Phonemos User Guide

Automated User Provisioning (SCIM)

Phonemos supports automated user and group provisioning via SCIM 2.0 (System for Cross-domain Identity Management). This allows your organization to manage Phonemos users and groups directly from your Identity Provider (IdP) — without manual administration in Phonemos.

What SCIM Does

Once SCIM is enabled, your IdP becomes the single source of truth for users and groups. Changes made in the IdP are automatically synchronized to Phonemos:

  • New employees are automatically created as Phonemos users when added to the IdP.

  • User profiles (name, email) are kept in sync with the IdP.

  • Deactivated or deleted users in the IdP are automatically disabled or removed in Phonemos.

  • Groups and their memberships are synchronized, enabling role-based access control in Phonemos.

SCIM must be enabled by your Phonemos provider. Contact them to request activation and to receive the SCIM endpoint URL and bearer token needed for your IdP configuration.

Supported Identity Providers

Any IdP that supports SCIM 2.0 can be connected. Common examples:

  • Microsoft Entra ID (Azure AD)

  • Okta

  • OneLogin

  • JumpCloud

  • Any other SCIM 2.0-compliant IdP

Configuring Your Identity Provider

To connect your IdP to Phonemos, you need two values provided by your Phonemos provider:

  • SCIM Endpoint URL — the address your IdP will send provisioning requests to

  • Bearer Token — the secret used to authenticate your IdP with Phonemos

The exact steps differ by IdP. Below are guides for the most common ones.

Microsoft Entra ID (Azure AD)

  1. In the Azure Portal, go to Azure Active Directory → Enterprise Applications.

  2. Select your Phonemos application (or create a new one if not already set up for SSO).

  3. Open Provisioning and set the Provisioning Mode to Automatic.

  4. Under Admin Credentials, enter the SCIM Endpoint URL and Bearer Token provided by your Phonemos provider. The endpoint URL must be https://<hostname>/_api/scim/v2.

  5. Click Test Connection to verify, then save.

  6. Under Mappings, configure which users and groups to provision to Phonemos.

  7. Under Attribute Mappings, keep only the following attributes (it is important to remove all others):

    • userName

    • active

    • displayName

    • email[type eq "work"]

    • preferredLanguage

    • name.givenName

    • name.familyName

    • name.formatted

  8. Set the provisioning status to On to start synchronization.

Okta

  1. In the Okta Admin Console, go to Applications and open your Phonemos app.

  2. Navigate to the Provisioning tab and click Configure API Integration.

  3. Tick the Enable API integration checkbox and enter the SCIM Endpoint URL and Bearer Token.

  4. Click Test API Credentials and save.

  5. Under To App settings, enable Create Users, Update User Attributes, and Deactivate Users as needed.

  6. Assign users and groups to the application to trigger provisioning.

What Gets Synchronized

Users

The following user attributes are synchronized from your IdP to Phonemos:

  • Email address (used as the login username)

  • First and last name

  • Active / inactive status

  • Group memberships

Groups

Groups provisioned via SCIM appear in Phonemos and can be used to assign permissions to topics, zones, and pages. Group membership is kept in sync: adding or removing a user from a group in your IdP is reflected in Phonemos automatically.

Important Considerations

  • When SCIM is active, user management and group assignment should happen in your IdP, not in Keycloak. Changes in Keycloak will be overwritten.

  • Deactivating a user in the IdP will disable their Phonemos access, but the content they contributed to Phonemos will remain in place. Consider implementing a user rename to anonymise them.

  • The bearer token is a sensitive credential — treat it like a password and do not share it.

  • Provisioning may not be instant; most IdPs sync on a schedule (e.g., every 40 minutes for Azure AD) or allow triggering a manual sync.
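What the IdP actually sends to the endpoint, and how the attribute allowlist from step 7 of the Entra ID guide, the e-mail-as-login rule, the bearer token check and the difference between deactivating and deleting a user play out on the receiving side, is easiest to see in code. The following Python is an added example written for this guide, not Phonemos's own SCIM implementation: the attribute list and the deactivate/delete behaviour follow the text above, while the ScimUsers class, its in-memory store, the demo() walkthrough, the token example-token-not-real and the user alex@example.com are assumptions constructed for the example. It goes slightly beyond the guide in one respect: the active flag is accepted both in the Entra ID PATCH shape (a path with the string value "False") and in the shape without a path that some IdPs use.

```python
import hmac
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
# Allowlist from step 7 of the Entra ID guide ("schemas" is the protocol envelope, always accepted).
ALLOWED = {"userName", "active", "displayName", "emails", "preferredLanguage", "name"}
ALLOWED_NAME = {"givenName", "familyName", "formatted"}

def _as_bool(value):
    # Some IdPs send "active" as the strings "True"/"False" in PATCH bodies.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)

def _work_email(body):
    # Value of the emails[type eq "work"] entry, or None.
    return next((e["value"] for e in body.get("emails", [])
                 if e.get("type") == "work" and e.get("value")), None)

def _error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, (dict(body, scimType=scim_type) if scim_type else body)

class ScimUsers:  # in-memory stand-in for the SCIM /Users resource (assumed, not Phonemos code)
    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}  # id -> stored user record

    def _deny(self, headers):
        # Constant-time compare: a plain == leaks through timing how many leading bytes matched.
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme == "Bearer" and hmac.compare_digest(presented.encode(), self._token.encode()):
            return None
        return _error(401, "invalid or missing bearer token")

    def post(self, headers, body):  # POST /Users: create a user from the mapped attributes
        if err := self._deny(headers):
            return err
        extra = [k for k in body if k != "schemas" and k not in ALLOWED]
        extra += ["name." + k for k in body.get("name", {}) if k not in ALLOWED_NAME]
        if extra:  # reject, so a mapping misconfiguration shows up in the IdP's sync log
            return _error(400, "unsupported attributes: " + ", ".join(extra), "invalidValue")
        login = _work_email(body) or body.get("userName")  # e-mail is the login name
        if any(u["login"] == login for u in self.users.values()):
            return _error(409, "user already exists", "uniqueness")
        name, user_id = body.get("name", {}), str(uuid.uuid4())
        self.users[user_id] = {
            "id": user_id, "login": login, "language": body.get("preferredLanguage"),
            "givenName": name.get("givenName"), "familyName": name.get("familyName"),
            "active": _as_bool(body.get("active", True)),
        }
        return 201, dict(self.users[user_id], schemas=[USER_SCHEMA])

    def patch(self, headers, user_id, body):  # PATCH /Users/{id}: only "active" is handled here
        if err := self._deny(headers):
            return err
        user = self.users.get(user_id)
        if user is None:
            return _error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "body is not a PatchOp", "invalidSyntax")
        for op in body.get("Operations", []):
            path, value = op.get("path"), op.get("value")
            if op.get("op", "").lower() != "replace":
                continue
            if path == "active":  # Entra ID style: path plus scalar (often string) value
                user["active"] = _as_bool(value)
            elif path is None and isinstance(value, dict) and "active" in value:
                user["active"] = _as_bool(value["active"])  # no path, value object (some IdPs)
        # Deactivation only flips the flag; the record (and contributed content) stays.
        return 200, dict(user, schemas=[USER_SCHEMA])

    def delete(self, headers, user_id):  # DELETE /Users/{id}: remove the record entirely
        if err := self._deny(headers):
            return err
        if self.users.pop(user_id, None) is None:
            return _error(404, "user not found")
        return 204, None

def demo():  # create, deactivate and delete one user with a constructed IdP payload
    token = "example-token-not-real"  # constructed; the real one comes from your provider
    svc, ok, bad = ScimUsers(token), {"Authorization": "Bearer " + token}, {"Authorization": "Bearer wrong"}
    create = {  # constructed sample of what the step-7 mapping produces
        "schemas": [USER_SCHEMA], "userName": "alex@example.com", "active": True,
        "displayName": "Alex Example", "preferredLanguage": "de-DE",
        "emails": [{"type": "work", "primary": True, "value": "alex@example.com"}],
        "name": {"givenName": "Alex", "familyName": "Example", "formatted": "Alex Example"},
    }
    r = {"unauthorized": svc.post(bad, create)[0]}
    r["created"], user = svc.post(ok, create)
    r["rejected_extra"] = svc.post(ok, dict(create, externalId="obj-123"))[0]  # not in allowlist
    deactivate = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}
    r["deactivated_active"] = svc.patch(ok, user["id"], deactivate)[1]["active"]
    r["still_stored"] = user["id"] in svc.users
    r["deleted"] = svc.delete(ok, user["id"])[0]
    r["gone"] = user["id"] not in svc.users
    return r
```

Calling demo() returns a dictionary of the status codes and states seen along the way: 401 for a wrong token, 201 for the create, 400 when an attribute outside the step 7 list (here externalId) is present, active set to False after the PATCH while the record is still stored, and 204 followed by the record being gone after the DELETE. Two design choices are worth noting for your own deployment: unknown attributes are rejected rather than silently dropped, so a mapping left over from the IdP's defaults surfaces in the IdP's provisioning log instead of quietly writing data you did not intend to sync, and the bearer token is compared with hmac.compare_digest so that response timing does not reveal how much of a guessed token was correct.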