Getting Started
Migration Guide
Setup
Users
Profiles
Campaigns
Creators
TikTok Creator Marketplace
Reports
One-Sheet Builder
Integrations
Influencer Marketing FAQs

Influencer Marketing: User Provisioning using SCIM (Early Access)

Table of Contents

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) is an open standard that allows you to automatically manage user identities across different systems. With SCIM provisioning enabled, your identity provider (IdP) - such as Okta, Microsoft Entra ID, or OneLogin - can automatically create, update, and deactivate user accounts in Sprout Social Influencer Marketing, keeping your team roster in sync without any manual work.

What does SCIM do?

  • Automatic user creation — When you assign someone to the Sprout Social Influencer Marketing application in your IdP, their account is automatically created.
  • Profile sync — Changes to a user's name, email, or phone number in your IdP are automatically reflected in Sprout Social Influencer Marketing.
  • Automatic deactivation — When you unassign or deactivate a user in your IdP, their account is deactivated and all active sessions are revoked immediately.
  • Reactivation — Re-assigning a previously deactivated user in your IdP reactivates their account.

Prerequisites

Before setting up SCIM provisioning, make sure that:

  • SSO is enabled — SCIM requires Single Sign-On (SSO) to be configured for your organization first. See our Influencer Marketing: Single Sign-on documentation page if you haven't enabled it yet.
  • You have admin access in both Sprout Social Influencer Marketing and your identity provider.

Important: Most identity providers (including Okta, Microsoft Entra ID, and OneLogin) do not support SCIM provisioning on OIDC applications. You will need to create two separate apps in your IdP — one for SSO (OIDC) and one for SCIM provisioning. To keep user assignments in sync, we recommend creating a user group in your IdP and assigning it to both applications. This way, any user added to the group is automatically assigned to both SSO and SCIM.

Setting up SCIM in Sprout Social Influencer Marketing

Before configuring your identity provider, you need to enable SCIM and generate a bearer token in Sprout Social Influencer Marketing.

Step 1: Enable SCIM provisioning

  1. Go to Settings → Security.
  2. Find the SCIM Provisioning section.
  3. If SCIM is not yet enabled, click Enable. If you see a Disable button, SCIM is already active.

Step 2: Generate a SCIM token

  1. Click Generate Token.
  2. A dialog will appear warning you that the token will only be shown once. Click Generate.
  1. Copy the token using the Copy token to clipboard button. Store it in a secure location — you will not be able to view it again.
  2. Click Done.

After generating the token, you'll see it listed (partially masked) in the SCIM Provisioning section along with who created it and when.

 

Important: If you lose the token, click Regenerate Token to create a new one. This will invalidate the previous token and you will need to update it in your identity provider.

Values you'll need for your identity provider

Field Value
SCIM Base URL (Tenant URL) https://influencer.sproutsocial.com/scim/v2
Authentication method HTTP Header / OAuth Bearer Token
Bearer Token (API Token) The token you copied in Step 2

Configuring Okta

Note: Okta does not support SCIM provisioning on OIDC applications. If you already have an OIDC app configured for SSO, you will need to create a separate application for SCIM. We recommend creating a user group and assigning it to both apps so that users are provisioned for SSO and SCIM at the same time.

  1. In the Okta Admin Console, go to Applications → Applications and click Create App Integration.
  2. Select SWA - Secure Web Authentication as the sign-in method and click Next.
  3. Name the application (e.g., "Sprout Social Influencer Marketing - SCIM") and click Finish.
  4. Go to the General tab, scroll to App Settings, and click Edit. Under Provisioning, select SCIM and click Save.
  5. Go to the Provisioning tab and click Edit.
  6. Enter the following:
    • SCIM connector base URL: https://influencer.sproutsocial.com/scim/v2
    • Unique identifier field for users: userName
    • Supported provisioning actions: check Push New Users, Push Profile Updates, and Push Groups.
    • Authentication Mode: HTTP Header
    • Authorization: Paste the SCIM token you generated in Sprout Social Influencer Marketing.
  7. Click Test Connector Configuration to verify the connection. You should see a success message.
  8. Click Save.
  9. On the Provisioning tab, go to To App and click Edit.
  10. Enable the following:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  11. Click Save.
  12. Go to the Assignments tab to assign users or groups to the application. Assigned users will be automatically provisioned in Sprout Social Influencer Marketing.

Configuring Microsoft Entra ID (Azure AD)

Note: Entra ID does not support SCIM provisioning on OIDC app registrations. You will need to create a separate Enterprise application for SCIM provisioning. This is a different section from App registrations where your SSO (OIDC) app is configured. We recommend creating a user group and assigning it to both apps so that users are provisioned for SSO and SCIM at the same time.

  1. In the Microsoft Entra admin center, go to Identity → Applications → Enterprise applications.
  2. Click New application, then Create your own application.
  3. Name the application (e.g., "Sprout Social Influencer Marketing - SCIM"), select Integrate any other application you don't find in the gallery (Non-gallery), and click Create.
  4. Go to Provisioning in the left sidebar and click Get started.
  5. Set Provisioning Mode to Automatic.
  6. Under Admin Credentials, enter:
    • Tenant URL: https://influencer.sproutsocial.com/scim/v2
    • Secret Token: Paste the SCIM token you generated in Sprout Social Influencer Marketing.
  7. Click Test Connection to verify that Entra ID can connect. You should see a confirmation message.
  8. Click Save.
  9. Expand the Mappings section. Click on Provision Microsoft Entra ID Users to review the attribute mappings. The following attributes are supported:
    • userName → user's email address
    • displayName
    • name.givenName
    • name.familyName
    • emails[type eq "work"].value
    • phoneNumbers[type eq "work"].value
    • active
    • externalId
  10. We recommend mapping the Entra ID objectId (oid) attribute to externalId. This ensures each user has a stable, unique identifier that persists even if their email address changes.
  11. Remove or disable any mappings for unsupported attributes to avoid provisioning errors.
  12. Go back to the Provisioning page and set Provisioning Status to On.
  13. Assign users or groups under Users and groups to start provisioning.

Note: Entra ID runs provisioning cycles approximately every 40 minutes. The initial cycle may take longer. You can trigger a manual sync by clicking Provision on demand.

Configuring OneLogin

Note: OneLogin does not support SCIM provisioning on OIDC applications. If you already have an OIDC app configured for SSO, you will need to create a separate application for SCIM. We recommend creating a user group (role) and assigning it to both apps so that users are provisioned for SSO and SCIM at the same time.

  1. In the OneLogin Admin portal, go to Applications → Applications and click Add App.
  2. Search for "SCIM Provisioner with SAML (SCIM v2 Core)" and select it.
  3. Name the application (e.g., "Sprout Social Influencer Marketing - SCIM") and click Save.
  4. Go to the Configuration tab.
  5. Enter the following:
    • SCIM Base URL: https://influencer.sproutsocial.com/scim/v2
    • SCIM Bearer Token: Paste the SCIM token you generated in Sprout Social Influencer Marketing.
  6. Set API Connection to Enabled and click Save.
  7. Go to the Provisioning tab.
  8. Check Enable provisioning.
  9. Configure the following workflows as needed:
    • When users are created in OneLogin → Create user
    • When users are deleted in OneLogin → Deactivate
    • When user accounts are suspended in OneLogin → Suspend
  10. Click Save.
  11. Go to the Parameters tab to review attribute mappings. Ensure the following are mapped:
    • Email (userName)
    • First Name (name.givenName)
    • Last Name (name.familyName)
  12. Go to Users to assign users to the application.

Supported attributes

The following user attributes are supported for provisioning:

SCIM Attribute Description
userName The user's email address (required, must be unique)
name.givenName First name
name.familyName Last name
displayName Full display name
emails Email addresses (primary email is used)
phoneNumbers Phone number
active Whether the user is active or deactivated
externalId External identifier from the identity provider

FAQ

What happens when I reactivate a user?

If a user was previously deactivated via SCIM and you re-assign them in your identity provider, their account will be reactivated and they can log in again.

I lost my SCIM token. How do I get a new one?

Go to Settings → Security → SCIM Provisioning and click Regenerate Token. You can choose to invalidate the old token immediately or after 24 hours to allow for a smoother transition. Make sure to update the new token in your identity provider configuration.

Can I have multiple SCIM tokens?

No. Only one active SCIM token is supported per organization. Regenerating a token replaces the existing one.

Which identity providers are supported?

Sprout Social Influencer Marketing should support any identity provider that implements the SCIM 2.0 standard. We have tested with the following providers:

  • Okta
  • Microsoft Entra ID (formerly Azure AD)
  • OneLogin

Do I need SSO enabled to use SCIM?

Yes. SSO must be enabled for your organization before you can set up SCIM provisioning. SSO handles authentication (how users log in), while SCIM handles user lifecycle management (creating, updating, and deactivating accounts).

Do I need two apps in my identity provider?

Most likely, yes. Most identity providers (including Okta, Entra ID, and OneLogin) do not support SCIM on OIDC applications, so you'll need a separate app for SCIM provisioning. Use a user group to assign users to both apps at the same time.

Was this article helpful?

0 out of 0 found this helpful