
SCIM user provisioning and de-provisioning

Easily provision and manage users and groups in Go1 with the System for Cross-domain Identity Management (SCIM) API standard

If you’re an Administrator on Go1, you can provision and manage users and groups in your Go1 portal with SCIM.

When SCIM is configured with your Identity Provider, people in your organization will automatically get a Go1 user account provisioned. It will also keep your members in sync by adding new users to your Go1 portal and removing people that have left your organization.

What you can do using SCIM with Go1

User provisioning and management:

  • Create and remove users in your portal

  • Update a user’s profile information including their access level (role)

  • Assign or update a user’s manager

Group provisioning and management:

  • Create Go1 groups from Okta permission groups (not supported in Azure)

  • Add and remove members in a group based on Okta permission groups (not supported in Azure)

For advanced users, please see our developer documentation on the SCIM endpoint for more information.

How to set up provisioning with SCIM

We currently support Okta, Azure and custom SCIM applications via APIs.

Configure your identity provider using the guide below.

For other identity providers, please refer to their respective documentation on how to complete this step.

Prerequisites for SCIM with Go1

  • Only an Administrator can configure SCIM for a Go1 portal, and you will need administrator access to your chosen identity provider

  • If you want to use SCIM to modify a user's email address, you must be an Administrator on all portals that user is a member of


Supported attributes — SCIM schema reference


For supported SCIM attributes (core user fields, role GUIDs, manager assignments, profile fields, and custom fields), see Supported attributes.



Okta SCIM configuration

Go1's Okta SCIM integration supports the following:

  • Create and remove Go1 users

  • Create Go1 groups from Okta permission groups

  • Add and remove members in a group based on Okta permission groups

  • Keep user attributes synchronized between Okta and Go1, including name, email addresses and permissions

  • Users created in Go1 can be provisioned into Okta (matched against existing Okta users or created as new users)

  • Groups created in Go1 can be imported into Okta

Step 1: Add Go1 SCIM app to Okta

  1. Log in to your Okta Admin Console and click on Applications

  2. Click to Browse App Catalog and search for Go1

  3. Click + Add integration to install the Go1 SCIM app to your Okta instance and follow the setup wizard

Step 2: Configure Go1 SCIM app

  1. In the Go1 SCIM app, select the Provisioning tab and click Configure API integration

  2. Select the checkbox to Enable API integration

  3. Click to Authenticate with Go1, which will trigger an authorisation

  4. Enter your Go1 email address and password and follow the prompts to authorize Okta to access your Go1 users and groups

  5. After you’ve successfully authenticated, click Save

Step 3: Enable provisioning

  1. Under the Provisioning tab, click on To App from the side menu.

  2. Click to Edit and select the checkboxes to enable Okta to Create users, update user attributes and deactivate users in Go1. Click Save.

    The Go1 app will have the required minimum fields configured as shown in the below image:

An image of the attribute table from Okta showing the mapped attributes user name, given name, family name, email, manager value, manager display name and roles.

To map additional fields, follow these Okta instructions.

Okta SCIM troubleshooting

The View Logs page can be useful for viewing what SCIM actions are being run. For each user update there should be two corresponding logs: one for the change being made in Okta, and one to show the change was pushed to the Go1 app.


Ensure the roles assigned to users comply with Go1's permissions here.

Users cannot have both Administrator and Content Administrator roles; in these cases only the Content Administrator role will be applied.


Azure AD / Entra ID SCIM configuration

Go1's Azure SCIM integration supports the following provisioning features:

  • Create users

  • Remove users

  • Keep user attributes synchronized between Azure AD and Go1, including name, email addresses and permissions

  • Manager assignment and removal

Step 1: Create an app in Go1

  1. In your Go1 account, select Integrations and then Developers, under the main menu in the top right.

  2. Click + Create app to create a new private OAuth application. Choose a name and redirect URI for your app and click Create application.

  3. Keep a record of the new Client ID and Secret generated - you will need these in Step 3.

Step 2: Create an Enterprise Application in Azure AD / Entra ID

  1. In your Azure Portal, go to Azure Active Directory.

  2. Under the Manage section, click on Enterprise applications.

  3. Click the + New application button and choose Create your own application.

  4. Give your application a name, select the Integrate any other application you don't find in the gallery (Non-gallery) option, and click the Create button.

Step 3: Configure automatic user provisioning in Azure AD / Entra ID

  1. In the Azure app created, select the Provisioning tab.

  2. Set the Provisioning Mode to Automatic.

  3. Under the Admin Credentials section, Azure defaults the Authentication method to Bearer Token. Change it to OAuth2 Client Credentials Grant and input the following:

    1. Client ID and Secret token: Generated in Step 1

    2. Token Endpoint: https://auth.go1.com/oauth/token


  4. Click Test Connection to ensure Azure AD can connect to Go1. If the connection fails, ensure your Go1 account has Admin permissions and try again. Once the connection test is successful, at the top of the settings window click Save.

Step 4: Configure attribute mappings

  1. Under Mappings, select Provision Azure Active Directory/ Entra ID Users.

  2. Under the Target Object Actions, make sure to only select Create and Update.

  3. Under Attribute Mappings, configure them as shown in this image:


    NOTE: When first setting up the SCIM user provisioning and de-provisioning connection, it is generally safer to avoid enabling the "delete" action. This prevents accidental mass deactivation of users in Go1 when the attribute mapping is not configured correctly. After verifying that the mapping works correctly, you can enable the delete action to support full lifecycle management.

    NOTE: externalId recommendation

    Mapping the IdP's immutable user ObjectID to externalId is recommended if external_user_id is not already in use for other purposes (e.g. LMS integrations, reporting). This gives Go1 a stable identifier that remains reliable even if the user's email address changes.

  4. To enable the Azure AD provisioning service for Go1, change the Provisioning Status to On in the Settings section.

  5. Define the users and/or groups that you would like to provision to Go1 under Users and Groups by clicking + Add user

  6. When you're ready to provision, click Save. This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

Azure AD / Entra ID SCIM troubleshooting

  1. In the Azure app, from the sidebar, go to the Monitor section.

  2. Select Provisioning logs to see what SCIM actions have been run.



Azure AD / Entra ID's provisioning cycle generally runs every 40 minutes, so there may be delays in propagating changes from your Active Directory to the relevant users and groups in Go1.



Supported attributes

All attributes listed here are accepted on write (PATCH/PUT) and returned on read (GET) unless noted otherwise.

A machine-readable schema definition is available at https://api.go1.co/scim/Schemas — no authentication required.

Core User — urn:ietf:params:scim:schemas:core:2.0:User

| Attribute | Mutability | Notes |
|---|---|---|
| userName | readWrite | Unique per portal. Used as the login identifier. Typically the user's email address. |
| name.givenName | readWrite | First name. |
| name.familyName | readWrite | Last name. |
| displayName | readOnly | Derived from givenName + " " + familyName. Cannot be set independently. |
| emails[].value | readWrite | Multiple email addresses supported. One must be primary: true. |
| emails[].primary | readWrite | Exactly one primary email required at all times. |
| active | readWrite | Set to false to deactivate the user. |
| locale | readWrite | e.g. en-au |
| password | writeOnly | Accepted on creation only. Never returned. |
| externalId | readWrite | Maps to external_user_id in Go1. Optional. See recommendation below. |
| roles[].value | readWrite | Role GUID. See role GUID reference below. |
| roles[].display | readOnly | Human-readable role name e.g. "Learner". |
| groups[].value | readOnly | Group membership is returned but cannot be managed via SCIM users — use the SCIM Groups endpoint instead. |

Role GUIDs

Role GUIDs are static across all portals and environments. Use the GUID in roles[].value when assigning roles.

| Role | GUID |
|---|---|
| Learner | rol_01G3PZS7NZ0CF95J340P55FSZH |
| Manager | rol_01G3PZS7NZBW04V44QBM48PP0C |
| Content administrator | rol_01G3PZS7NXC78RP57SG0EXD0Z5 |
| Administrator | rol_01G3PZS7NCBKB170TEP3CC2BBH |

Manager — urn:ietf:params:scim:schemas:extension:Go1Account:2.0:User

| Attribute | Mutability | Notes |
|---|---|---|
| managers | readWrite | Preferred manager attribute. Array of manager identifiers — each element can be an email address or Go1 account ULID (acc_…). Supports multiple managers. On GET, returns an array of email addresses. |

The enterprise:manager attribute (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) is also accepted for backwards compatibility, but Go1Account:managers is preferred and takes priority when both are present.

Profile fields — urn:ietf:params:scim:schemas:extension:Go1StandardField:2.0:User

| Attribute | Notes |
|---|---|
| job_title | |
| job_level | |
| department | |
| division | |
| city | |
| state | |
| country | |
| phone | |
| language | |
| gender | |
| industry | |
| start_date | ISO 8601 dateTime e.g. 2024-01-01T00:00:00Z |

Custom fields — urn:ietf:params:scim:schemas:extension:Go1AdditionalField:2.0:User

Portal-specific custom fields can be synced using this extension. Use your actual field name in the attribute path — for example:

urn:ietf:params:scim:schemas:extension:Go1AdditionalField:2.0:User:cost_centre
urn:ietf:params:scim:schemas:extension:Go1AdditionalField:2.0:User:employee_id


Field write behaviour

Immutable fields — attempting to PATCH id, meta, or name.formatted returns 400 Bad Request.

All other unrecognised fields — silently ignored. The request succeeds and no error is returned. If a field is not being saved, the most likely cause is an incorrect attribute path or extension namespace.
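
Because unrecognised fields are dropped without an error, a mistyped extension namespace or a conflicting role pair can go unnoticed until an access review. The linter below is an added example, not Go1's code: it checks a SCIM User attribute object (a PUT body, or the value of a path-less PATCH operation) against the rules stated on this page before it is sent. The function name `lint_user`, the severity labels and the sample user are assumptions made for illustration.

```python
EXT = "urn:ietf:params:scim:schemas:extension:"
KNOWN_EXT = {f"{EXT}{n}:2.0:User" for n in
             ("Go1Account", "Go1StandardField", "Go1AdditionalField", "enterprise")}
ROLES = {  # role GUIDs copied from the table on this page
    "rol_01G3PZS7NZ0CF95J340P55FSZH": "Learner",
    "rol_01G3PZS7NZBW04V44QBM48PP0C": "Manager",
    "rol_01G3PZS7NXC78RP57SG0EXD0Z5": "Content administrator",
    "rol_01G3PZS7NCBKB170TEP3CC2BBH": "Administrator",
}
WRITABLE = {"schemas", "userName", "name", "emails", "active", "locale",
            "password", "externalId", "roles"}
READ_ONLY, IMMUTABLE = {"displayName", "groups"}, {"id", "meta"}

def lint_user(user):
    """Return (severity, message) findings for a SCIM User attribute object."""
    out = []
    for key in user:
        if key in WRITABLE or key in KNOWN_EXT:
            continue
        if key in IMMUTABLE:
            out.append(("error", f"{key} is immutable: PATCH returns 400"))
        elif key in READ_ONLY:
            out.append(("warn", f"{key} is readOnly and cannot be set"))
        else:  # wrong attribute name or wrong extension namespace
            out.append(("warn", f"{key} is unrecognised: silently ignored"))
    if "formatted" in user.get("name", {}):
        out.append(("error", "name.formatted is immutable: PATCH returns 400"))
    primaries = sum(e.get("primary") is True for e in user.get("emails", []))
    if "emails" in user and primaries != 1:
        out.append(("error", f"{primaries} primary emails, exactly one is required"))
    guids = [r.get("value") for r in user.get("roles", [])]
    out += [("error", f"{g} is not a documented role GUID")
            for g in guids if g not in ROLES]
    if {"Administrator", "Content administrator"} <= {ROLES.get(g) for g in guids}:
        out.append(("warn", "Administrator and Content administrator together: "
                            "only Content administrator is applied"))
    return out

# Constructed sample: mistyped namespace, two primary emails, both admin roles.
SAMPLE = {
    "userName": "pat@example.com",
    "emails": [{"value": "pat@example.com", "primary": True},
               {"value": "p@example.org", "primary": True}],
    "roles": [{"value": "rol_01G3PZS7NCBKB170TEP3CC2BBH"},
              {"value": "rol_01G3PZS7NXC78RP57SG0EXD0Z5"}],
    EXT + "Go1StandardFields:2.0:User": {"department": "Finance"},
}
if __name__ == "__main__":
    print(*lint_user(SAMPLE), sep="\n")
```

Running this over the attribute mapping output before enabling provisioning catches the cases the API would accept quietly; an empty result means none of the page's stated rules were violated.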


