Provisioning users and groups from your identity provider to DevRev minimizes the need for manual addition of each employee or group, reducing administrative errors, saving time, and lowering costs. DevRev supports SCIM 2.0 with both Okta and Microsoft Entra ID (Azure AD). If you use the Okta integration to import Okta identity data as DevRev objects, see the Okta AirSync Connector instead. For importing Azure Entra ID directory data (users, groups, roles, devices, audit logs) into DevRev, see the Azure Entra ID AirSync Connector instead.
Push new users
Automatically adds newly created users in your identity provider to DevRev.
Push profile updates
Seamlessly syncs profile changes from your identity provider to DevRev.
Push user deactivation
Deactivation or removal of a user in your identity provider disables that user in DevRev. A disabled user cannot log in, but their work assignments and history are preserved in the workspace.
Push groups
Automatically reflects groups created or updated in your identity provider to DevRev. Roles are configured in DevRev and can be assigned to the synced groups, so access is automatically controlled through your identity provider's group membership.
Obtain admin access to your identity provider (Okta or Microsoft Entra ID).
Obtain admin access to the respective workspace in DevRev.
Ensure SSO is enabled for the workspace. For details, see External identity provider setup.
📝 Note: Users provisioned through SCIM are created in a Shadow state: they have a record in the workspace but stay inactive until their first successful login, which activates the account. To review them, go to Settings > Users.
This step is the same regardless of which identity provider you use.
In DevRev, go to Settings > Security.
Enable SCIM.
Copy both the SCIM Base URL and the API token displayed on the page - you will need both values when configuring your identity provider.
📝 Note: The API token is only displayed once. If the token is lost, disable and re-enable SCIM to generate a new one.
Log in to Okta as an admin and go to Applications > Applications.
Select DevRev SSO/SCIM App or SCIM 2.0 Test App from the catalog.
Enter a valid app name (for example, DevRev) and the connection name configured while setting up SSO. This connection name is your DEV_ORG_SLUG, which you set during SSO configuration. Click Done.
Add the integration and configure the basic details. Click Done.
Set the application username format to Email. This value is treated as the userName in DevRev.
Under the Provisioning tab, click Configure API Integration, enable it, then click Save.
Paste the SCIM Base URL and API token (copied from DevRev in the earlier step) into the corresponding fields in Okta. Test the API credentials and click Save on success.
Enable the following options for syncing to the application in Okta:
Create Users
Update User Attributes
Deactivate Users
The following fields are supported for the Okta-to-DevRev sync. Remove any others by clicking the cross button next to them.
userName (mapped from Okta email)
givenName (first name)
familyName (last name)
displayName
email
active (used for deactivation)
Once SCIM is configured, DevRev stops sending email invitations to new members. Users are provisioned automatically through Okta instead.
📝 Note: DevRev uses userName as the source of truth and as a unique identifier within the workspace. If a user's email is updated in DevRev, that change reflects as a userName change in Okta - always update both the email and userName simultaneously in Okta to keep them in sync. DevRev treats displayName as a user preference: it is synced on initial user creation, but subsequent updates from Okta do not override it, so users can keep their preferred display names.
Select the Assignments tab.
Choose the Assign drop-down menu and select Assign to People.
Enter the name of the user you want to send to DevRev in the Search… box.
Select Assign.
Enter additional user details if needed, then select Save and Go Back.
⚠️ Warning: DevRev enforces a unique constraint on group names—no two groups can share the same name. Click Refresh App Groups before pushing a new group to check whether the group already exists in DevRev and prevent errors.
Group import from DevRev into Okta is not supported: you can only push groups from Okta to DevRev, not pull them in the reverse direction.
Navigate to the top of the application page and select Push Groups > Push Groups.
Enter the group name in the Enter a group to push... box and select it.
Select Save.
The provisioned group is created in DevRev with its associated members. To locate it, go to Settings > Groups.
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Navigate to Identity > Applications > Enterprise applications.
Click + New application, then select Create your own application.
Enter a name (for example, "DevRev SCIM") and select Integrate any other application you don't find in the gallery (Non-gallery). Click Create.
In the enterprise application you just created, go to Provisioning and click Get started.
Set the Provisioning Mode to Automatic.
Under Admin Credentials, enter the values you copied from Settings > Security in DevRev:
Tenant URL: The SCIM Base URL.
Secret Token: The API token.
Click Test Connection to verify that Entra ID can connect to the DevRev SCIM endpoint. On success, click Save.
DevRev's SCIM endpoint supports a limited set of attributes. You must remove unsupported default mappings to avoid provisioning errors (HTTP 400).
Under Provisioning > Mappings, click Provision Microsoft Entra ID Users.
Keep only the following attribute mappings and delete all others (including title, mailNickname, email type, and any extension attributes):
| Microsoft Entra ID attribute | SCIM attribute | Notes |
|---|---|---|
| | | Source must be |
| | | First name |
| | | Last name |
| | | Synced on initial creation only |
| | | Primary email |
| | | Controls user activation/deactivation |
Important: The title attribute is not supported by DevRev's SCIM endpoint and will cause 400 errors if included. The email type attribute must also be removed.
Click Save.
(Optional) Under Provision Microsoft Entra ID Groups, configure group provisioning if needed. The same attribute constraints apply - keep only displayName and members.
Return to the Provisioning overview page.
Click Start provisioning to begin the initial sync cycle.
Monitor progress under Provisioning logs to confirm users and groups are being created successfully.
Once provisioning is active, users assigned to the enterprise application (directly or via group assignment) are automatically provisioned to DevRev.
In the enterprise application, go to Users and groups.
Click + Add user/group.
Select the users or groups you want to provision to DevRev.
Click Assign.
SCIM provisions users and groups from Entra ID into DevRev. Roles are configured in DevRev and can be assigned to the synced groups, so access is automatically controlled through Entra ID group membership.
⚠️ Warning: DevRev enforces a unique constraint on group names - no two groups can share the same name. Verify that no group with the same name already exists in DevRev before assigning it for provisioning.
Group import from DevRev into Entra ID is not supported: you can only push groups from Entra ID to DevRev, not pull them in the reverse direction.
Issue: API credentials test fails when configuring the integration.
Solution: Verify that you copied the correct SCIM Base URL and API token from Settings > Security in DevRev and that SCIM is enabled. Tokens are only displayed once; if the token is lost, disable and re-enable SCIM to generate a new one.
Issue: A user provisioned via SCIM does not appear as active in DevRev.
Solution: This is expected behavior. Provisioned users start in a Shadow state and become active only after their first login. Check Settings > Users to confirm the user was provisioned successfully.
Issue: Pushing a group fails with a name conflict error.
Solution: A group with the same name may already exist in DevRev. In Okta, click Refresh App Groups before pushing. In Entra ID, check DevRev's Settings > Groups for conflicts.
Issue: A user's email update in DevRev causes a mismatch with Okta.
Solution: DevRev uses userName as the unique identifier. When updating a user's email, update both the email and userName fields simultaneously in Okta to keep the two systems in sync.
Issue: Provisioning fails with HTTP 400 errors.
Solution: This is typically caused by unsupported attribute mappings. Remove the title attribute and email type from the provisioning mappings. Only the attributes listed in the attribute mapping table above are supported. After removing unsupported attributes, generate a new token/URL from DevRev and restart provisioning with the cleaned mappings.
Issue: PATCH requests for user updates are failing.
Solution: Verify that no unsupported attributes are included in the update payload. Since Microsoft Entra ID may cache removed attribute mappings, you must restart the provisioning cycle after making mapping changes. Check the Entra ID provisioning logs for the specific attribute causing the failure.
Issue: Users are updated in DevRev but not added to groups.
Solution: Ensure that group provisioning is enabled under Provisioning > Mappings > Provision Microsoft Entra ID Groups and that the groups are assigned to the enterprise application.
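Added example (not DevRev's or the identity provider's code): a pre-flight check for the HTTP 400 and PATCH issues above that lists the attributes in a SCIM User or PatchOp body falling outside the supported set. The mapping of the page's field list onto RFC 7643 paths, the acceptance of emails.primary, and the function names are assumptions.

```python
import re

# Assumption: the page's supported fields mapped onto RFC 7643 core User paths.
SUPPORTED = {"userName", "name.givenName", "name.familyName",
             "displayName", "emails.value", "emails.primary", "active"}
STRUCTURAL = {"schemas", "id", "meta"}  # SCIM envelope, not attribute mappings
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def leaf_paths(value, prefix=""):
    """Yield the dotted path of every leaf in a SCIM value (lists are transparent)."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for item in value:
            yield from leaf_paths(item, prefix)
    else:
        yield prefix


def unsupported_attributes(body):
    """Return sorted attribute paths in a User or PatchOp body not in SUPPORTED."""
    if PATCH_OP in body.get("schemas", []):
        paths = []
        for op in body.get("Operations", []):
            # Drop value filters: emails[type eq "work"].value -> emails.value
            base = re.sub(r"\[[^\]]*\]", "", op.get("path", ""))
            paths.extend(leaf_paths(op.get("value"), base))
    else:
        paths = list(leaf_paths(body))
    bad = {p for p in paths if p and p.split(".")[0] not in STRUCTURAL}
    return sorted(bad - SUPPORTED)


# Constructed sample bodies (not captured traffic).
create_user = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "displayName": "Ada Lovelace",
    "title": "Engineer",
    "emails": [{"value": "ada@example.com", "type": "work", "primary": True}],
    "active": True,
}
patch_user = {"schemas": [PATCH_OP], "Operations": [
    {"op": "replace", "path": "title", "value": "Staff Engineer"},
    {"op": "replace", "value": {"active": False}}]}

if __name__ == "__main__":
    print(unsupported_attributes(create_user), unsupported_attributes(patch_user))
```

Run it against a request body copied from the identity provider's provisioning log; any path it returns points at a mapping to delete before restarting provisioning.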