
Set up SCIM provisioning (Public preview)

Automatically provision and deprovision team members who are assigned access to Stripe from your Identity Provider (IdP).

By default, when you set up Single Sign-On with SAML, users are provisioned Just-In-Time (JIT) the first time they sign in to Stripe from your IdP. With SCIM, you can automatically provision team members in Stripe even before they sign in, and deprovision them on-demand when they should no longer have access to Stripe.

Stripe adheres to the SCIM 2.0 protocol, and only supports the following capabilities in public preview:

Users

  • Provision a user (not groups) to Stripe (POST /scim/v2/Users)
  • Retrieve a user from Stripe (GET /scim/v2/Users/<user_id>)
  • Update a user in Stripe (PUT /scim/v2/Users/<user_id> or PATCH /scim/v2/Users/<user_id>)
  • List all users in Stripe (GET /scim/v2/Users)
  • Deprovision a user from Stripe (DELETE /scim/v2/Users/<user_id>)

Behavior specific to Stripe

  • Stripe doesn’t support email updates. If you need to update the user’s email you need to re-provision the user with a new email.
  • We use the user’s email as a unique identifier for them.
  • Both user deactivation (PATCH to set active to false) and deletion (DELETE) result in deleting the user from the Stripe account.
  • The following user attributes are handled by Stripe: id, userName, displayName, active, meta. Stripe doesn’t handle other user attributes, so you don’t need to pass them in SCIM requests.
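The user behaviour above can be turned into a reconciliation plan. This is an added example, not code from Stripe: it only builds the list of SCIM calls and sends nothing. It assumes userName carries the email address, that emails compare case-insensitively, and a simplified input shape for the user list; `plan_user_sync` and `user_body` are hypothetical names.

```python
# Added example (not Stripe code): plan the SCIM calls that bring Stripe's
# user list in line with the IdP's assignments, without sending anything.
SCIM_PREFIX = "/scim/v2"  # path prefix from the endpoints listed above
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM 2.0 core schema


def user_body(email, display_name):
    # Only attributes the page says Stripe handles; id and meta are set by the
    # server. Assumption: userName carries the email address.
    return {"schemas": [USER_SCHEMA], "userName": email,
            "displayName": display_name, "active": True}


def plan_user_sync(idp_users, stripe_users):
    """Return an ordered list of (method, path, body) SCIM operations.

    idp_users:    {email: display_name} for people assigned Stripe in the IdP.
    stripe_users: {email: {"id": ..., "displayName": ...}}, a simplified view
                  of what GET /scim/v2/Users returned (constructed shape).
    """
    # Assumption: emails compare case-insensitively, so a case difference is
    # not mistaken for a different person and deprovisioned.
    wanted = {e.strip().lower(): n for e, n in idp_users.items()}
    current = {e.strip().lower(): u for e, u in stripe_users.items()}
    ops = []
    # Deprovision first: revoking access is the time-critical step.
    for email in sorted(current.keys() - wanted.keys()):
        ops.append(("DELETE", f"{SCIM_PREFIX}/Users/{current[email]['id']}", None))
    # An email change shows up as DELETE (old address) plus POST (new one),
    # because Stripe does not accept email updates.
    for email in sorted(wanted.keys() - current.keys()):
        ops.append(("POST", f"{SCIM_PREFIX}/Users", user_body(email, wanted[email])))
    # Same email, different display name: an in-place update is enough.
    for email in sorted(wanted.keys() & current.keys()):
        user = current[email]
        if user["displayName"] != wanted[email]:
            ops.append(("PUT", f"{SCIM_PREFIX}/Users/{user['id']}",
                        user_body(email, wanted[email])))
    return ops
```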

Groups

  • Provision a group to Stripe (POST /scim/v2/Groups)
  • Retrieve a group from Stripe (GET /scim/v2/Groups/<group_id>)
  • Update a group in Stripe (PUT /scim/v2/Groups/<group_id> or PATCH /scim/v2/Groups/<group_id>)
  • List all groups in Stripe (GET /scim/v2/Groups)
  • Deprovision a group from Stripe (DELETE /scim/v2/Groups/<group_id>)

Behavior specific to Stripe

  • We don’t support group name updates. If you need to rename a group you need to re-provision it with a new name.

How it works

When you enable SCIM provisioning, Stripe provisions users and groups based on requests to the Stripe SCIM endpoint, using the SCIM API key of your account or organisation. Existing users continue to have access to Stripe.

While SCIM handles provisioning for team members and groups, their roles are still managed independently through SAML in attribute statements passed by your IdP during login or in the Dashboard, based on your configuration for role assignment.

When your IdP or SCIM client provisions new team members to Stripe, they automatically display in your list of team members under Settings > Team and Security > Team. When your IdP or SCIM client deprovisions team members, we immediately revoke their access and remove them from your list of team members. Deprovisioned team members are automatically logged out of the Dashboard and can’t access Stripe. If your accounts belong to an organisation, you must configure both SSO and SCIM provisioning from your organisation. You can’t configure SSO or SCIM for individual accounts in an organisation.

When you provision a user through SCIM, and you configure role assignment to apply through SAML, the user isn’t assigned any permission until they sign on.

When you provision a group through SCIM, SAML role assignment is disabled. SCIM-based group sync synchronises group membership of users to Stripe, and Stripe enables you to assign a role to a synced group in the Stripe Dashboard. All members of the group then inherit this role.

You can’t assign a user a role through both SCIM and SAML. If you assign a role to a group that you sync through SCIM, the SAML group assertion is ignored if it was received in the federating entity SAML.

Hybrid configurations

If you assign a role through group membership synced with SCIM to a user who authenticates through SSO and already has roles assigned through the Dashboard, Stripe considers the roles to be in union. You can’t assign a role to a user through both SAML and a SCIM-synced group. Use this guide to switch from SAML-based role assignment to group-based role assignment with SCIM. Contact Support if you need to switch back to the older SAML-based role assignment.

Before you begin

Before you can enable SCIM provisioning, you must first enable Single Sign-On. You can only enable SCIM provisioning in live mode accounts or organisations.

Enable SCIM provisioning

To enable SCIM provisioning in your account or organisation:

  1. From the Team and security settings page, go to SCIM provisioning and click Enable.
  2. Copy your SCIM endpoint URL and SCIM API key to your IdP or SCIM client.

Limitations

Rate limits

We use two types of rate limits:

  • Rate limit by the number of group memberships modified per second, and per account or organisation.
    • Don’t modify more than 100 group memberships per second, per account or organisation. We support bursts for up to 500 group membership modifications per second, but continuous traffic of 500 group membership modifications per second results in SCIM APIs returning a 429 status code.
  • Rate limit by number of API requests per second.
    • Learn more about how the Stripe API uses rate limits to restrict the number of API requests per second.
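A SCIM client that pushes groups itself can pace its writes against the membership limit. This is an added example, not code from Stripe: a token bucket counted in membership changes rather than requests, since one group update can change many memberships. Treating the 100 and 500 figures as refill rate and bucket size is an interpretation of the limit, and `MembershipThrottle`, `batches` and `backoff_after` are hypothetical names.

```python
import time


class MembershipThrottle:
    """Client-side token bucket counted in group-membership changes.

    Refills at `rate` changes per second and holds at most `burst`, matching
    the page's 100/s sustained and 500/s burst figures (an interpretation;
    the page does not say how Stripe measures the limit server-side).
    """

    def __init__(self, rate=100, burst=500, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def reserve(self, changes):
        """Book `changes` modifications; return seconds to sleep before sending."""
        if changes > self.burst:
            raise ValueError("split the request: it exceeds the burst size")
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= changes  # may go negative; the debt is repaid by waiting
        return max(0.0, -self.tokens / self.rate)


def batches(member_ids, size=100):
    """Split one large membership change into requests of at most `size`."""
    return [member_ids[i:i + size] for i in range(0, len(member_ids), size)]


def backoff_after(status, attempt, base=1.0, cap=60.0):
    """Delay before retrying a 429; None for any other status (no retry)."""
    if status != 429:
        return None
    # Assumption: plain exponential backoff with a cap.
    return min(cap, base * 2 ** attempt)
```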

Scale limits

250 groups can be synced per organisation.

Configure in Okta

If you’re configuring SCIM provisioning from Okta as your IdP:

  1. Open your Stripe application.
  2. Click the General tab. Edit your App Settings and click Enable SCIM provisioning.
  3. Click the Provisioning tab. Under Settings, click Integration and Edit.
  4. For SCIM connector base URL, enter https://access.stripe.com/scim/v2.
  5. For Unique identifier field for users, add email as the value.
  6. For Supported provisioning actions, select:
    • Push New Users
    • Push Profile Updates
    • Push Groups. Take note of the feature limitation when determining the groups you want to push to Stripe through SCIM.
  7. For Authentication Mode, select HTTP Header.
  8. For Authorisation, enter your SCIM API key as the bearer token.
  9. Click Save.
  10. Under the Settings > To App tab, click Edit and enable the following:
    • Create Users
    • Deactivate Users

Configure in Entra ID

If you’re configuring SCIM provisioning from Entra ID as your IdP:

  1. Open your Stripe application under Enterprise applications.
  2. Click Provisioning > Connect your application.
  3. For Tenant URL, enter https://access.stripe.com/scim/v2.
  4. For Secret token, enter your SCIM API key.
  5. Click Test connection > Create.

Provisioning delay

Entra ID has a fixed automatic provisioning interval of 40 minutes.

Configure in Ping IDP

If you’re provisioning users from PingOne Identity into Stripe using SCIM:

  1. In the PingOne admin console, go to Integrations > Provisioning.
  2. Click New Connection.
  3. On the Identity Store line, click Select.
  4. Select the SCIM Outbound tile, and click Next.
  5. Enter a Name and Description, and click Next.
  6. In the Configure Authentication section, enter the value for the following fields:
    • SCIM Base URL: https://access.stripe.com/scim/v2.
    • Authentication Method: Choose OAuth 2 Bearer Token and set the Auth Type to Bearer.
  7. Click Test connection to verify that PingOne can establish a connection to the SCIM resource.

Disable SCIM provisioning

To disable SCIM provisioning:

  1. From the Team and security settings page, go to SCIM provisioning.
  2. Click Disable. This automatically deletes your SCIM API key.

Rotate a SCIM API key

To rotate your SCIM API key:

  1. From the Developers menu, go to API keys.
    • If you’re managing an organisation, go to Organisations API keys.
  2. Next to your SCIM API key, click the overflow menu and select Rotate key.