Enabling SCIM in Vanta


Supported features

  • Push new users: New users assigned to the SCIM app in the IdP will be provisioned in Vanta
  • Push user updates: Updates made to the user in the IdP will be pushed to Vanta
  • Push user deactivation: Deactivating the user or removing their assignment to the SCIM app in the IdP will deactivate the user in Vanta
  • Push user reactivation: Reactivating a user in the IdP or reassigning them to the SCIM app in the IdP will reactivate the user in Vanta

Values that are synced through SCIM are user names (first and last), email (primary), and RBAC role.

Enabling SCIM

If you have already connected your IdP, please note:

  • When SCIM is enabled, all users previously provisioned by the IdP integration will be converted to manually managed users.
  • After SCIM is set up, any users in your account that match a user in your SCIM app will be converted to SCIM-managed.
  • For users you will not manage through SCIM, de-provisioning must be initiated manually in the Vanta UI after SCIM is enabled.

If you have not already connected your IdP:

If you do not use Vanta for Compliance Monitoring, you do not need to integrate with an IdP to enable SCIM.

  • You will be prompted to connect an IdP or HRIS integration. These integrations allow Vanta to acquire personnel's start dates more accurately, as reflected in the Personnel module.

Configuring SCIM

  • Once your account is ready to proceed with configuring SCIM, you will see a banner inviting you to complete the setup in the Admin Portal.
  • This will take you to WorkOS, which will walk you through the steps to enable a SCIM connection from your IdP to a WorkOS directory synced into Vanta.
  • When you provision users through SCIM, you can control users’ privileged RBAC (role-based access control) roles automatically from your IdP instead of assigning them manually in Vanta.
  • When SCIM is enabled, the User Provisioning section of the Login and Security page has a Roles tab in addition to the Status tab, which provides the role IDs you will need to pass through SCIM.

If you use Vanta for compliance monitoring

  • The list of roles will also include the unprivileged employee role, which provides basic “employee experience” permissions to complete personnel security tasks in Vanta (such as accepting policies, watching security awareness training, etc.).
  • You may provision users with this role without providing a role ID, but depending on your IdP, you may need to explicitly provide it for configuration to work correctly. For example, Azure Entra will not allow you to unset an attribute, so you cannot downgrade a user’s role by clearing it.

If you are not using Vanta for compliance monitoring, you will not see this role, and users provisioned without a role ID will not have access to any part of the Vanta UI.

FAQs

How do I know if I’m using Vanta for compliance monitoring?

  • If you are using Vanta for compliance monitoring, the sidebar of your Vanta app will include the Personnel module.
    • Products used without compliance monitoring include Vendor Risk Management, Trust Center, and Access Reviews.

Which SCIM app should I use?

  • The WorkOS setup guide will explain which SCIM app to use. For now, if you’re using Okta, you must use a custom SCIM app. Once the Vanta OIN app is updated to support SCIM, you should enable SCIM in that app instead of using a custom one. If you’re using Azure and you’ve set up a SAML app, you may add SCIM capabilities to that app.

What happens to existing users in my Vanta account when I enable SCIM?

  • If you had previously been using a Vanta IdP integration to provision users, those users will be converted to be manually managed and can be manually deprovisioned in Vanta. If these users are subsequently provisioned through SCIM, they will become SCIM-managed and will only be de-provisioned when they are de-provisioned through SCIM.

Can users managed through SCIM be edited in Vanta?

  • Fields managed through SCIM can only be updated through your identity provider. This includes the RBAC role, user name, and email address. Fields managed through Vanta (user start date if not sourced from an integration, Vanta groups) continue to be editable in Vanta.

Can SCIM reactivate users in Vanta?

  • Under most circumstances, if a Vanta user has been previously deprovisioned and is reprovisioned through SCIM, that user will be reactivated. The exception is in cases where Vanta cannot uniquely determine the user to reactivate—if multiple inactive users match the email address and none match the IdP ID of the SCIM user, Vanta will opt to create a new user rather than risk an incorrect reactivation.
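The following is an added illustration, not Vanta's or WorkOS's code: a small in-memory model of the four push operations listed under Supported features (create, update, deactivate, reactivate), restricted to the attributes this article says are synced (first and last name, primary email, RBAC role), together with the reactivation rule described in the answer above. The SCIM payload shape follows the SCIM 2.0 core User schema; the assumption that the Vanta role ID travels in the core `roles` attribute is mine, since the article only says a role ID must be passed, not which attribute carries it. All users, emails and role IDs below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption (not stated on the page): the Vanta role ID is carried in the
# SCIM core "roles" multi-valued attribute as roles[0].value.
ROLE_ATTR = "roles"


@dataclass
class User:
    id: int
    idp_id: Optional[str]   # SCIM externalId; None for users not yet bound to the IdP
    first_name: str
    last_name: str
    email: str
    role_id: Optional[str]  # None means no privileged role (basic access at most)
    active: bool = True


class UserStore:
    """Illustrative store of SCIM-managed users; not Vanta's implementation."""

    def __init__(self) -> None:
        self.users: list[User] = []
        self._next_id = 1

    def add_legacy_user(self, first: str, last: str, email: str, active: bool = False) -> User:
        """Seed a pre-SCIM user (e.g. created by an IdP integration) that has no externalId."""
        user = User(self._next_id, None, first, last, email, None, active)
        self._next_id += 1
        self.users.append(user)
        return user

    def _by_idp_id(self, idp_id: str) -> Optional[User]:
        return next((u for u in self.users if u.idp_id == idp_id), None)

    def _inactive_by_email(self, email: str) -> list[User]:
        return [u for u in self.users if not u.active and u.email.lower() == email.lower()]

    def apply_scim_user(self, payload: dict) -> tuple[str, User]:
        """Apply one pushed SCIM User resource and return (action, user).

        action is one of "created", "updated", "deactivated", "reactivated".
        """
        idp_id = payload["externalId"]
        first = payload["name"]["givenName"]
        last = payload["name"]["familyName"]
        email = next(e["value"] for e in payload["emails"] if e.get("primary"))  # primary email only
        roles = payload.get(ROLE_ATTR) or []
        role_id = roles[0]["value"] if roles else None  # an omitted role clears the privileged role
        active = payload.get("active", True)

        user = self._by_idp_id(idp_id)
        if user is None:
            # Nobody is bound to this IdP ID. Reactivate only when exactly one inactive
            # user matches the email; with several matches, creating a new user is
            # safer than reviving the wrong account.
            candidates = self._inactive_by_email(email)
            if len(candidates) == 1 and active:
                user = candidates[0]
                user.idp_id = idp_id
                self._sync_fields(user, first, last, email, role_id)
                user.active = True
                return "reactivated", user
            user = User(self._next_id, idp_id, first, last, email, role_id, active)
            self._next_id += 1
            self.users.append(user)
            return "created", user

        was_active = user.active
        self._sync_fields(user, first, last, email, role_id)
        user.active = active
        if was_active and not active:
            return "deactivated", user
        if not was_active and active:
            return "reactivated", user
        return "updated", user

    @staticmethod
    def _sync_fields(user: User, first: str, last: str, email: str, role_id: Optional[str]) -> None:
        user.first_name, user.last_name, user.email, user.role_id = first, last, email, role_id


def scim_user(external_id: str, first: str, last: str, email: str,
              role_id: Optional[str] = None, active: bool = True) -> dict:
    """Build a constructed SCIM 2.0 User resource carrying the synced attributes."""
    doc = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": external_id,
        "userName": email,
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }
    if role_id is not None:
        doc[ROLE_ATTR] = [{"value": role_id}]
    return doc


def demo() -> list[str]:
    """Walk through the four push operations plus both reactivation outcomes."""
    store = UserStore()
    actions = [
        store.apply_scim_user(scim_user("idp-1", "Ada", "Lovelace", "ada@example.com", "role-admin"))[0],
        store.apply_scim_user(scim_user("idp-1", "Ada", "Byron", "ada@example.com", "role-admin"))[0],
        store.apply_scim_user(scim_user("idp-1", "Ada", "Byron", "ada@example.com", "role-admin", active=False))[0],
        store.apply_scim_user(scim_user("idp-1", "Ada", "Byron", "ada@example.com", "role-admin"))[0],
    ]
    # Two inactive pre-SCIM users share an email and none carries the IdP ID: a new user is created.
    store.add_legacy_user("Bob", "Smith", "bob@example.com")
    store.add_legacy_user("Robert", "Smith", "bob@example.com")
    actions.append(store.apply_scim_user(scim_user("idp-2", "Bob", "Smith", "bob@example.com"))[0])
    # Exactly one inactive user matches: it is reactivated and bound to the IdP ID.
    store.add_legacy_user("Cy", "Chen", "cy@example.com")
    actions.append(store.apply_scim_user(scim_user("idp-3", "Cy", "Chen", "cy@example.com", "role-editor"))[0])
    return actions


if __name__ == "__main__":
    print(demo())
```

Note that an update which omits the role attribute clears the stored role in this model; as the article points out, some IdPs (Azure Entra among them) will not send an unset attribute, which is why a role downgrade may have to be expressed by passing a different role ID rather than by clearing the field.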

Can SCIM assign users to groups in Vanta?

  • Not at this time. However, using an IdP integration, user groups can be synced into Vanta. Otherwise, groups can be assigned manually in Vanta.
  • Note: Groups in Vanta are a feature of the Personnel module.

What happens if I delete a SCIM user in my IdP?

  • If you remove a user's access to Vanta from your IdP or deactivate their account in the IdP, the user will be deprovisioned in Vanta. SCIM users must be deprovisioned from the IdP.

Can I use SCIM to manage privileged user accounts (e.g., Admins, Editors) and the IdP integration to manage Employee accounts?

  • No. Once you enable SCIM, the IdP integration is switched to non-provisioning mode. Any existing users created via the IdP integration that were not converted to SCIM will still exist in Vanta, but they become “manual” users, meaning the IdP integration will no longer update their employee status. We strongly encourage customers using SCIM to manage all their users via SCIM.

Troubleshooting

  • To validate that users are synced correctly, view them in the Vanta UI.
  • Privileged users and their roles will appear in Settings under User permissions.
  • If you have the Personnel module, all users will appear under Personnel, on the People page.
  • Any users who appear only on the People page and not on User permissions have basic access to Vanta.

  • If you have made a change in your IdP and do not see it reflected in Vanta, open Settings, go to Login and Security, and check the User Provisioning section for errors.
  • If you do not see any errors, check the Admin Portal to confirm that the user was synced to WorkOS successfully; if it was, try resyncing all users to Vanta. If it was not, check your IdP for errors.
  • If there is an error about multiple users with the same email, review this article.