SCIM (System for Cross-domain Identity Management) lets your identity provider automatically add and remove users from your Compound team. Instead of manually inviting and removing team members, your IdP pushes changes to Compound in real time — when you assign someone to the Compound app in your IdP, they are added to your team, and when you unassign them, they are removed.
Prerequisites
Before you can enable SCIM, your team must meet the following requirements:
- Enterprise SSO configured — SCIM requires an active SAML or OIDC SSO configuration. See Set Up SSO for Compound to configure SSO first.
- Team Owner role — Only Team Owners can enable and manage SCIM provisioning.
SCIM cannot be enabled until your team has a working SSO configuration (SAML or OIDC). The Enable SCIM button will not appear unless SSO is active.
Enable SCIM provisioning
Open SCIM settings
In Compound, navigate to Settings > Team. Scroll down to the SCIM Provisioning section below the SSO configuration.
Enable SCIM
Click Enable SCIM. Compound generates a SCIM endpoint URL and a bearer token for authenticating your identity provider.
Copy the endpoint URL and bearer token
After enabling, Compound displays:
- SCIM Endpoint URL — the base URL your IdP uses to communicate with Compound.
- Bearer Token — the authentication token your IdP includes in SCIM API requests.
Copy both values. You will need to enter them in your identity provider’s SCIM configuration.
The bearer token is displayed only once. Copy it immediately and store it securely. If you navigate away without copying the token, you will need to rotate it to generate a new one.
Configure your identity provider
After enabling SCIM in Compound, configure your IdP to use the endpoint URL and bearer token. See the provider-specific guide for your IdP:
- Set Up Okta SCIM Provisioning — Step-by-step guide for configuring SCIM with Okta
For other identity providers, enter the SCIM endpoint URL as the SCIM connector base URL, and the bearer token as the OAuth bearer token or API token, depending on your IdP’s terminology.
Rotate the bearer token
If the bearer token is compromised or you need to issue a new one:
- Go to Settings > Team > SCIM Provisioning.
- Click Rotate Token.
- Compound generates a new bearer token and invalidates the previous one immediately.
- Copy the new token and update it in your identity provider’s SCIM configuration.
After rotating the token, your IdP will not be able to make SCIM requests until you update the token in your IdP’s settings. Update it promptly to avoid provisioning interruptions.
Disable SCIM provisioning
To stop your IdP from provisioning users:
- Go to Settings > Team > SCIM Provisioning.
- Click Disable SCIM.
- Confirm the action in the dialog.
Disabling SCIM revokes the bearer token and stops all SCIM API requests from your IdP. Existing team members are not affected — they remain on the team. You can re-enable SCIM at any time, which generates a new endpoint URL and bearer token.
What happens during provisioning
When a user is provisioned
When your IdP sends a SCIM create request (e.g., when you assign a user to the Compound app in your IdP):
- If the user does not have a Compound account, one is created automatically using their email address.
- The user is added to your team as a Member.
- The user can immediately sign in via SSO.
When a user is deprovisioned
When your IdP sends a SCIM deactivate request (e.g., when you unassign a user from the Compound app or disable their account in your IdP):
- The user is removed from your team.
- Their Compound account is not deleted — only the team membership is removed.
- The user loses access to team resources but retains their personal account and data.
Team Owners cannot be deprovisioned via SCIM. If your IdP attempts to deactivate the team owner, the request will be rejected.
When a user is reactivated
If a previously deprovisioned user is reassigned to the Compound app in your IdP:
- The user is added back to your team as a Member.
- Their existing Compound account is reused — no new account is created.