How provisioning works in MCP Manager
MCP Manager is the SCIM service provider (the target): your IdP pushes changes to a SCIM endpoint that MCP Manager hosts for your workspace, authenticating every request with a bearer token issued specifically for your workspace. We provide both the endpoint and the token during onboarding. SCIM provisioning is independent of, but complementary to, single sign-on. SSO controls how people sign in; SCIM controls how their accounts and team membership are created and kept current. Most enterprise customers enable both: SCIM provisions users and their teams ahead of time, and SSO signs them in. They are configured as two separate applications in your IdP — the OIDC application for sign-in and the SCIM application for provisioning — each with its own assignment list.How users and teams stay in sync
After the initial setup, MCP Manager keeps users and team membership aligned with your IdP. The behaviors below define what happens through the user lifecycle.- Your IdP is the source of truth. Fields and team memberships that SCIM manages are owned by your IdP. In MCP Manager, those controls are locked, with the message: “This value is managed by an external identity provider (SCIM). To change it, update the user in your IdP — the change will sync back into MCP Manager on the next push.” To change a managed value, change it in your IdP.
- SCIM takes precedence. An administrator can still add a user to a SCIM-managed team manually — useful for granting immediate access — but the next push from your IdP reconciles membership to what the IdP says. Manual additions that the IdP does not reflect are overwritten on sync; team memberships an administrator created outside of SCIM (on teams not driven by a mapped group) are left untouched.
- Deactivation is a soft deactivation. When your IdP deactivates a user (or sends a delete), MCP Manager marks the account inactive and ends its workspace membership — but retains the user record so your audit history stays intact: every logged action keeps pointing at the real person who performed it, even after they leave. Re-activating the user in your IdP restores the account and re-applies their group-derived team membership.
- Deprovisioning is scoped to your managed domain. SCIM only manages the users your IdP provisions. Accounts that were added by other means — for example, a user on a different email domain, or a manually created account — are not deactivated by SCIM. Remove those manually if you no longer want them.
- SSO without SCIM still grants entry, not access. A user on a registered SSO domain who signs in before SCIM provisions them is created just-in-time and can sign in, but receives no team-based access until SCIM (or an administrator) places them on a team. See First sign-in and access.
Connect your IdP
Enabling SCIM is an assisted step. We turn it on for your workspace and issue the credentials; you connect your IdP.Add a SCIM application in your IdP
MCP Manager SCIM. You can leave the sign-in defaults as they are — this application is used only for provisioning, not for login.We enable SCIM and issue your credentials
Enter the base URL and token, then test
scim-test@yourcompany.com, never a real employee’s. After activation, a deactivated test user may remain visible in MCP Manager; it is safe to ignore or remove.Enable the provisioning actions
Hide the SCIM application from users
Assign users and map groups to teams
Once the connector is live, you choose who gets provisioned and which groups become teams. Assigning and pushing happen in your IdP; mapping happens in MCP Manager.Assign users to the SCIM application
Push the groups you want to become teams
Open the SSO / SCIM settings page
Create matching teams, or map to existing ones
Supported SCIM operations
MCP Manager implements the SCIM 2.0 protocol for users and groups, with the standard discovery endpoints (ServiceProviderConfig, ResourceTypes, and Schemas) so your IdP can negotiate capabilities automatically. The behaviors and limits below define what your IdP can rely on.
- Users. Create, fetch, list, update (
PUTandPATCH), and deactivate. Deactivating a user (active: falseor a delete) is a soft deactivation, as described in How users and teams stay in sync. Creating a user that already exists returns a conflict that points your IdP at the existing record, so retries are safe. - Groups. Create, fetch, list, update, and member add/remove. Group membership changes are translated into MCP Manager team membership through the mappings you configure.
- Filtering and paging. List requests support a simple
attribute eq "value"filter (for example, onuserName). Results are paginated, and a single page returns at most 500 records; larger requests are clamped to that ceiling. - Not supported. Bulk operations, sorting, ETag concurrency control, password change, and complex filter expressions are not supported. Requests that depend on them are rejected.
- Isolation and security. Each workspace’s SCIM endpoint is authenticated by its own bearer token, the token is stored encrypted, and every request is scoped to that workspace — one workspace’s token cannot read or change another workspace’s users or groups. SCIM activity is logged for auditing.
Troubleshooting
The connector test fails to authenticate
The connector test fails to authenticate
Users provisioned, but they have no access in MCP Manager
Users provisioned, but they have no access in MCP Manager
A pushed group did not become a team
A pushed group did not become a team
A user changed in the IdP but a field is locked in MCP Manager
A user changed in the IdP but a field is locked in MCP Manager
A deactivated user still appears
A deactivated user still appears
Frequently asked questions
Can SCIM assign roles?
Can SCIM assign roles?
Why can't I see the SSO / SCIM settings page?
Why can't I see the SSO / SCIM settings page?

