Skip to content
Skip to main content

Set up SCIM provisioning for the Dashboard

Last updated:

Use SCIM to let your identity provider (IdP) manage Nylas Dashboard membership automatically. When you provision a user in Okta or Microsoft Entra ID, they get a Dashboard account; when you deactivate them, their Dashboard sessions are revoked within seconds. SCIM builds on your existing SAML SSO setup and uses the same Provisioning step in the SAML SSO settings.

SCIM (System for Cross-domain Identity Management) is an open standard, defined in RFC 7644 and published in 2015, for syncing user accounts between an identity provider and an application. With SCIM enabled, your IdP pushes user create, update, and deactivate events to Nylas over authenticated HTTP requests, so Dashboard membership stays in sync with your directory without manual invites or removals.

The main reason enterprises adopt SCIM is offboarding. SAML SSO alone handles login, but a former employee keeps their Dashboard account until someone removes it by hand. With SCIM, deactivating a user in your IdP soft-deletes their organization membership and revokes every active session immediately, closing the gap where old access lingers after someone leaves.

SCIM sits on top of SAML SSO, so you complete the SAML steps first. You need Admin or Owner access on the Nylas organization, a verified company domain, and a saved IdP metadata configuration. The Generate token button stays disabled until both a verified domain and a connected IdP exist.

Confirm these three prerequisites before configuring SCIM:

  • At least one verified company domain (the Verify your company domain step shows a green checkmark).
  • A saved IdP configuration (the Connect your identity provider step shows your Connected IdP card). See Custom SAML.
  • An IdP that supports SCIM 2.0 provisioning, such as Okta or Microsoft Entra ID.

Your IdP authenticates to the Nylas SCIM endpoint with a bearer token. Each token is generated from 32 bytes of cryptographically secure randomness and stored only as a salted HMAC-SHA256 hash, so the Dashboard shows the full value once and can never display or recover it later. Generate one token per IdP integration and give each a description so you can tell them apart.

  1. Open Settings > SAML SSO in the Nylas Dashboard and expand the Provisioning step.
  2. Copy the SCIM base URL shown at the top of the step. It looks like https://dashboard-api.nylas.com/scim/v2. You paste this into your IdP.
  3. Click Generate token. Add an optional description (for example, Okta production) and click Generate.
  4. Copy the token from the Save your SCIM token dialog. This is the only time the full value appears.
  5. Select I have saved this token in a secure location, then click Done.

Generated tokens appear in the Bearer tokens table with their prefix, description, creation date, and last-used time. To retire a token, click Revoke. Revocation takes effect immediately, and the next SCIM request using that token returns 401 Unauthorized.

Okta pushes user lifecycle events to Nylas once you enable API integration on the same app you created for SAML. Provisioning to the app supports three actions: create users, update user attributes, and deactivate users. Assign users or groups to the app, then run an import so Okta reconciles its directory with your organization.

  1. In the Okta Admin Console, open the app you created for SAML and go to the Provisioning tab.
  2. Click Configure API Integration and select Enable API integration.
  3. Paste the values from the Nylas Provisioning step:
    • Base URL: the SCIM base URL, for example https://dashboard-api.nylas.com/scim/v2.
    • API Token: the bearer token you generated.
  4. Click Test API Credentials to confirm Okta can reach the endpoint, then Save.
  5. Under Provisioning > To App, enable Create Users, Update User Attributes, and Deactivate Users.
  6. On the Assignments tab, assign the users or groups that should have Dashboard access.
  7. Run Provisioning > Import or wait for the next sync cycle.

Okta’s default attribute mappings work without changes across the 3 user fields Nylas reads: it sends userName as the work email, givenName as the first name, and familyName as the last name.

Microsoft Entra ID (formerly Azure AD) provisions users through the same enterprise application you used for SAML. Entra sends a GET /scim/v2/ServiceProviderConfig request when you test the connection, so a successful test confirms the token and base URL are correct before any users sync.

  1. In the Azure portal, open Enterprise applications, select your Nylas application, and open the Provisioning blade.
  2. Set Provisioning Mode to Automatic.
  3. Under Admin Credentials, enter:
    • Tenant URL: the SCIM base URL, for example https://dashboard-api.nylas.com/scim/v2.
    • Secret Token: the bearer token you generated.
  4. Click Test Connection, then Save.
  5. Under Mappings, confirm the Provision Azure Active Directory Users mapping sends userPrincipalName to userName, givenName to name.givenName, and surname to name.familyName.
  6. Assign users under Users and groups, then set provisioning Status to On.

Entra runs an initial cycle within about 40 minutes of turning provisioning on, then syncs on a recurring schedule. Deactivating or unassigning a user sends a deprovision request to Nylas on the next cycle.

Each SCIM operation from your IdP maps to a specific change in your Nylas organization. Provisioning creates the account and adds it to the org with your configured default role; deprovisioning removes org access and revokes sessions. The full deactivation-to-session-revocation path completes in seconds, not on a delayed batch job.

IdP actionNylas behavior
POST /scim/v2/UsersCreates the user, adds them to the org with the default role, and marks them provisioned by SCIM.
PATCH with active: falseSets the user inactive, soft-deletes org membership, and revokes all active sessions immediately.
PATCH with active: trueRestores org membership with the previous role.
DELETE /scim/v2/Users/{id}Removes org access and revokes sessions, same as deactivation.
GET /scim/v2/UsersLists users scoped to the token’s organization, with filter and pagination support.

SCIM-provisioned users show a Managed by SSO badge on the organization Members page. Nylas maps 4 fields from each SCIM user to the member record: userName becomes the email address (lowercased), name.givenName the first name, name.familyName the last name, and the SCIM id is stored as the external ID for reconciliation.

The Nylas SCIM server implements the RFC 7644 User resource and the ServiceProviderConfig discovery endpoint. It supports full user lifecycle management, filtering by userName, and pagination. Group provisioning is not available, so map IdP groups to Dashboard roles through SAML group-to-role mapping instead.

CapabilitySupported
Create, read, replace, update, delete usersYes
Filter by userName eq "[email protected]"Yes
Pagination with startIndex and countYes
ServiceProviderConfig discoveryYes
Group provisioning (/scim/v2/Groups)No
Bulk operationsNo
changePasswordNo

Nylas rate-limits SCIM requests per organization to 200 read and 60 write requests per minute. Most IdP sync cycles stay well under these limits; if you hit them during a large initial import, the IdP retries on its next cycle.

Google Workspace does not expose a native SCIM client for custom SAML applications, so it cannot push provisioning events to Nylas directly. The 2 providers with native SCIM support in this guide, Okta and Microsoft Entra ID, can broker Google Workspace, or you can rely on SAML for onboarding.

  • Rely on SAML JIT provisioning. With just-in-time provisioning enabled, a user’s Dashboard account is created on their first SAML login. This covers onboarding, but it does not deprovision users automatically when they leave.
  • Broker through Okta or Entra ID. Some organizations federate Google Workspace into Okta or Microsoft Entra ID and run SCIM from there, which restores automatic deprovisioning.

For onboarding-only automation, JIT provisioning in the Manage user access step is the simplest path for Google Workspace.

Most SCIM issues trace back to the bearer token, the base URL, or a user who already exists in the org through another path. Use the table below to map a symptom to a fix. A 401 almost always means the token is wrong or revoked, and a 409 means the user is already a member. If a large initial import stalls, remember the endpoint caps writes at 60 requests per minute per organization and the IdP retries on its next cycle.

SymptomLikely causeWhat to do
IdP returns 401 UnauthorizedToken is invalid, revoked, or mistypedGenerate a new token in the Provisioning step and update the secret in your IdP. Confirm there is no trailing space.
Test connection fails in the IdPWrong base URLCopy the SCIM base URL from the Provisioning step exactly. It ends in /scim/v2 with no trailing slash.
409 conflict when creating a userThe user is already in the org through an invite or SAML loginRemove the existing member first, or let them link via SAML login instead of provisioning through SCIM.
User deactivated in the IdP but still sees dataThe browser has a cached pageDeactivation revokes server-side sessions immediately; the client shows an error on the next request or page refresh.
Filter query returns nothingUnsupported filter expressionOnly userName eq "..." is supported. Requests with other filter attributes return 400.
Provisioning step is not visibleThe feature is not enabled for the orgSCIM is an enterprise feature. Contact your customer success partner to enable it.
  • Configure SAML SSO: Complete domain verification and IdP setup, the prerequisites for SCIM.
  • Custom SAML: Reference for service provider values and required attributes.
  • Troubleshooting: Fix common SAML setup and login errors.