Why use SCIM?
Single source of truth - SCIM allows you to manage your users and groups in a single place, in your identity provider.
Automated - SCIM is an automated process that syncs your users and groups from your identity provider to Sana Agents.
Proactive - SCIM allows you to proactively provide access to assets to users in Sana Agents before they have signed in for the first time.
Prerequisites
Owner access to the Sana Agents workspace.
Domain Control Validation for the email domain of each synced user.
SAML SSO should already be configured in Sana Agents. If not, you can follow our SSO guide.
If your SSO configuration in Sana Agents is marked as Legacy, you need to migrate it to a new configuration.
Access to set up SCIM in your identity provider.
Setup in Sana Agents
Log in as an owner to your Sana Agents workspace.
Navigate to Settings → Workspace settings... → General and scroll down to Sign in methods.
Expand the SAML SSO configuration you want to configure SCIM for.
Under the SCIM heading you can find the Base url.
Click the Generate token button and copy the SCIM token to your clipboard.
Setup in Identity provider
Follow the generic instructions or look below for instructions to specific identity providers.
Overview
In your identity provider, navigate to the SSO application you have set up for Sana Agents.
Find the SCIM or provisioning section and enter the SCIM token and Base url you got from Sana Agents. The token is an Authorization header bearer token.
Use userName as the user identifier field.
Assign users and groups that you want to synchronize.
Enable the synchronization.
Microsoft Azure / Entra
In the search box, type "enterprise" and then click on the Enterprise applications result.
On the Enterprise applications page, search for the application you previously configured for Sana Agents and then click the correct entry in the list.
Click the Provision User Accounts card.
Click the New configuration button.
Paste the secret token and the base url into the Admin credentials fields. Then click the Test connection button.
When the test completes successfully, click the Create button at the bottom of the page.
In the left-hand menu, click the Attribute mapping (Preview) option.
In the list, click the Provision Microsoft Entra ID Users entry.
In the Attribute Mappings, make sure to use the same value for userName as you use for Name ID in the SAML attribute configuration. If a different value is used, the user will have trouble signing in or, in the worst case, get a separate user created for them.
Assign the users and groups that you want to synchronize.
Enable the synchronization from the overview by clicking on the Start provisioning button.
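The userName / Name ID consistency required in the attribute-mapping step, and the Domain Control Validation prerequisite, can be checked against a directory export before provisioning is started. The Python script below is an added example, not part of Sana's documentation or tooling; the attribute names, domains and user records are constructed, and it assumes userName is an email address and that the two identifiers must match exactly.

```python
# Added example: pre-flight check of the identifiers an IdP would send.
# Attribute names, domains and users below are constructed sample data.

VALIDATED_DOMAINS = {"example.com"}  # assumed: domains that passed Domain Control Validation

# Assumed IdP mappings: which directory attribute feeds each value.
SAML_NAME_ID_ATTR = "mail"
SCIM_USERNAME_ATTR = "userPrincipalName"

USERS = [  # constructed directory export
    {"id": "u1", "mail": "ana@example.com", "userPrincipalName": "ana@example.com"},
    {"id": "u2", "mail": "bo@example.com", "userPrincipalName": "bo@corp.example.net"},
    {"id": "u3", "mail": "Cy@example.com", "userPrincipalName": "cy@example.com"},
    {"id": "u4", "mail": "di@partner.example.org", "userPrincipalName": "di@partner.example.org"},
]


def check_user(user, saml_attr=SAML_NAME_ID_ATTR, scim_attr=SCIM_USERNAME_ATTR,
               domains=VALIDATED_DOMAINS):
    """Return a list of problems for one user; an empty list means consistent."""
    problems = []
    name_id = user.get(saml_attr) or ""
    user_name = user.get(scim_attr) or ""
    if not name_id or not user_name:
        problems.append("missing-identifier")
    elif name_id != user_name:
        # Case-only differences are reported separately: whether they matter
        # depends on how the service compares identifiers, so treat them as a risk.
        same_ignoring_case = name_id.lower() == user_name.lower()
        problems.append("case-mismatch" if same_ignoring_case else "value-mismatch")
    # Assumption: userName is an email address, so its domain must be validated.
    domain = user_name.rpartition("@")[2].lower()
    if user_name and domain not in domains:
        problems.append("unvalidated-domain")
    return problems


def preflight(users=USERS):
    """Map user id -> problems, only for users that have at least one problem."""
    report = {}
    for user in users:
        problems = check_user(user)
        if problems:
            report[user["id"]] = problems
    return report


if __name__ == "__main__":
    for uid, problems in preflight().items():
        print(uid, ", ".join(problems))
```

Users reported with a mismatch are the ones at risk of sign-in trouble or a duplicate account once synchronization is enabled.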
Okta
Log in to the Okta admin dashboard. Navigate to the Applications page, search for the app you previously configured for Sana Agents, and then click the app in the search results.
Navigate to the General tab, and then click the Edit button in the APP Settings box.
Change the Provisioning setting to SCIM and click Save.
Navigate to the newly appeared Provisioning tab and click the edit button.
Apply the changes described below.
Change the Authentication Mode dropdown to HTTP Header and paste the previously copied token into the Authorization field.
Copy the SCIM Base url from the Sana Agents SSO configuration and paste it into the field marked SCIM connector base URL.
Write "userName" in the Unique identifier field for users.
Update the Supported provisioning actions checkboxes as desired. Our suggestion is to only enable the push options.
Click the Test Connector Configuration button, fix any errors and retest until you get the message Connector configured successfully.
Click the Save button.
Click the Edit button in the To App settings.
Check the boxes Create Users, Update User Attributes, and Deactivate Users. Then click Save.
Setup done
Users and groups should now sync from your identity provider to Sana Agents.