# Identity & Provisioning Overview

> How SkillsDB handles user identity and automated provisioning through Single Sign-On and SCIM integration with your identity provider.

<Info>
  **Quick Summary:** SkillsDB separates authentication (who you are — handled by SSO) from provisioning (which user accounts exist and what they can do — handled by SCIM). Most customers configure both so users sign in with their corporate credentials and their accounts stay in sync with the identity provider automatically.
</Info>

## Overview

SkillsDB integrates with your identity provider (IdP) — such as Microsoft Entra ID (Azure AD), Okta, or OneLogin — through two independent mechanisms:

* **Single Sign-On (SSO)** lets users sign in to SkillsDB using their existing corporate credentials. SSO handles authentication at sign-in time only.
* **SCIM (System for Cross-domain Identity Management)** keeps SkillsDB user accounts in sync with your IdP automatically. SCIM handles account creation, attribute updates, group membership, and deactivation — everything that happens around the account, outside of sign-in.

You can configure SSO without SCIM (users sign in via SSO but their accounts are managed manually in SkillsDB), SCIM without SSO (accounts stay in sync automatically but users sign in with username and password), or both. Most customers configure both.

SCIM support in SkillsDB covers:

* User creation, updates, and deactivation driven by the IdP
* Group membership mapping to SkillsDB permission levels
* Manager hierarchy syncing via Entra's `enterprise_extension.manager` attribute
* Automatic career assignment when users are provisioned into specific groups
* An audit log of every provisioning event for compliance and troubleshooting

## How the SCIM pipeline works

SkillsDB receives SCIM events through Stytch, its authentication and identity platform. This layer handles the SCIM 2.0 protocol and forwards events to SkillsDB as signed webhooks.

```
Identity Provider (Entra, Okta, etc.)
        │
        │ SCIM 2.0
        ▼
      Stytch
        │
        │ Signed webhook
        ▼
     SkillsDB
```

For customers, this means:

* Configuration lives in the IdP and in the SkillsDB SSO & SCIM settings page — not in SkillsDB code or APIs
* SkillsDB does not expose a SCIM endpoint that customers integrate against directly
* Changes in the IdP appear in SkillsDB within one sync cycle
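
To make the IdP-to-Stytch leg of the pipeline concrete, the following added example (not SkillsDB or Stytch code) classifies SCIM 2.0 requests of the standard RFC 7644 shape into the provisioning events this page describes. The request bodies, user ids, group ids and the `classify` helper are constructed for illustration; only the `SkillsdbGlobalAdmins` group name comes from this documentation, and how Stytch and SkillsDB process these requests internally is not shown here.

```python
import re

PRIVILEGED_GROUPS = {"SkillsdbGlobalAdmins"}  # group name taken from this documentation
GROUPS = {"g-100": "SkillsdbGlobalAdmins", "g-200": "Engineering"}  # constructed ids

def _truthy(v):
    # Some IdPs send booleans as strings ("False"); accept both forms.
    return v if isinstance(v, bool) else str(v).strip().lower() == "true"

def classify(method, path, body, group_names):
    """Map one SCIM 2.0 request to a list of (event, subject) tuples."""
    resource, _, rid = path.strip("/").partition("/")
    if method == "POST" and resource == "Users":
        return [("user_created", body.get("userName"))]
    if method != "PATCH":
        return []
    events = []
    for op in body.get("Operations", []):
        verb = op.get("op", "").lower()  # "Add" and "add" both occur in practice
        target, value = op.get("path", ""), op.get("value")
        if resource == "Users" and verb in ("add", "replace"):
            # "active" arrives either as the path or as a key of a value object.
            if target == "active":
                active = value
            elif not target and isinstance(value, dict) and "active" in value:
                active = value["active"]
            else:
                continue
            if not _truthy(active):
                events.append(("user_deactivated", rid))
        elif resource == "Groups" and target.startswith("members"):
            # Member ids come in the value list or in a path filter.
            ids = [m["value"] for m in value] if isinstance(value, list) else []
            ids += re.findall(r'value eq "([^"]+)"', target)
            kind = {"add": "granted", "remove": "revoked"}.get(verb)
            if kind and group_names.get(rid) in PRIVILEGED_GROUPS:
                events += [(f"admin_{kind}", uid) for uid in ids]
    return events

SAMPLES = [  # constructed requests, in the order an IdP might send them
    ("POST", "/Users", {"userName": "ana@example.com", "active": True}),
    ("PATCH", "/Users/u-1", {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}),
    ("PATCH", "/Groups/g-100", {"Operations": [{"op": "Add", "path": "members", "value": [{"value": "u-2"}]}]}),
    ("PATCH", "/Groups/g-100", {"Operations": [{"op": "remove", "path": 'members[value eq "u-2"]'}]}),
    ("PATCH", "/Groups/g-200", {"Operations": [{"op": "add", "path": "members", "value": [{"value": "u-3"}]}]}),
]

def run_samples():
    return [e for m, p, b in SAMPLES for e in classify(m, p, b, GROUPS)]
```

Membership changes to the privileged group are the ones worth alerting on in IdP audit logs, since the group mapping turns them into Admin rights at the next sync.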

## Where to configure SCIM in SkillsDB

Navigate to **Settings > SSO & SCIM** and select **Configure SSO and SCIM settings**. This page is visible only to administrators. It contains:

* The **Last SCIM sync** timestamp
* Two buttons in the top right: **Event Log** and **Create SCIM Group**
* Two admin-assistance links — **Users without a current manager** and **Users with a manager assigned**
* The **Default SCIM Groups** table with the two built-in groups
* The **Custom SCIM Groups** table listing every custom group your administrators have created or that has been auto-created from IdP events

When no SCIM connection is active, the page shows a message prompting you to configure SCIM in your identity provider — the group-management UI is hidden in this state.

## Related Articles

<CardGroup cols={2}>
  <Card title="SCIM Setup" icon="gear" href="/identity-and-provisioning/scim-setup">
    Step-by-step configuration for Microsoft Entra ID, including the enterprise application, Tenant URL and Secret Token, and attribute mapping.
  </Card>

  <Card title="SCIM Groups and Permissions" icon="users-gear" href="/identity-and-provisioning/scim-groups-and-permissions">
    The two default groups, custom SCIM groups, the three permission levels (Admin, Full Access, Basic), and automatic Manager promotion.
  </Card>

  <Card title="SCIM Career Automations" icon="briefcase" href="/identity-and-provisioning/scim-career-automations">
    Automatically assign careers to users when they are provisioned into specific SCIM groups, with configurable scope.
  </Card>

  <Card title="SCIM Event Log" icon="clipboard-list" href="/identity-and-provisioning/scim-event-log">
    The audit trail for every provisioning event — filter, export, and troubleshoot sync issues.
  </Card>

  <Card title="Azure Sync Considerations" icon="triangle-exclamation" href="/identity-and-provisioning/azure-sync-considerations">
    Known Entra limitations for email changes, manager assignment, and deactivation, plus workarounds.
  </Card>

  <Card title="Sign-in and SSO" icon="right-to-bracket" href="/core-concepts/sign-in-and-sso">
    How Single Sign-On works in SkillsDB, independent of SCIM provisioning.
  </Card>
</CardGroup>

## Common Questions

<AccordionGroup>
  <Accordion title="Do I need SCIM if I already have SSO configured?">
    No, SSO works independently. Without SCIM, a SkillsDB administrator must create, update, and deactivate user accounts manually. With SCIM, those actions happen automatically based on changes in your identity provider.
  </Accordion>

  <Accordion title="Does SkillsDB expose a public SCIM endpoint I can integrate with?">
    No. SkillsDB's SCIM layer runs through Stytch, which handles the SCIM 2.0 protocol on SkillsDB's behalf. You configure SCIM in your identity provider using the Tenant URL and Secret Token that SkillsDB Support provides — you do not integrate against a SkillsDB-hosted endpoint.
  </Accordion>

  <Accordion title="Which identity providers are supported?">
    Any IdP that supports SCIM 2.0, including Microsoft Entra ID (Azure AD), Okta, OneLogin, Google Workspace, and others. The [SCIM Setup](/identity-and-provisioning/scim-setup) guide covers Entra specifically — contact SkillsDB Support for setup instructions for other providers.
  </Accordion>

  <Accordion title="How do I give a SCIM-provisioned user admin rights?">
    Add them to the `SkillsdbGlobalAdmins` group in your identity provider. The next SCIM sync will upgrade their SkillsDB permission level to Admin. See [SCIM Groups and Permissions](/identity-and-provisioning/scim-groups-and-permissions) for the full mapping.
  </Accordion>

  <Accordion title="What happens to SCIM-provisioned users if I disable SCIM?">
    Existing users remain in SkillsDB with their current state. Administrators regain manual control and must manage users directly from then on. SkillsDB does not deactivate or delete users when SCIM is disabled.
  </Accordion>
</AccordionGroup>

## Need More Help?

For setup assistance or architectural questions about identity integration, reach out to your organization's SkillsDB administrator or contact [SkillsDB Support](https://www.skillsdb.com/support).
