Set up automatic user provisioning with SCIM
Private preview
Automatically provision and deprovision team members who are assigned access to Stripe from your Identity Provider (IdP).
By default, when you set up Single Sign-On with SAML, users are provisioned Just-In-Time (JIT) the first time they sign in to Stripe from your IdP. With SCIM, you can automatically provision team members in Stripe even before they sign in, and deprovision them on demand when they should no longer have access to Stripe.
Stripe adheres to the SCIM 2.0 protocol, and only supports the following capabilities in private preview:
- Provision a user (not groups) to Stripe (POST /scim/v2/Users)
- Retrieve a user from Stripe (GET /scim/v2/Users/<user_id>)
- Update a user in Stripe (GET /scim/v2/Users/<user_id>)
- List all users in Stripe (GET /scim/v2/Users)
- Deprovision a user from Stripe (DELETE /scim/Users/<user_id>)
How it works 
When you enable SCIM provisioning, Stripe stops Just-In-Time (JIT) provisioning for new users, and starts provisioning users based on requests to Stripe’s SCIM endpoint using your account or organization’s SCIM API key. Existing users continue to have access to Stripe.
While SCIM handles provisioning for team members, their roles are still managed independently through SAML, based on attribute statements passed by your IdP during login. When a user is provisioned through SCIM, they aren’t assigned any permissions until the user signs in.
When your IdP or SCIM client provisions new team members to Stripe, they automatically appear in your list of team members under Settings > Team and Security > Team. When your IdP or SCIM client deprovisions team members, their access is immediately revoked, and they’re removed from your list of team members. If a team member who is deprovisioned is currently in the Dashboard, they are automatically logged out, and unable to access Stripe. If your accounts belong to an organization, you must configure both SSO and SCIM provisioning from your organization. You can’t configure SSO or SCIM for individual accounts in an organization.
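A reconciliation check for the point above that existing users keep their access once SCIM is enabled, as an added example that is not Stripe's code: it compares the users returned by GET /scim/v2/Users with the team members currently assigned in your IdP. It assumes the response is a standard SCIM 2.0 ListResponse whose userName holds the user's email; the sample response, user ids and key placeholder are constructed.

```python
import json
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def list_users_request(base_url, api_key):
    """Build (but do not send) GET <base_url>/Users with the SCIM API key as bearer token."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/Users", method="GET",
        headers={"Authorization": "Bearer " + api_key, "Accept": "application/scim+json"})

def parse_users(body):
    """Map lower-cased userName -> SCIM id from a SCIM 2.0 ListResponse body."""
    doc = json.loads(body)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = {r["userName"].lower(): r["id"] for r in doc.get("Resources", [])}
    # A truncated page would hide accounts that should be deprovisioned.
    if len(users) < doc.get("totalResults", len(users)):
        raise ValueError("partial page: fetch the remaining pages before reconciling")
    return users

def reconcile(idp_assigned, scim_users):
    """Return (ids present in Stripe but unassigned in the IdP, emails not yet provisioned)."""
    wanted = {email.lower() for email in idp_assigned}
    orphaned = sorted(uid for name, uid in scim_users.items() if name not in wanted)
    missing = sorted(wanted - set(scim_users))
    return orphaned, missing

# Constructed sample data (assumption: userName carries the email address).
SAMPLE_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"id": "usr_example_1", "userName": "alice@example.com"},
        {"id": "usr_example_2", "userName": "bob@example.com"},
        {"id": "usr_example_3", "userName": "carol@example.com"},
    ],
})
SAMPLE_IDP = ["Alice@Example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    req = list_users_request("https://api.stripe.com/scim/v2", "SCIM_API_KEY_PLACEHOLDER")
    print(req.get_method(), req.full_url)
    orphaned, missing = reconcile(SAMPLE_IDP, parse_users(SAMPLE_RESPONSE))
    print("in Stripe but not assigned in IdP:", orphaned)
    print("assigned in IdP but not provisioned:", missing)
```

Accounts in the first list are candidates for deprovisioning through your IdP or SCIM client; userName is compared case-insensitively because SCIM defines it that way.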
Before you begin
Before you can enable SCIM provisioning, you must first enable Single Sign-On.
Enable SCIM provisioning 
To enable SCIM provisioning in your account or organization:
- Navigate to Settings > Team and Security > SCIM provisioning.
- Click Enable.
- Copy your SCIM endpoint URL and SCIM API key to your IdP or SCIM client.
If you’re configuring SCIM provisioning from Okta as your IdP:
- Open your Stripe application.
- Click on the Provisioning tab. Under Settings, click Integration and Edit.
- For SCIM connector base URL, add https://api.stripe.com/scim/v2 as the value.
- For Unique identifier field for users, add email as the value.
- For Supported provisioning actions, select:
  - Push New Users
  - Push Profile Updates
- For Authentication Mode, select HTTP Header.
- For Authorization, paste your SCIM API key as the bearer token.
- Click Save.
- Under the Settings > To App tab, click Edit and enable:
  - Create Users
  - Deactivate Users
Disable SCIM provisioning 
To disable SCIM provisioning:
- Navigate to Settings > Team and Security > SCIM provisioning.
- Click Disable.
Rotate a SCIM API key 
To rotate your SCIM API key:
- Navigate to Settings > Team and Security > SCIM provisioning.
- Next to your SCIM API key, click the icon to rotate your API key.