Skip to main content
You can use SCIM (System for Cross-domain Identity Management) in incident.io to automatically provision users and manage their permissions.

What does enabling SCIM do?

Without SCIM

By default, without SCIM, incident.io automatically creates users when they join incident Slack channels, or when they sign in to the web dashboard using Slack or SAML. When a user is deactivated in Slack, they’ll be automatically deactivated in incident.io. Without SCIM, you manually grant users additional base roles and custom roles within incident.io. When a new user joins, an owner/admin (or other user with a custom role that can manage permissions) can manually assign that user some additional permissions by going to app.incident.io/~/settings/users. See user roles and permissions for more details.

With SCIM

When SCIM is installed, users are automatically created in incident.io when they are assigned in the application in your identity provider (IdP). If a user is unassigned the application in your IdP, they’ll be deactivated in incident.io. Additionally, user permissions are automatically managed by your identity provider, and are no longer editable in incident.io. This means you don’t have to manually assign roles to new users, and don’t have to manually downgrade users in incident.io if their access levels change in your identity provider. See user roles and permissions for more details.

Installing SCIM

To install SCIM, you’ll need to be an owner in incident.io (or have a custom role that can manage security settings), and have admin permissions in your identity provider.
  1. Go to your user settings, and open the SCIM tab and click the Install button
  1. Choose your identity provider from the list and follow the steps to set up your connection.
We’re enabling providers as we confirm they send appropriate group membership updates. If you see a message saying your provider is not yet supported, contact us at help@incident.io.
  1. Define the relationships between groups in your identity provider and permissions in incident.io. You only need to do this for groups that you’d like to give elevated permissions to, by default, all users are given the ‘Standard’ role. To illustrate this further, here are some examples:
  • I want all people in the Engineers group to have access to incident.io but not have advanced permissions for administrative tasks. I don’t need to define any mapping for this case, as this is the default. The default ‘Standard’ role assigns all new users a ‘Viewer’ seat. Learn more about seat types.
  • I want myself and other Incident Managers to be admins in incident.io, so I add an assignment, choose the Incident Managers Okta group and then assign them the Admin role.
  • I want our IT team to be able to manage SCIM and SAML, so I add an assignment, choose the IT Okta group and then assign them a custom role with the Can manage security settings permission.
You need at least one group assigned the ‘owner’ permissions. If you’re not in that group, or you remove yourself from it, you’ll be locked out of your SCIM settings. If this happens, contact us at help@incident.io.
  1. Confirm your SCIM setup. Once you’ve confirmed this step, we’ll start creating users from SCIM and re-assigning any permissions that no longer line up with what you’ve defined in your SCIM group to role mappings.

FAQs

SCIM is available to customers on our Enterprise plan - for more pricing details, see pricing.
When you install SCIM, we’ll link existing users to SCIM users using their email address. We’ll also update their permissions as defined by the group to role mappings you provide in the SCIM settings page. If a user was previously an admin, and they’re not a member of the groups that are assigned the admin role, they’ll be downgraded to viewers/responders.If a user exists in incident.io but not in SCIM, they’ll retain their existing role and will be marked as ‘Unlinked’ in the user list. If you don’t want these users to have access to the incident.io dashboard at all, we recommend you install SAML too and link that to the same identity provider (e.g. Okta) so that only users who are assigned the incident.io app can access the dashboard.
When you uninstall SCIM, users will be left in their current state. So if you are an Owner, and you uninstall SCIM, you’ll retain that owner role. Users will not be deactivated.
No, once SCIM is installed, it becomes the source of truth for a user’s permissions. If you want to elevate a user’s permissions, you’ll need to add them to an appropriate group in your identity provider.
As our application runs both in Slack and on our web dashboard, it’s possible that a user can be deactivated in Okta, but still be an active member of your organization’s Slack workspace. If this happens, the user will be treated as ‘active’ until they’re deactivated in Slack. If you don’t want this, we recommend you manage your Slack users with the same identity provider set up as you manage your incident.io users.
Yes! Once you have set up SCIM, there’s a section on the configuration page where you can define your on-call seat assignments. This lets you pick groups which are automatically given on-call seats.Once you’ve selected a group for on-call seats, you’ll no longer be able to manually control those group members’ on-call seats - they will be automatically assigned seats. Adding new members to those groups will automatically grant them seats. If a member leaves a group which has been assigned seats, that user will retain their seat until it’s manually revoked.

SAML

We also support SAML, which can be set up independently from SCIM, but can use the same underlying identity provider, such as Okta. See SAML SSO for details.