Single Sign-On (SSO) and SCIM Provisioning on the Enterprise plan
Learn how to manage user access and automate user provisioning for your organization's You.com enterprise plan using SSO and SCIM.
Prerequisites
- Enterprise plan subscription
- Identity Provider (IdP) configured for your organization
- Administrative access to your organization's IdP
- Domain ownership verification completed
Overview
This guide explains how Single Sign-On (SSO) and System for Cross-domain Identity Management (SCIM) work together to provide secure access management and automated user provisioning for your You.com enterprise deployment.
Key Benefits
- Centralized access management through your IdP
- Automated user provisioning and deprovisioning
- Enhanced security with SSO authentication
- Simplified user lifecycle management
- Efficient license utilization tracking
Getting Started
Understanding SSO Implementation
SSO enables your organization to:
- Control access to You.com through your existing IdP
- Enforce SSO logins for all users with your organization's email domain(s)
- Automatically provision new users through just-in-time provisioning
Understanding SCIM Integration
SCIM provides:
- Automated user account creation and management
- Synchronized user updates between your IdP and You.com
- Automated deprovisioning of departed employees
Step-by-Step Guide
1. Limiting Access with SSO
- Identify the groups or users who need You.com access
- Assign selected groups/users to the You.com app in your IdP
- Verify that only assigned users can authenticate
💡 Tip: To limit access to a specific number of users (e.g., 100 users), simply ensure that the total number of users assigned to the You.com app in your IdP matches your desired limit.
2. Managing Users with SCIM
Provisioning Users
- Assign users/groups to the You.com app in your IdP
- SCIM automatically adds users to your You.com plan
- Updates are pushed via SCIM to maintain synchronization
Deprovisioning Users
Users can be deprovisioned in two ways:
- Unassigning from the You.com app
- Removing from the organization's IdP
Note: Deprovisioned users are marked as "Disabled" rather than deleted to preserve data and maintain records.
Best Practices
- Regularly audit user assignments in your IdP
- Use groups for easier management of user access
- Maintain clear documentation of assigned groups
- Monitor provisioning logs for any errors
Troubleshooting
Common Issues
- Users unable to log in: Verify IdP group assignments
- Users not automatically provisioned: Check SCIM configuration
- Deprovisioned users still appearing: Confirm SCIM sync status
⚠️ Warning: Deleting disabled users will permanently remove access to their chats, agents, projects, and other resources. Consider carefully before performing permanent deletions.
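Added example (not part of You.com's documentation or tooling): one way to run the assignment audit from Best Practices and the sync checks from Troubleshooting is to reconcile the IdP's assignment list against a SCIM 2.0 user listing. It assumes you can export provisioned users as a SCIM ListResponse (RFC 7644) and that "Disabled" corresponds to the SCIM attribute active set to false; all user names and data are constructed.

```python
import json

SCIM_LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed SCIM 2.0 ListResponse standing in for an export of provisioned users.
SAMPLE_SCIM = json.dumps({
    "schemas": [SCIM_LIST_SCHEMA],
    "totalResults": 4,
    "Resources": [
        {"userName": "Alice@example.com", "active": True},
        {"userName": "bob@example.com", "active": True},
        {"userName": "carol@example.com", "active": False},
        {"userName": "dave@example.com", "active": False},
    ],
})
# Constructed list of users assigned to the app in the IdP.
SAMPLE_ASSIGNED = ["alice@example.com", "dave@example.com", "erin@example.com"]


def reconcile(scim_json, assigned, seat_limit=None):
    """Return drift between IdP assignments and SCIM-provisioned accounts."""
    doc = json.loads(scim_json)
    if SCIM_LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("listing is paginated; fetch all pages before auditing")
    # Compare user names case-insensitively. A missing "active" flag is
    # treated as active so the account is reviewed rather than ignored.
    state = {r["userName"].lower(): bool(r.get("active", True)) for r in resources}
    wanted = {u.lower() for u in assigned}
    return {
        # Active account with no IdP assignment: deprovisioning did not sync.
        "active_not_assigned": sorted(u for u, a in state.items() if a and u not in wanted),
        # Assigned in the IdP but no account exists: provisioning did not sync.
        "assigned_not_provisioned": sorted(wanted - set(state)),
        # Assigned in the IdP but the account is still disabled.
        "assigned_but_disabled": sorted(u for u in wanted if state.get(u) is False),
        # More assignments than the intended user limit (see the tip in step 1).
        "over_seat_limit": seat_limit is not None and len(wanted) > seat_limit,
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_SCIM, SAMPLE_ASSIGNED, seat_limit=100), indent=2))
```

Any entry under active_not_assigned is an account that can still sign in after it should have been disabled, so review those first.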