Azure SCIM

Chalk implements SCIM in order to allow external identity providers (IDPs) to automatically provision and deprovision users as they are added and removed from the external identity provider.

​

Supported Features

• IDP-initiated user provisioning
• IDP-initiated user deprovisioning
• IDP-managed group assignment

​

Setup Steps

This guide assumes that an SAML application has been already set up for Chalk. To view the base setup steps, see the Chalk documentation for Entra ID SAML.

​

Enable SCIM in Chalk

1. Navigate to your environment’s settings page
2. Find the Single-Sign On Page on the Settings Sidebar
3. Find the SCIM Tab on the page
4. Generate an SCIM authentication token in your Chalk settings dashboard.

• Important: This token is extremely sensitive and care should be taken to ensure that it is not leaked.

5. Copy the SCIM connector Base URL. For self-hosted planes, this may differ.

​

Set Up SCIM in Entra ID

1. Navigate to your Entra ID admin dashboard, and find (or create) your application.
2. In your application, find the provisioning tab and click on “Connect Your Application”
3. Configure SCIM using:
   • Authentication Method: “Bearer authentication”
   • Tenant URL: https://api.chalk.ai/scim/v2
     • Important: This URL will change if your metadata plane is self-hosted. Confirm your team’s SCIM connector base URL in the Settings > Single Sign-On.
   • Secret token: The token generated in step 4 of the previous section
4. Navigate to “attribute mapping” in the provisioning sidebar
5. Add attribute mappings for users. The following attributes are supported:
   • userName: Use your preferred email attribute
   • active
   • displayName
   • title
   • name.givenName
   • name.familyName
6. Add attribute mappings for groups. The following attributes are supported:
   • displayName
   • members
   • If group syncs do not work as expected, it is potentially due to invalid attribute mappings and recommended to delete mappings down to just these two.