> ## Documentation Index
> Fetch the complete documentation index at: https://docs.base44.com/llms.txt
> Use this file to discover all available pages before exploring further.
# SCIM provisioning
> Automatically sync your identity provider's users with your Base44 enterprise workspace using SCIM 2.0.
SCIM (System for Cross-domain Identity Management) lets your identity provider (IdP) automatically manage Base44 workspace members. When someone joins or leaves your organization in your IdP, Base44 is updated automatically, with no manual invites or removals needed.
SCIM provisioning is available on enterprise workspaces only.
Base44 supports SCIM 2.0 with the following identity providers:
* **Okta**
* **Microsoft Entra ID** (formerly Azure AD)
* **Custom IdP**, any SCIM 2.0-compatible identity provider
***
## Before you begin
Before setting up SCIM, make sure you have:
* Owner or admin access to your Base44 workspace
* A Workspace API key (found in **Settings** → **Secrets**)
* Your SCIM Base URL (found in **Settings** → **Auth and security**)
***
## IdP setup
Select your identity provider below for step-by-step setup instructions.
Okta is a cloud-based identity provider. Use this setup if your organization manages users through Okta.
### Step 1: Create a SCIM app in Okta
Okta OIDC apps do not support SCIM directly, so you need a separate SCIM app.
**To create a SCIM app:**
1. In Okta, go to **Applications** → **Browse App Catalog**.
2. Search for **SCIM 2.0 Test App (Header Auth)**.
3. Click **Add Integration**.
4. Name the app (for example, `Base44 - SCIM Provisioning`).
5. Click **Done**.
### Step 2: Connect the app to Base44
Point Okta to your Base44 workspace by entering your SCIM Base URL and Workspace API key.
**To configure the API integration:**
1. Open your new SCIM app and go to the **Provisioning** tab.
2. Click **Configure API Integration**.
3. Check **Enable API integration**.
4. Set the **SCIM 2.0 Base URL** to the URL copied from **Settings** → **Auth and security** in your Base44 workspace.
5. Set **API Token** to your Workspace API key.
6. Click **Test API Credentials**. You should see a success confirmation.
7. Click **Save**.
### Step 3: Enable provisioning actions
Choose which actions Okta can perform on Base44 workspace members.
**To enable provisioning:**
1. In the **Provisioning** tab, click **To App**.
2. Enable:
* **Create Users**
* **Update User Attributes**
* **Deactivate Users**
3. Click **Save**.
### Step 4: Set up custom attributes
Add Base44-specific attributes to your Okta profile and map them to your SCIM app.
**To add the `role` attribute:**
1. Go to **Directory** → **Profile Editor** and find your SCIM app.
2. Click **Add Attribute**.
3. Fill in the settings:
* **Data type:** String
* **Display name:** Role
* **Variable name:** `role`
* **External name:** `role`
* **External namespace:** `urn:base44:params:scim:schemas:extension:user:2.0`
* **Enum:** Check **Define enumerated list of values** and add `admin`, `editor`, `viewer`
* **Attribute required:** No
4. Click **Save**.
**To add the `creditLimit` attribute (optional):**
Skip this if you do not want per-member credit caps. The default is no cap.
1. In the same Profile Editor, click **Add Attribute**.
2. Fill in the settings:
* **Data type:** Integer
* **Display name:** Credit Limit
* **Variable name:** `creditLimit`
* **External name:** `creditLimit`
* **External namespace:** `urn:base44:params:scim:schemas:extension:user:2.0`
* **Attribute required:** No
3. Click **Save**.
**To map the attributes:**
1. Go to your SCIM app → **Provisioning** → **To App** → **Attribute Mappings**.
2. Set:
* `userName` ← `user.email`
* `role` ← `"editor"` (or map from your IdP's role attribute)
* `creditLimit` ← your preferred value or IdP attribute (if you added it)
3. Remove any unsupported mappings (firstName, lastName, displayName).
4. Click **Save**.
### Step 5: Test provisioning
Assign a test user to confirm that provisioning and deactivation work as expected.
Each user must be assigned to both your **Base44 SSO** app and your **Base44 SCIM Provisioning** app in Okta. Assigning to SCIM only will provision the user but they will not be able to log in via SSO.
**To test that provisioning works:**
1. In Okta, go to **Directory** → **People**.
2. Click on your test user.
3. Go to the **Applications** tab.
4. Click **Assign Applications**.
5. Select **Base44 - SSO Workspace** and **Base44 - SCIM Provisioning**, then click **Assign**.
6. Set `role` to `editor`, `admin`, or `viewer`. Optionally set `creditLimit`.
7. Click **Save and Go Back** → **Done**.
8. Check your Base44 workspace members to confirm the user appeared.
**To test deactivation:**
1. In the **Assignments** tab, click **Unassign** next to the test user.
2. Confirm the removal.
3. Check that the user no longer appears as an active member in Base44.
Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud identity platform. Use this setup if your organization manages users through Microsoft 365 or Azure.
### Step 1: Create an enterprise application
Create a new enterprise application in Entra to represent your Base44 SCIM integration.
**To create an enterprise application:**
1. In the Microsoft Entra admin center, go to **Identity** → **Applications** → **Enterprise applications**.
2. Click **New application**.
3. Click **Create your own application**.
4. Enter a name (for example, `Base44 SCIM Provisioning`) and select **Integrate any other application you don't find in the gallery**.
5. Click **Create**.
### Step 2: Configure provisioning
Connect Entra to your Base44 workspace using your SCIM Base URL and Workspace API key.
**To configure SCIM provisioning:**
1. Open your new enterprise application and go to **Provisioning**.
2. Set **Provisioning Mode** to **Automatic**.
3. Under **Admin Credentials**, set:
* **Tenant URL:** The SCIM Base URL copied from **Settings** → **Auth and security** in your Base44 workspace.
* **Secret Token:** Your Workspace API key.
4. Click **Test Connection** to verify the credentials.
5. Click **Save**.
### Step 3: Configure attribute mappings
Add Base44-specific attributes to the Entra attribute mappings so roles and credit limits are synced correctly.
**To add the `role` attribute mapping:**
1. Under **Mappings**, click **Provision Microsoft Entra ID Users**.
2. Click **Add New Mapping**.
3. Set:
* **Mapping type:** Expression or Constant
* **Source attribute:** The Entra attribute that stores the user's role, or a constant such as `"editor"`
* **Target attribute:** `urn:base44:params:scim:schemas:extension:user:2.0:role`
4. Click **OK**.
**To add the `creditLimit` attribute mapping (optional):**
1. Click **Add New Mapping**.
2. Set:
* **Mapping type:** Constant or Expression
* **Source attribute:** Your preferred source
* **Target attribute:** `urn:base44:params:scim:schemas:extension:user:2.0:creditLimit`
3. Click **OK**.
4. Click **Save**.
### Step 4: Assign users and start provisioning
Choose which users or groups should be provisioned to Base44, then activate the sync.
**To assign users to Base44:**
1. Go to **Users and groups** in your enterprise application.
2. Click **Add user/group**.
3. Select the users or groups you want to provision to Base44.
4. Click **Assign**.
**To start provisioning:**
1. Go to **Provisioning**.
2. Click **Start provisioning**.
Entra will begin syncing the assigned users to your Base44 workspace.
Any SCIM 2.0-compatible identity provider can connect to Base44. Use the following settings to configure your IdP.
### Connection settings
Use the following values when configuring SCIM in your IdP.
| Setting | Value |
| ------------------ | ----------------------------------------------------------------------- |
| **SCIM base URL** | Copy from **Settings** → **Auth and security** in your Base44 workspace |
| **Authentication** | HTTP header: `Authorization: YOUR_WORKSPACE_API_KEY` |
| **SCIM version** | 2.0 |
Your Workspace API key goes directly in the `Authorization` header. Both `Authorization: YOUR_API_KEY` and `Authorization: Bearer YOUR_API_KEY` are accepted.
### Attribute mapping
Map the following attributes in your IdP:
| SCIM field | Value | Notes |
| --------------------------------------------------------------- | ------------------------------ | -------------------------------------------------------------------------------------- |
| `userName` | User's email address | Required |
| `urn:base44:params:scim:schemas:extension:user:2.0:role` | `admin`, `editor`, or `viewer` | Defaults to `viewer` if omitted |
| `urn:base44:params:scim:schemas:extension:user:2.0:creditLimit` | Non-negative integer | Optional. Leave empty for no per-member cap. Setting this to `0` is treated as no cap. |
When sending extension attributes, include the Base44 extension schema URI in the `schemas` array of your SCIM request:
```
urn:base44:params:scim:schemas:extension:user:2.0
```
***
## Managing your members
Once SCIM is set up, your IdP handles membership changes automatically. Here is what happens in Base44 for each action.
### Adding members
When you assign a user to your SCIM app, Base44 creates their workspace membership automatically. The user can sign in to Base44 using SSO once they are provisioned.
### Updating members
When you update a user's attributes in your IdP (such as their role or credit limit), Base44 updates their workspace membership to match.
Workspace owners cannot be updated or deactivated via SCIM. Owners must be promoted or demoted from the workspace settings directly.
### Removing members
When you unassign a user from your SCIM app, Base44 removes them from the workspace. Their platform-wide Base44 account is not deleted, and they retain access to any other workspaces they belong to.
If you need to re-add a previously removed member, re-assign them in your IdP. Base44 will create a new workspace membership.
***
## Roles
Base44 uses roles to control what each member can do. You assign a role when provisioning a user via SCIM, and you can update it at any time.
| Role | What they can do |
| -------- | --------------------------------------------------------------- |
| `admin` | Manage members, billing, and workspace settings |
| `editor` | Build, edit, and run apps; uses credits from the workspace pool |
| `viewer` | Read-only access to apps; does not consume credits |
`owner`, `member`, and `guest` roles cannot be assigned via SCIM. If your IdP has groups mapped to those roles, update the mapping to use `admin`, `editor`, or `viewer` instead.
### Per-member credit limits
You can optionally cap how many credits a single member can use per month. Set `creditLimit` to a positive integer to apply a cap, or leave it empty for no limit.
Credit limits only apply to `admin` and `editor` roles. Viewers cannot consume credits, so setting a credit limit on a viewer returns an error. Setting `creditLimit` to `0` is treated as no cap.
You can also set credit limits directly from your workspace settings without going through SCIM. See [Managing enterprise workspace members](/Enterprise/managing-enterprise-members#per-member-credit-limits).
***
## Troubleshooting
If provisioning is not working as expected, the steps below cover the most common errors and how to fix them.
Check that your Workspace API key is correct. Verify the SCIM Base URL was copied from Settings → Auth and security and has not been modified.
Check your IdP's provisioning logs for specific errors. Confirm `role` is set to `admin`, `editor`, or `viewer`.
This is by design. Workspace owners must be promoted or demoted from the Base44 dashboard. SCIM cannot modify owner memberships.
`creditLimit` can only be set on `admin` or `editor` roles. Either change the role to `editor` or `admin`, or remove the `creditLimit` value.