SCIM provisioning
Push users, deprovisions, and group changes from your IdP into Orvine automatically.
SCIM is available on Business and Enterprise plans. It requires SSO to be configured first.
Endpoint and credentials
Orvine implements SCIM 2.0 (RFC 7644) with bearer-token authentication. Generate the token from Settings → SCIM. Rotate it at least every 12 months; you can keep two tokens active during a rotation window.
Base URL: https://scim.orvine.app/v2/<org_id>
Auth: Authorization: Bearer <scim_token>
Resources: /Users /Groups /ServiceProviderConfig /Schemas
Filters: eq, sw, co, pr (per RFC 7644)
Patch: application/scim+json, PATCH opsAttribute mapping
Orvine accepts standard SCIM 2.0 core and enterprise extension attributes. The default mapping is below; per-org overrides can be set in the admin console.
| SCIM attribute | Orvine field | Note |
|---|---|---|
| userName | Used as the canonical login identifier. | |
| name.givenName | first_name | Display name component. |
| name.familyName | last_name | Display name component. |
| emails[type eq 'work'].value | Falls back to userName when absent. | |
| active | status | false deprovisions; true reactivates. |
| title | title | Job title; used by onboarding journeys. |
| department | department | Suggests default project membership. |
| groups[].value | role | Group name pattern orvine-<role> maps to role. |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value | manager_email | Enables ramp manager dashboards. |
Group-to-role mapping
Create groups in your IdP named orvine-owner, orvine-admin, orvine-curator, orvine-contributor, orvine-viewer. Membership pushes are honored on every SCIM PATCH. If a user appears in multiple Orvine groups, the highest-privilege wins.
Deprovisioning behavior
Setting active=false immediately revokes sessions, API keys created by that user, and membership in all projects. Their authored content is retained; ownership of SOPs and entities is reassigned to the role's fallback owner if one is configured. After 30 days, the account is hard-deleted unless re-activated.
SCIM will reject any operation that would leave the workspace with zero Owners. Transfer ownership first.