---
title: "Set Up SCIM and Domain Restriction in Pigment for Identity Management"
slug: "manage-scim-domain-restriction"
description: "Use SCIM and domain restrictions in Pigment to manage identity, automate provisioning, and control member access across your Workspace securely."
updated: 2026-06-08T13:32:57Z
published: 2026-06-08T13:32:57Z
---

# Work With System for Cross-Domain Identity Management (SCIM) and Domain Restriction

![](https://cdn.document360.io/e47cfe35-dc28-40c7-a083-6cf003073d8e/Images/Documentation/6bc0f48a-1b28-4e27-80bd-e9cabdd36585.png)

Pigment offers various options to control which Members you want to add when preparing to invite them to your Workspace. This article explains how to use and configure identity and provisioning settings for System for Cross-domain Identity Management (SCIM), and email domain restriction settings.

## What identity and provisioning settings are available?

Three different options are available to you:

- **Restricting domains.** This allows Security Admins to control which email domains can be invited into a Workspace.
- **Single Sign-on (SSO).** This lets Members sign in through their own identity provider. For more information, see [Configure Single Sign-On (SSO) with Pigment](/v1/docs/configure-single-sign-on-sso-pigment).
- **SCIM provisioning.** This is used to systematically manage Members through an identity provider’s directory.

## Set up domain restrictions

> [!WARNING]
> **⚠️ Important**
> 
> To configure email domain restriction, you need a Security Admin account type.
> 
> This setting only impacts new invitations to the Workspace, and doesn’t impact existing Workspace Members.

To set up domain restrictions, and to authorize specific domains in your Workspace, do the following:

1. In the Workspace Settings, select **Members management**.
2. Select **More options** and then **Identity & provisioning settings**.
3. Toggle on **Restrict domains**.
4. Select **+ Add domain** to add each new domain you want to authorize. This opens the **Add a new email domain** pane.

> [!NOTE]
> **ℹ️ Note**
> 
> The Pigment Support email account, [support@pigment.com](mailto:support@gopigment.com), bypasses the authorized domains list.
5. Enter the domain name and select **Add domain**. Enter only the domain part of the address. For example, to add a Member whose email is joe@pigment.com, you enter the domain: pigment.com
6. *(Optional)* To remove an authorized domain, select the Delete icon listed beside it.
7. When you’ve entered the required domain names, select **Done**.

## What is SCIM?

SCIM is an industry standard to provide cross-provider identity management. It defines a standard schema of user attributes, ensuring all services processing a SCIM request can consistently interpret the data and understand how to use the provided values.

## How does SCIM integrate with Pigment?

Pigment leverages SCIM to enable our customers' IT teams to manage Member access directly through their identity provider solution:

- Create or invite new Members in Pigment
- Update a Member’s name
- Deactivate a Member
- Reactivate a deactivated Member
- Find and list Members in Pigment using their email address

We do not support provisioning of Pigment user-groups, nor any specific Role attribution for users yet.

> [!CAUTION]
> **🛡️ Warning**
> 
> When SCIM is enabled, Member management moves entirely to your identity provider. This means you can no longer manually invite or deactivate Members directly within Pigment. Instead, all Member provisioning, updates, and deactivations need to be handled through your identity provider.

## Set up SCIM provisioning in Pigment

### Before you begin

To set up SCIM for your Pigment Workspace, check the following:

- You have already configured SAML SSO with your identity provider for Pigment.
- Your identity provider must support **SAML 2.0 with a Core User Schema**.
- You must have Security Admin access to Pigment.

> [!NOTE]
> ℹ️ **Note**
> 
> In some Identity Providers (IdPs), users assigned individually to an application may not be deprovisioned when removed from a group. To ensure proper SCIM deprovisioning, all users should be assigned through groups rather than on an individual basis. Some IdPs offer an option to convert individual assignments to group-based assignments if needed. Check your IdP’s documentation for specific details.

### Supported Identity Providers

Pigment’s automatic provisioning can be used with any identity provider which supports SCIM for user management. We provide guidelines for setting up SCIM with these identity providers:

- Okta
- OneLogin
- Microsoft Entra ID

If your identity provider supports SCIM provisioning but is not listed above, reach out to the Pigment Support team for assistance.

## Enable SCIM and generate an API Token

The first step in setting up SCIM with Pigment is to enable the SCIM setting and generate an API token within Pigment's Identity & Provisioning settings.

1. In the Workspace Settings, select **Members management**.
2. Select **More options** and then **Identity & provisioning settings**.
3. Review the **Single Sign-On** status. If this is not activated, contact Pigment Support.
4. Toggle on **SCIM Provisioning**.
5. Select **+ Add token** to generate a new API token.
6. Choose an expiration based on your security policies.
7. Make a note of the generated URL and API token. These are both required by your identity provider.

> [!WARNING]
> ⚠️ Important
> 
> API Tokens are private to the Workspace rather than the Member who created them. This means that even if the Member who generated the token is deactivated, the token remains valid until its designated expiration date.
> 
> Multiple tokens can be created and active at the same time, for rotation purposes.
> 
> Tokens can be revoked at any time using the **Delete** button. However, before revoking a token, ensure it’s no longer used by your identity provider.

## Set up SCIM in the Identity Provider

The next step in setting up SCIM with Pigment is to set up your identity provider with the generated URL and API token.

### Okta

> [!WARNING]
> ⚠️ **Important**
> 
> There is no preconfigured Pigment integration in the Okta Integration Network at the moment. If Okta is your identity provider and you need help setting up SCIM, contact Pigment Support.

Here’s how to manually set up SCIM in Okta with your generated API token and URL:

1. Log in to the Admin panel in Okta.
2. Open the **Applications** menu and review the details for your Pigment **SAML 2.0 Application**.
3. In the **General** tab, select the **Enable SCIM Provisioning** check box.
4. In the **Provisioning** tab, select **Integration**, and then **SCIM Connection**.
5. Select **Edit** and update the following fields:

- **SCIM connector base URL.** Enter the API URL you generated in Pigment.
- **Unique identifier.** Enter the user name.
- **Supported provisioning actions.** Select the **Push New Users** and **Push Profile Updates** options.
- **Authentication.** Select **HTTP Header**.
- **HTTP Header Authorization.** Enter the API token you generated in Pigment.

6. Select **Test Connector Configuration** to confirm that the connection works successfully.
7. Select **Save**.
8. Go to the **Provisioning** tab located in the **To App** Settings panel, and select **Edit**.
9. Select the following:
  - **Create Users**
  - **Update User Attributes**
  - **Deactivate Users**
10. Select **Save**. The SCIM integration is now complete.

Any Members assigned to the Okta application are now created in Pigment.

### OneLogin

Here’s how to manually set up SCIM in OneLogin with your generated API token and URL:

1. Log in to OneLogin’s Admin panel and open the applications list.
2. If you already have a SAML application for Pigment, ensure it can support a SCIM v2 Core configuration. Otherwise, select **Add App** and select **SCIM Provisioner with SAML (SCIM v2 Core)** to create a new one.
3. In the Application **Configuration** section:

- **SCIM Base URL.** Enter the API URL you generated in Pigment.
- **Custom Headers.** These fields should remain empty.
- **SCIM Bearer Token.** Enter the API token you generated in Pigment.
- **SCIM JSON Template.** Use the following code:

```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "{$user.email}",
  "userName": "{$user.email}",
  "displayName": "{$user.display_name}",
  "name": {
    "givenName": "{$user.firstname}",
    "familyName": "{$user.lastname}"
  },
  "emails": [
    {
      "value": "{$user.email}",
      "primary": true,
      "type": "work"
    }
  ]
}
```

4. Select **Enable**.
5. In the **Provisioning** menu:
  - You can now enable provisioning and select which operations require an approval.
  - When users are deleted or suspended in OneLogin, you can choose to delete or suspend them. The operations are identical in Pigment; deleted Members are not suspended for historical purposes.
6. Select **Save**.

### Microsoft Entra ID

Here’s how to manually set up SCIM in Microsoft Entra ID with your generated API token and URL:

1. Log in to the Azure Portal and open your Microsoft Entra Directory.
2. Select **Enterprise applications**.

> [!NOTE]
> ℹ️ **Note**
> 
> If you already have a SAML Application set up for Pigment, select it and go to the application overview in step 5.
3. Select **New Application** and then **Create your own application**.
4. In the Application creation sidebar, enter ‘Pigment’ as the name, then select **Create**.
5. In the Application overview screen, go to **Provisioning**, then select **Get started**.
6. Complete the following fields:
  1. **Provisioning mode.** Select **Automatic** from the menu.
  2. **Tenant URL.** Enter the API URL you generated in Pigment.
  3. **Secret Token.** Enter the API token you generated in Pigment.
7. Test the connection.
8. If the connection is successful, select **Save**.

#### Mapping Attributes

Below are the mappings to use between the Entra ID attributes and Pigment on the provisioning page. To use them, open the Mappings section and modify how the values in Microsoft Entra ID correspond to the attributes in Pigment. For more information, see [User Attributes Mapping](/v1/docs/manage-scim-domain-restriction).

Be sure to set the `active` attribute to `Switch([IsSoftDeleted], , "False", "True", "True", "False")` (it should be there by default), as this is the way Microsoft Entra supports deprovisioning users.

#### How to enable Microsoft Entra ID provisioning

If Microsoft Entra ID provisioning is unavailable initially, here’s how you enable it:

1. Go to the **Enterprise Application's Provisioning Overview** page. Provisioning displays a status of unavailable.
2. Select **Start Provisioning**, or alternatively select **Provision on Demand** to sync a specific user or group immediately. This is useful if you need to perform a test in advance of a full sync.
3. Go to the **Provisioning** section and set the **Provisioning Status** to **on**. This enables automatic user management for this enterprise application. The SCIM integration is now complete.

Entra ID manages user creation, updates, and deactivations within Pigment based on changes in the app assignment scope inside Entra ID.

## SCIM-managed email updates

Pigment supports updating a user’s email address through SCIM, provided that the new email address belongs to one of the domains configured for the Workspace.

Email changes must be sent as a full SCIM user update, using `PUT /Users/{id}`.

> [!NOTE]
> ℹ️ Note
> 
> Partial SCIM updates using PATCH are not supported for email address changes.
> 
> For example, some IdPs, such as Microsoft Entra ID, may send a SCIM PATCH / PartialUpdate request that attempts to update the user’s email address using the following path: `emails[type eq "work"].value`
> 
> In Pigment’s SCIM implementation, PATCH updates currently support only a limited set of user attributes:
> 
> - `active`
> - `displayName`
> - `name.formatted`
> 
> As a result, a PATCH request attempting to update the email address is effectively dropped, and the email change does not persist.
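As an added example, not Pigment's own code, the following Python models the rules stated in this section together with the domain restriction described earlier on this page: it checks a new address against the Workspace's authorized domains, builds the full-resource body for `PUT /Users/{id}`, and shows which operations of an Entra-style PATCH would actually persist. It assumes the user resource shape of the OneLogin JSON template above, an exact-match domain comparison, and constructed sample data.

```python
import json
from typing import Dict, List

# Attribute paths the page says Pigment currently applies from a SCIM PATCH.
PATCH_SUPPORTED_PATHS = {"active", "displayName", "name.formatted"}

# Constructed sample (not captured from Pigment): a user as returned by
# GET /Users/{id}, shaped like the OneLogin JSON template above.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "joe@pigment.com",
    "userName": "joe@pigment.com",
    "displayName": "Joe Example",
    "name": {"givenName": "Joe", "familyName": "Example"},
    "emails": [{"value": "joe@pigment.com", "primary": True, "type": "work"}],
}

# Constructed PATCH in the shape the page attributes to Entra ID: a filtered
# emails path plus a supported 'active' change in the same request.
ENTRA_STYLE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "Replace", "path": 'emails[type eq "work"].value', "value": "joe.new@pigment.com"},
        {"op": "Replace", "path": "active", "value": False},
    ],
}

def domain_allowed(email: str, authorized_domains: List[str]) -> bool:
    """Domain restriction: the part after '@' must exactly match an authorized
    domain (case-insensitive). Assumption: subdomains count as distinct domains."""
    local, sep, domain = email.rpartition("@")
    allowed = {d.lower() for d in authorized_domains}
    return bool(local) and sep == "@" and domain.lower() in allowed

def build_email_update_put(user: Dict, new_email: str, authorized_domains: List[str]) -> Dict:
    """Build the full-resource body for PUT /Users/{id}, refusing up front any
    new address outside the Workspace's authorized domains (the page's condition)."""
    if not domain_allowed(new_email, authorized_domains):
        raise ValueError(f"{new_email} is not in an authorized domain")
    updated = json.loads(json.dumps(user))  # deep copy: keep the GET result intact
    updated["userName"] = new_email  # userName is the login email in Pigment
    updated["emails"] = [{"value": new_email, "primary": True, "type": "work"}]
    return updated

def patch_paths_that_persist(patch_body: Dict) -> List[str]:
    """Return the operation paths Pigment would apply; anything else, including
    the filtered emails path, is dropped and the change does not persist."""
    return [op.get("path", "") for op in patch_body.get("Operations", [])
            if op.get("path", "") in PATCH_SUPPORTED_PATHS]
```

Running `patch_paths_that_persist(ENTRA_STYLE_PATCH)` returns only `["active"]`, which is the behaviour the note above describes: the `active` change lands, the email change is silently dropped.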

## User Attributes Mapping

Pigment requires and maps the following SCIM User Attributes:

- `userName`. The Member’s login email. For example: [john.doe@example.com](mailto:john.doe@example.com)
- `displayName`. The full display name for the user. For example: John Doe

The SCIM standard holds attributes for many more fields, such as job title, phone numbers, and so on. However, these are not part of Pigment’s user profile. Any extra data sent in addition to the required fields noted above is ignored and not stored.

## Provision Members on multiple Workspaces

Some clients use multiple Workspaces, such as for Test & Deploy environments or to separate business units. These clients can provision Members on multiple Workspaces directly from their identity provider, instead of from Pigment. Simply do as follows for each business unit or environment in your set-up:

1. You need one application in your IdP for SAML SSO login (used for all Pigment Workspaces).
2. Don’t turn on SCIM in your SAML SSO app. If you do, users may need to be assigned to multiple apps just to log in. Keeping SSO and SCIM separate makes login simple and provisioning accurate.
3. Then in your identity provider, create a separate application for SCIM for each individual Pigment Workspace.
4. Give it a descriptive name, based on the business context: “Pigment-LatAm” or “Pigment-DevEnv” for example.
5. In Pigment, generate a new SCIM API key using the guidance [above](/v1/docs/manage-scim-domain-restriction#enable-scim-and-generate-an-api-token).
6. Use it in that IdP application only.
