Skip to main content
All CollectionsIntegrationsSingle sign on (SSO)
SCIM user provisioning and de-provisioning
SCIM user provisioning and de-provisioning

Easily provision and manage users and groups in Go1 with the System for Cross-domain Identity Management (SCIM) API standard

Updated over 3 months ago

If you’re an Administrator on Go1, you can provision and manage users and groups in your Go1 portal with SCIM.

When SCIM is configured with your Identity Provider, people in your organization will automatically get a Go1 user account provisioned. It will also keep your members in sync by adding new users to your Go1 portal and removing people that have left your organization.

What you can do using SCIM with Go1

User provisioning and management:

  • Create and remove users in your portal

  • Update a user’s profile information including their access level (role)

  • Assign or update a user’s manager (Not supported when using Azure AD)

Group provisioning and management:

  • Create Go1 groups from Okta permission groups

  • Add and remove members in a group based on Okta permission groups

For advanced users, please see our developer documentation on the SCIM endpoint for more information.

How to set up provisioning with SCIM

We currently support Okta, Azure and custom SCIM applications.

Configure your identity provider using the guide below.

For other identity providers, please refer to their respective documentation on how to complete this step.

Prerequisites for SCIM with Go1

  • Only an Administrator can configure SCIM for a Go1 portal, and you will need administrator access to your chosen identity provider

  • If you want to use SCIM to modify a user's email address, you must be an Administrator on all portals that user is a member of


Okta SCIM configuration

Go1's Okta SCIM integration supports the following:

  • Create and remove Go1 users

  • Create Go1 groups from Okta permission groups

  • Add and remove members in a group based on Okta permission groups

  • Keep user attributes synchronized between Okta and Go1, including name, email addresses and permissions

  • Users created in Go1 can be provisioned into Okta (matched against existing Okta users or created as new users)

  • Groups created in Go1 can be imported into Okta

Step 1: Add Go1 SCIM app to Okta

  1. Log in to your Okta Admin Console and click on Applications

  2. Click to Browse App Catalog and search for Go1

  3. Click + Add integration to install the Go1 SCIM app to your Okta instance and follow the setup wizard

Step 2: Configure Go1 SCIM app

  1. In the Go1 SCIM app, select the Provisioning tab and click Configure API integration

  2. Select the checkbox to Enable API integration

  3. Click to Authenticate with Go1 which will trigger an authorisation

  4. Enter your Go1 email address and password and follow the prompts to authorize Okta to access your Go1 users and groups

  5. After you’ve successfully authenticated, click Save

Step 3: Enable provisioning

  1. Under the Provisioning tab, click on To App from the side menu.

  2. Click to Edit and select the checkboxes to enable Okta to Create users, update user attributes and deactivate users in Go1. Click Save.

    The Go1 app will have the required minimum fields configured as shown in the below image:

An image of the attribute table from Okta showing the mapped attributes user name, given name, family name, email, manager value, manager display name and roles.

To map additional fields, follow these Okta instructions.

Okta SCIM troubleshooting

The View Logs page can be useful for viewing what SCIM actions are being run. For each user update there should be two corresponding logs: one for the change being made in Okta, and one to show the change was pushed to the Go1 app.


Ensure the roles assigned to users comply with Go1's permissions here.

Users cannot have both Administrator and Content Administrator roles; in these cases only the Content Administrator role will be applied.

Azure AD / Entra ID SCIM configuration

Go1's Azure SCIM integration supports the following provisioning features:

  • Create users

  • Remove users

  • Keep user attributes synchronized between Azure AD and Go1, including name, email addresses and permissions

Step 1: Generate an API token in Go1

  1. In your Go1 account, select Integrations and then Developers, under the main menu in the top right.

  2. Click + Create app to create a new private oAuth application. Choose a name and redirect URI for your app and click to Create application

  3. Use the generated client id and client secret to obtain Go1 access token using this auth endpoint https://www.go1.com/developers/api/reference/auth#tag/Authorization/paths/~1oauth~1token/post

NOTE: any grant type can be used, but when not using client credentials you must specify what scope you require scope=user.read user.write group.read group.write. For advanced users, more information in our developer documentation.

This API token is valid for twelve hours so will need to be regularly replaced

Step 2: Create an Enterprise Application in Azure AD / Entra ID

  1. In your Azure Portal, go to Azure Active Directory.

  2. Under the Manage section, click on Enterprise applications.

  3. Click the + New application button and choose Create your own application.

  4. Give your application a name, select the Integrate any other application you don't find in the gallery (Non-gallery) option, and click the Create button.

Step 3: Configure automatic user provisioning in Azure AD / Entra ID

  1. In the Azure app created, select the Provisioning tab.

  2. Set the Provisioning Mode to Automatic.

  3. Under the Admin Credentials section, input the following:

    1. Tenant URL: https://gateway.go1.com/version/2022-07-01/scim

    2. Secret token: API Token generated in step 1

  4. Click Test Connection to ensure Azure AD can connect to Go1. If the connection fails, ensure your Go1 account has Admin permissions and try again. Once the connection test is successful, at the top of the settings window click Save.

Step 4: Configure attribute mappings

  1. Under the Mappings, select Provision Azure Active Directory/ Entra ID Users.

  2. Under the Target Object Actions, make sure to only select Create and Update.

  3. Under Attribute Mappings, configure them as shown in this image:

    An image of the attribute table from Azure AD/Entra ID showing the mapped attributes objectId, Switch, user Principal name, mal, given name, surname and manager.


  4. To enable the Azure AD provisioning service for Go1, change the Provisioning Status to On in the Settings section.

  5. Define the users and/or groups that you would like to provision to Go1 under Users and Groups by clicking + Add user

  6. When you're ready to provision, click Save. This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

Azure AD / Entra ID SCIM troubleshooting

  1. In the Azure app, from the sidebar, go to the Monitor section.

  2. Select Provisioning logs to see what SCIM actions have been run.

Azure AD SCIM troubleshooting


Azure AD / Entra ID's provisioning cycle generally runs every 40 minutes. So there may be delays in propagating the changes in your Active Directory to relevant users and groups in Go1.

Did this answer your question?