SCIM provisioning

Auto-provision and deprovision dashboard members and Groups from your IdP.

SCIM (System for Cross-domain Identity Management) lets your IdP push user and Group changes into Agent Handler automatically. When you add someone to an Okta Group, they appear in Agent Handler. When you remove them, their access ends - no manual cleanup, no orphaned accounts.

SCIM is part of the Agent Handler for Employees setup, and it’s how Registered Users get created: your IdP provisions each employee once, and they get both a dashboard user and a Registered User. It sits on top of SSO, which authenticates members while SCIM provisions them. Turn on SSO first, then layer SCIM on top.

Setting up SCIM

  1. Open the Provisioning tab.
  2. Click Enable SCIM. Agent Handler generates a SCIM token and a base URL.
  3. Copy both - you’ll paste them into your IdP next.
  4. In your IdP, add Agent Handler as a SCIM target with these credentials. The setup wording differs by IdP; the values are always the same:
    • SCIM base URL: the URL Agent Handler showed you, of the form https://ah-api.merge.dev/scim/v2/.
    • Bearer token: the SCIM token Agent Handler generated.
    • Provisioning method: push (Okta), automatic (Azure AD).
  5. Configure attribute mappings in your IdP - see per-IdP notes below.
  6. Provision a test user from your IdP. Within a minute or two, they should appear in Settings → Members.

Test thoroughly before turning on enforcement. SCIM misconfigurations can lock out your whole team if you flip “require SSO + SCIM” prematurely.

Per-IdP setup

  1. Okta Admin Console → your Agent Handler SSO application → Provisioning → Configure API Integration.
  2. Check Enable API integration.
  3. Base URL: paste from Agent Handler.
  4. API token: paste the SCIM token.
  5. Click Test API Credentials - Okta verifies the connection.
  6. Save.
  7. Under Provisioning → To App, enable Create Users, Update User Attributes, and Deactivate Users.
  8. Map attributes - email, given name, family name at minimum.
  9. Assign Okta Groups to the application; their members get pushed into Agent Handler.
  10. Push Groups: Provisioning → Push Groups, select the Groups you want synced.

Mapping IdP Groups to roles and tools

Once Groups sync in, you assign each one a dashboard role and tool access from Manage access → Group access, and set a baseline for everyone under Default access. Users in multiple Groups get the highest dashboard role and the most permissive tool access across them. See Managing tool access for the full model.

Deprovisioning

The contract: when a user is removed from your IdP (or removed from the Agent Handler-bound Group in your IdP), Agent Handler:

  1. Marks the dashboard user as deactivated. They can no longer log in.
  2. Deactivates the linked Registered User. All their stored credentials are revoked. Active OAuth tokens for the MCP URL are invalidated.
  3. Records the deprovisioning event in the Audit Trail.

Audit log entries and tool-call history for the deprovisioned user are retained per your org’s retention policy (default 90 days).

Token rotation

The SCIM token has the same security profile as an API key - anyone who holds it can create and modify users in your org. Rotate it yearly, and immediately on any suspicion that it has leaked.

To rotate: in the Provisioning tab, click Regenerate token. The new token is shown once. Update your IdP’s stored copy before the next sync runs, or the next sync will fail and provisioning will pause.

Common issues

  • Sync runs but no users appear. Check the IdP’s sync log for error responses from Agent Handler. Most often it’s an attribute mapping issue - the IdP is sending fields Agent Handler doesn’t recognize, or omitting required fields.
  • Users appear but with the wrong role. Group mappings are set but the user isn’t in the Group, or the IdP isn’t pushing the Group. Confirm Group push is enabled.
  • Deprovisioning lags. Each IdP runs its own sync schedule. Okta is near-real-time on user removal; Azure runs every ~40 minutes. The Audit Trail records the deprovisioning event whenever it fires.
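As an added example (not Agent Handler's own code or docs), a small Python checker for the step-6 test-user push and the attribute-mapping failure above: it flags required SCIM attributes a User payload omits and top-level fields the target may not recognise, and builds the bearer-authenticated deprovisioning PATCH an IdP issues. The base URL, token, user id and sample payload are constructed placeholders, and the core-schema attribute set is an assumption about what the target accepts.

```python
"""Offline checks on the SCIM 2.0 User payloads an IdP pushes to a /scim/v2/ target (RFC 7643/7644
assumed); which attributes Agent Handler accepts is not on the page, so KNOWN is just the core schema."""
import json
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Minimum mapping the setup steps call for: email, given name, family name.
REQUIRED = {"userName": ("userName",), "emails": ("emails",),
            "name.givenName": ("name", "givenName"), "name.familyName": ("name", "familyName")}
KNOWN = frozenset({"schemas", "id", "externalId", "userName", "name", "displayName",
                   "emails", "active", "groups"})

def _get(obj, path):
    """Walk a path of keys through nested dicts; None if any hop is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def missing_attributes(user: dict) -> list:
    """Required attributes that are absent or empty; 'schemas' first if the User schema is missing."""
    missing = [name for name, path in REQUIRED.items() if not _get(user, path)]
    if USER_SCHEMA not in user.get("schemas", []):
        missing.insert(0, "schemas")
    return missing

def unknown_attributes(user: dict) -> list:
    """Top-level fields outside the core schema: the IdP is pushing an unmapped field."""
    return sorted(set(user) - KNOWN)

def deactivate_patch() -> dict:
    """Deprovisioning as an IdP expresses it on the wire: a PATCH setting active=false."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}

def scim_request(base_url: str, token: str, method: str, path: str, body=None):
    """Build (not send) the bearer-authenticated request an IdP would issue."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/scim+json")
    return req

# Constructed sample of a mis-mapped push: family name missing, one unmapped field present.
SAMPLE_USER = {"schemas": [USER_SCHEMA], "userName": "a.lovelace@example.com",
               "name": {"givenName": "Ada"}, "active": True, "department": "Eng",
               "emails": [{"value": "a.lovelace@example.com", "primary": True}]}
```

Run `missing_attributes` and `unknown_attributes` over a User body copied from your IdP's sync log; a non-empty result points at the mapping to fix before re-running the sync.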

Next

Add a second factor on every dashboard login with Multi-factor authentication.