SCIM (System for Cross-domain Identity Management) lets you automatically manage your team's Pinpoint accounts directly from your identity provider — so when someone joins or leaves your organisation, their Pinpoint access is updated automatically, without any manual work.
What is SCIM provisioning?
SCIM is a standard protocol that connects your identity provider (such as Okta, Microsoft Entra, or OneLogin) to apps like Pinpoint. Once connected, your identity provider becomes the place where you control who has access to Pinpoint, what group they belong to, and when their access is removed.
Supported identity providers
Pinpoint's SCIM integration (v2) has been fully tested with:
Other identity providers that support SCIM v2 should also work.
What you can do with SCIM in Pinpoint
✅ Provision and deprovision users
Automatically create Pinpoint accounts when users are added in your identity provider, and remove access when they leave.
✅ Provision Access Groups
SCIM Groups from your identity provider are created as Access Groups in Pinpoint.
Note: After a group is created via SCIM, you'll need to manually configure its permissions, visibilities, and notification settings inside Pinpoint.
✅ Manage Access Group membership
Assign users to Access Groups via your identity provider. When you move a user to a different group, Pinpoint will automatically update their permissions and visibilities to match the new group's settings.
Important limitation: Each user can only belong to one Access Group at a time.
✅ Control external recruiter accounts
External recruiter accounts can be managed via SCIM in the same way as internal users.
What SCIM doesn't currently support
Feature | Status |
Managing individual user roles or visibilities directly | ❌ Not supported — roles and visibilities are set at the Access Group level |
Preventing manual changes inside Pinpoint | ❌ Not supported — SCIM is not enforced as the sole source of truth |
Assigning users to more than one Access Group | ❌ Not supported |
Just-in-time provisioning via SAML | ❌ Not supported |
Attribute mapping
When your identity provider sends user or group data to Pinpoint, here's how the fields map across:
Users
Identity Provider field | Pinpoint field |
| Work email address |
| Given name |
| Family name |
| Time zone |
Groups
Identity Provider field | Pinpoint field |
| Access Group display name |
Timezone formatting
If you're syncing timezone data, it must be a valid IANA time zone identifier (also known as a "tz database" value).
Examples of valid values:
Europe/LondonAmerica/Los_AngelesAustralia/Sydney
Microsoft Entra users: Entra doesn't store timezones in this format by default, so you may need to use an expression with a switch function to map your users' timezones to valid IANA identifiers.
SCIM and SAML: how they work together
Pinpoint supports both SCIM and SAML, and they serve different purposes:
| SCIM | SAML |
Purpose | Provisioning (creating/removing accounts and groups) | Authentication (logging in) |
You can use both together — for example, use SCIM to provision users and manage group membership, while using SAML for single sign-on.
Using a UPN with SAML? If a user has been assigned a UPN (User Principal Name) via SCIM, they can use that UPN to log in via SAML (ask your CS representative to enable this for you).
How the sync works
Once your identity provider is configured to send data to Pinpoint's SCIM endpoint, Pinpoint runs a secondary internal synchronisation job to apply any changes — creating, updating, or removing users and groups as needed.