Managing user licenses via SCIM


With the SCIM integration, Zefort administrators can maintain Zefort users and user groups in the identity provider (“IdP”) used in your organization, such as Azure AD or Okta.

Map the IdP user groups with licenses and SCIM will automatically create and maintain the users and their licenses in Zefort. If you make changes (e.g. name changes) in your IdP, they will automatically be reflected in Zefort.

zefort scim integrations

Mapping IdP groups with Zefort licenses

  1. Go to Account settings and open Integrations.
  2. Activate new or configure existing SCIM integration. See more detailed instructions here.
  3. Select the desired license and map it with group from your IdP.

zefort scim provisioning

Example

zefort scim mapping example

Let’s assume that you have a group in IdP named “Paralegals” which you want to be automatically created in Zefort as well. With Zefort’s SCIM integration, you can map the “Paralegals” group to a specific license, such as Editors, for example. When you add new people to the “Paralegals” group in your IdP, SCIM will automatically add the new user with an editor license in Zefort.

Further, let’s assume that you also have a “Managers” group which is mapped to the “Admin” license. In this case users in that group will get the admin license in Zefort. If a user is in both “Paralegals” and “Managers” groups, they will get the highest license level among the groups, which in this case is admin license.

If a user is in both groups and then removed from the “Managers” group, their license level will be automatically adjusted to the highest available license level, which would be “Editors” in our example above, since the user is still a member of the group “Paralegals”.

You can also set a default license for the users that don’t belong to any of the group mappings. In our example, group “Auditors” doesn’t have any mapping in SCIM integration. Group members will get the license that has been set as default, which is “Viewer” in this case. Note that the default user group is only used when the user is first provisioned, so changing the default license group will not impact existing users.

Note: If you remove an IdP group or remove the license mapping, you might end up in a situation where some users don’t belong to any group. In this case, users will keep the same user license that they had before removing the group or mapping.