Overview
SCIM (System for Cross-domain Identity Management) is a standard for managing user and group provisioning in an Identity Provider (IdP), ensuring that updates to users and groups are reflected in any relying parties, such as Persona. Persona supports some SCIM functionality for customers using Entra as their IdP.
⚠️ An important piece of background: groups in SCIM refer to roles in Persona. To implement SCIM, SSO will need to be established.
High-Level Steps to Enable SCIM Provisioning for a Persona Organization:
- Enable SCIM Provisioning
- Configure the SCIM integration
- Import users and groups from Persona.
- Provision Users & Groups
Availability
SCIM is available on Growth and Enterprise plans.
Prerequisite
SCIM is a highly sensitive feature, and API keys do not have SCIM permissions enabled by default. Persona recommends creating a dedicated API key (distinct from the one used for general calls to persona-web) for SCIM purposes.
Creating an API Key
- Navigate to your Persona Dashboard > API.
- Create a new API key via + Create API key.
- Once you’ve provided a name and description for the new API key, you’ll be dropped into the configuration of the newly created API key.
- Select the Permissions tab, expand the API drop-down, and check the checkbox for Use API Key for SCIM. Click on Save, and keep this key handy, as we’ll need it for the SCIM integration.
⚠️ This is important! API keys do not have the SCIM permission set up by default. If you’re seeing ApplicationController::Unauthorized when setting up SCIM, double check that this permission is enabled.
Enabling SCIM Provisioning
- Log in to your Entra Admin Dashboard and navigate to the application you have previously set up for the Persona SAML integration. For the purpose of this guide, we’ll refer to it as Persona Application.
- Once you’ve selected the Persona Application, go to the Provisioning tab, or the step Provision User Accounts.
Configuring the SCIM Integration
- Click on Connect your application
- For Tenant URL, enter https://withpersona.com/scim/v2.
- For Secret Token, fetch the Persona SCIM API Key created in the prerequisite step and paste in the value.
- Click Test Connection to ensure the connection is successful.
- Confirm that you see a successful ✅ Provisioning test connection. You can close this step now.
Provisioning Users & Groups
Once the SCIM configuration is connected, we need to map the Users and groups. High-level steps are:
- Create Persona Roles in Entra Groups
- Remap Application with Groups
Create Persona Roles in Entra Groups
- Navigate to Groups > Overview.
- Click on New group.
- Navigate to Users and groups section.
- Click on Add user/group, and add all the Persona Roles as Groups in Entra.
- Once the Groups are created, add the desired Users into the respective Entra Groups.
⚠️ Make sure that each Entra Group name exactly matches the name of the corresponding Persona Role.
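A pre-flight check for the exact-name requirement above, as an added example (not Persona's or Microsoft's code): it compares a list of Entra group names against Persona role names and flags near misses such as case or whitespace differences, which would not count as an exact match. The role and group names are constructed sample values, and how you export each list is left to you.

```python
import unicodedata

def _fold(name):
    """Normalize a name for near-miss detection only, never for the real mapping."""
    return " ".join(unicodedata.normalize("NFKC", name).split()).casefold()

def check_group_names(persona_roles, entra_groups):
    """Classify each Entra group name against the Persona role names.

    Returns {group: (status, role)} where status is "exact", "near_miss"
    (differs only by case, whitespace or Unicode form) or "no_role".
    """
    roles = set(persona_roles)
    folded = {_fold(r): r for r in persona_roles}
    report = {}
    for group in entra_groups:
        if group in roles:
            report[group] = ("exact", group)
        elif _fold(group) in folded:
            report[group] = ("near_miss", folded[_fold(group)])
        else:
            report[group] = ("no_role", None)
    return report

def unmapped_roles(persona_roles, entra_groups):
    """Persona roles that have no exactly named Entra group."""
    groups = set(entra_groups)
    return [r for r in persona_roles if r not in groups]

# Constructed sample data: hypothetical role and group names.
PERSONA_ROLES = ["Admin", "Case Reviewer", "Read Only"]
ENTRA_GROUPS = ["Admin", "case reviewer", "Read Only ", "Persona-Analysts"]

if __name__ == "__main__":
    results = check_group_names(PERSONA_ROLES, ENTRA_GROUPS)
    for group, (status, role) in results.items():
        print(f"{group!r:22} {status:10} {role or ''}")
    print("Roles without an exact group:",
          unmapped_roles(PERSONA_ROLES, ENTRA_GROUPS))
```

Rename any group reported as a near miss before starting provisioning, and review groups with no matching role before assigning them to the application.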
Remap Application with Groups instead of Users
- Navigate back to the application from the Enabling SCIM Provisioning section.
- Click on Assign Users and Groups tile, or navigate to the Users and Groups Section
- Click on Add user/group, and add the Groups that match the Persona roles
- Go back to Overview (Preview), click on ▷ Start Provisioning
- Wait until provisioning is finished, and you are done!
⚠️ You can always check the Provisioning logs for the results.