Skip to content
  • There are no suggestions because the search field is empty.

Single Sign-On (SSO) and SCIM Provisioning on the Enterprise plan

Learn how to manage user access and automate user provisioning for your organization's You.com enterprise plan using SSO and SCIM.

Prerequisites

  • Enterprise plan subscription
  • Identity Provider (IdP) configured for your organization
  • Administrative access to your organization's IdP
  • Domain ownership verification completed

Overview

This guide explains how Single Sign-On (SSO) and System for Cross-domain Identity Management (SCIM) work together to provide secure access management and automated user provisioning for your You.com enterprise deployment.

Key Benefits

  • Centralized access management through your IdP
  • Automated user provisioning and deprovisioning
  • Enhanced security with SSO authentication
  • Simplified user lifecycle management
  • Efficient license utilization tracking

Getting Started

Understanding SSO Implementation

SSO enables your organization to:
  • Control access to You.com through your existing IdP
  • Enforce SSO logins for all users with your organization's email domain(s)
  • Automatically provision new users through just-in-time provisioning

Understanding SCIM Integration

SCIM provides:
  • Automated user account creation and management
  • Synchronized user updates between your IdP and You.com
  • Automated deprovisioning of departed employees

Step-by-Step Guide

1. Limiting Access with SSO

  1. Identify the groups or users who need You.com access
  2. Assign selected groups/users to the You.com app in your IdP
  3. Verify that only assigned users can authenticate
💡 Tip: To limit access to a specific number of users (e.g., 100 users), simply ensure that the total number of users assigned to the You.com app in your IdP matches your desired limit.

2. Managing Users with SCIM

Provisioning Users

  1. Assign users/groups to the You.com app in your IdP
  2. SCIM automatically adds users to your You.com plan
  3. Updates are pushed via SCIM to maintain synchronization

Deprovisioning Users

Users can be deprovisioned in two ways:
  1. Unassigning from the You.com app
  2. Removing from the organization's IdP
Note: Deprovisioned users are marked as "Disabled" rather than deleted to preserve data and maintain records.

Best Practices

  • Regularly audit user assignments in your IdP
  • Use groups for easier management of user access
  • Maintain clear documentation of assigned groups
  • Monitor provisioning logs for any errors
 

Troubleshooting

Common Issues

  • Users unable to log in: Verify IdP group assignments
  • Users not automatically provisioned: Check SCIM configuration
  • Deprovisioned users still appearing: Confirm SCIM sync status
⚠️ Warning: Deleting disabled users will permanently remove access to their chats, agents, projects, and other resources. Consider carefully before performing permanent deletions.