Integrations > Authentication and SSO
SCIM provisioning
Keep your user list in sync automatically
Section titled “Keep your user list in sync automatically”SCIM connects Tallyfy to your identity provider’s directory so member accounts stay in sync without anyone clicking around. When someone is added to the right group in Okta, Microsoft Entra ID, or OneLogin, they get a Tallyfy account. When they leave, their access is removed and the seat frees up. You turn it on under Settings > Organization > Security > SCIM, on any paid plan.
SCIM (System for Cross-domain Identity Management)1 is the standard most identity providers use to push directory changes to apps. SAML signs people in. SCIM manages who exists. They do different jobs, and for larger teams you’ll usually want both.
What you get
Section titled “What you get”- Hands-off onboarding - new hires land in Tallyfy as soon as your IdP assigns them, before they ever log in.
- Automatic deprovisioning - when HR offboards someone in your directory, their Tallyfy access is cut and the seat is returned. This is the big one for cost control: you stop paying for ex-employees. One enterprise customer flagged exactly this problem, paying for seats of people who’d already left because removal was manual.
- Role mapping - IdP group membership can decide each person’s Tallyfy role, so admins stay admins and the rest stay standard or light.
Turn on SCIM and get your credentials
Section titled “Turn on SCIM and get your credentials”Each organization gets its own SCIM Base URL and a bearer token. The token authenticates your IdP to Tallyfy, so treat it like a password.
- Go to Settings > Organization > Security > SCIM and switch SCIM on.
- Copy the Base URL. You’ll paste this into your IdP’s SCIM connector.
- Generate the bearer token. Tallyfy shows it once, right after you generate it, so copy it now and store it in a safe place. You can’t view it again later.
- In your identity provider, open the Tallyfy provisioning settings and paste the Base URL and the bearer token. Per-IdP steps live in the Okta, Microsoft Entra ID, and OneLogin guides.
- Test the connection from your IdP, then assign users or groups to start syncing.
Rotate or revoke the token
Section titled “Rotate or revoke the token”If a token is exposed, or an admin who set it up leaves, regenerate it. Regenerating immediately revokes the old token, so any IdP still using the old one stops syncing until you paste the new one in.
- On the SCIM panel, click Regenerate token. Tallyfy asks you to re-enter your password first (a step-up check).
- Copy the new token (shown once) and update it in your identity provider’s SCIM settings.
- Confirm the next sync from your IdP succeeds with the new token.
Map IdP groups to Tallyfy roles
Section titled “Map IdP groups to Tallyfy roles”You can drive each member’s Tallyfy role from their group in your identity provider. Tallyfy reads reserved group names: provision a group whose name matches the reserved name for a role, and members of that group get that role.
| Reserved group name | Tallyfy role |
|---|---|
tallyfy-admins | Administrator |
tallyfy-standard | Standard |
tallyfy-light | Light |
Name the groups in your IdP to match, then provision them through SCIM. People who aren’t in any mapped group get your connection’s default role. If you change someone’s group in your IdP, their Tallyfy role updates on the next sync.
How deactivation works
Section titled “How deactivation works”When your IdP sends a deactivation (the user is set inactive or unassigned), Tallyfy disables that member and releases their seat back into your pool. The account isn’t deleted, so their task history stays intact for the record. If the same person is reactivated in your directory later, the next sync re-enables them.
Troubleshooting
Section titled “Troubleshooting”Sync not working as expected? Check these:
- The bearer token in your IdP matches the current Tallyfy token. If you regenerated it, the old one no longer works.
- The Base URL is the exact one from your org’s SCIM panel.
- The user or group is actually assigned to the Tallyfy app in your IdP.
- For role mapping, the IdP group name matches a reserved name exactly, including the
tallyfy-prefix. - Your IdP’s provisioning logs show what it sent. Most providers expose a per-user provisioning status that names the failing attribute.
Related articles
Section titled “Related articles”Authentication > Integrate Okta SSO
Authentication > Integrate Microsoft Entra ID SSO
Authentication > Integrate OneLogin SSO
Footnotes
Section titled “Footnotes”-
SCIM is an open standard (RFC 7644) for automating user provisioning and deprovisioning between identity providers and apps. ↩
Was this helpful?
- 2026 Tallyfy, Inc.
- Privacy Policy
- Terms of Use
- Report Issue
- Trademarks