’ Sign On

  • Copy the Metadata URL from Okta and paste it into fynk

  • Use the button to load all remaining information automatically

  • Click Save in fynk

Configure SSO in Okta

  • In Okta, go to General

  • Under Provisioning, click SCIM

  • Click Save

2. Configure the SCIM connection

  • In Okta, open Provisioning β†’ Integration

  • Enable API Integration

Enter the following:

  • SCIM connector base URL β†’ from fynk SCIM settings

  • Unique identifier field for users β†’ choose username OR email

  • Select supported provisioning actions

  • Set Authentication Mode to HTTP Header

  • Copy the API Token from fynk and paste it into Okta

  • Click Test Connector Configuration

  • Click Save

3. Enable user provisioning

Go to Provisioning β†’ To App

  • enable all options except ❌ Sync Password

  • Enabled options:

    • Create Users

    • Update User Attributes

    • Deactivate Users

  • Click Save

Attribute mapping

⚠️ Important: Remove all attributes except:

  • userName

  • givenName

  • familyName

  • email

4. Create user groups

  1. Go to Directory β†’ Groups

  2. Create groups corresponding to fynk roles (names must contain the following strings):

  • account-limited-manager

  • account-manager

  • account-editor

  • account-admin

  • account-owner

Push groups

  • Go to Applications β†’ Push Groups

  • Push each group so it becomes active and connected

  • Select a group and click Save

Assign users

  • Go to Applications β†’ Assignments

  • Assign users to the appropriate groups

⚠️ Important: Once provisioning is enabled:

  • Users without a matching group will be removed from fynk

  • Role mismatches will be corrected automatically. This may limit access to fynk or specific sections such as Account Settings.

5. Start provisioning

  • Navigate to the fynk app in Okta

  • Open Provisioning β†’ To App

  • Click Force Sync to trigger the initial sync

  • After that, users are synchronized automatically (default interval: every 20–40 minutes).

Frequently Asked Questions

How can I set up SCIM provisioning with providers other than Entra ID?

If you need help configuring SCIM with another provider β€” or if we’ve missed your provider β€” please contact us via chat or email our support team.

Can I use provisioning without role assignment?

Unfortunately, this is not supported at the moment.
In this case, all users would be downgraded to the Manager role.

Can team memberships be managed via provisioning?

Team management via SCIM is currently not implemented.
Let us know if this functionality is important for you.

User management after activation

fynk users can still be managed directly in the product.
However, manual changes will be overwritten during the next SCIM sync.

In the long term, manual management for SCIM-managed users may be disabled.

Deactivating SCIM synchronization

If provisioning is disabled:

  • Existing users remain in fynk

  • Future changes from Entra ID or Okta are no longer synchronized

Which license is required for Entra ID provisioning?

SCIM provisioning requires at least Microsoft Entra ID P1 or P2.

Which license is required for Okta provisioning?

An Okta admin account with permissions for app integrations and provisioning is required.

How often does synchronization run?

By default, every 20–40 minutes.
A manual sync can be triggered in Entra ID via Sync now.

Known limitations (Microsoft & SCIM standard)

  • Nested groups are currently not supported

  • Group memberships cannot yet be used as team assignments in fynk

  • In certain cases, Entra ID may deviate from the SCIM 2.0 standard
    (see Microsoft’s SCIM provisioning known issues for details)

πŸ’β€β™€οΈ Our expert Support Team is on standby. Engage with us via our chat feature or reach out at [email protected] for any assistance πŸš€.

Related Articles
Managing account settings in fynk
User roles in fynk
Configuring SSO in fynk
Initial Account Setup - Users & Access
Initial Account Setup - Language, Internal Parties and Account Security
Did this answer your question?