Set up automatic user provisioning with SCIMPublic preview

By default, when you set up Single Sign-On with SAML, users are provisioned Just-In-Time (JIT) the first time they sign into Stripe from your IdP. With SCIM, you can automatically provision team members in Stripe even before they sign in, and deprovision them on-demand when they should no longer have access to Stripe.

Stripe adheres to the SCIM 2.0 protocol, and only supports the following capabilities in private preview:

• Provision a user (not groups) to Stripe (POST /scim/v2/Users)
• Retrieve a user from Stripe (GET /scim/v2/Users/<user_id>)
• Update a user in Stripe (PUT /scim/v2/Users/<user_id> or PATCH /scim/v2/Users/<user_id>)
• List all users in Stripe (GET /scim/v2/Users)
• Deprovision a user from Stripe (DELETE /scim/Users/<user_id>)

How it works

When you enable SCIM provisioning, Stripe provisions users based on requests to the Stripe SCIM endpoint, using your account’s or organization’s SCIM API key. Existing users continue to have access to Stripe.

While SCIM handles provisioning for team members, their roles are still managed independently through SAML, based on attribute statements passed by your IdP during login. When a user is provisioned through SCIM, they aren’t assigned any permissions until the user signs in.

When your IdP or SCIM client provisions new team members to Stripe, they automatically appear in your list of team members under Settings > Team and Security > Team. When your IdP or SCIM client deprovisions team members, their access is immediately revoked and they’re removed from your list of team members. Deprovisioned team members are automatically logged out of the Dashboard and unable to access Stripe. If your accounts belong to an organization, you must configure both SSO and SCIM provisioning from your organization. You can’t configure SSO or SCIM for individual accounts in an organization.

Before you begin

Before you can enable SCIM provisioning, you must first enable Single Sign-On.

Enable SCIM provisioning

To enable SCIM provisioning in your account or organization:

1. From the Team and security settings page, go to SCIM provisioning and click Enable.
2. Copy your SCIM endpoint URL and SCIM API key to your IdP or SCIM client.

Configure in Okta

If you’re configuring SCIM provisioning from Okta as your IdP:

1. Open your Stripe application.
2. Click on the General tab. Edit your App Settings and click Enable SCIM provisioning.
3. Click on the Provisioning tab. Under Settings, click Integration and Edit.
4. For SCIM connector base URL, enter https://access.stripe.com/scim/v2.
5. For Unique identifier field for users, add email as the value.
6. For Supported provisioning actions, select:
   • Push New Users
   • Push Profile Updates
7. For Authentication Mode, select HTTP Header.
8. For Authorization, enter your SCIM API key as the bearer token.
9. Click Save.
10. Under the Settings > To App tab, click Edit and enable the following:
    • Create Users
    • Deactivate Users

Configure in Entra ID

If you’re configuring SCIM provisioning from Entra ID as your IdP:

1. Open your Stripe application under Enterprise applications.
2. Click on Provisioning and Connect your application.
3. For Tenant URL, enter https://access.stripe.com/scim/v2.
4. For Secret token, enter your SCIM API key.
5. Click Test connection, and then click Create.

Disable SCIM provisioning

To disable SCIM provisioning:

1. From the Team and security settings page, go to SCIM provisioning.
2. Click Disable. Your SCIM API key is automatically deleted.

Rotate a SCIM API key

To rotate your SCIM API key:

1. From the Developers menu, go to API keys.
   • If you are managing an organization, go to Organizations API keys.
2. Next to your SCIM API key, click the overflow menu () and select Rotate key.