Enabling SCIM in Vanta

For more information about plan types and capabilities, see Vanta's pricing page.

Supported features

  • Push new users: New users assigned to the SCIM app in the IdP are provisioned in Vanta.
  • Push user updates: Updates made to a user in the IdP are pushed to Vanta.
  • Push user deactivation: Deactivating a user, or removing their assignment to the SCIM app, in the IdP deactivates the user in Vanta.
  • Push user reactivation: Reactivating a user, or reassigning them to the SCIM app, in the IdP reactivates the user in Vanta.
  • Provisioning of Teams: Create Vanta Teams from identity provider groups and keep Team membership synchronized with group membership in the identity provider.
  • De-provisioning of Teams
  • Assigning users to Teams
  • Unassigning users from Teams

The fields synced through SCIM are the user's name (first and last), primary email address, and RBAC role.

Enabling SCIM

If you have already connected your IdP, please note:

  • When SCIM is enabled, all users previously provisioned through the IdP integration are converted to manually managed users.

    • This does not change their status in Vanta: all current employees retain access, and all former employees retain their offboarding details.
  • After SCIM is set up, any user in your account that matches a user in your SCIM app is converted to SCIM-managed.
    • Their active status in SCIM then determines their status in Vanta.
  • For users you will not manage through SCIM, de-provisioning their Vanta access must be initiated manually in the Vanta UI once SCIM is enabled.

If you have not already connected your IdP:

  • You will be prompted to connect an IdP or HRIS integration. These integrations let Vanta determine personnel start dates more accurately, as reflected in the Personnel module.
  • If you do not use Vanta for Compliance Monitoring, you do not need to integrate with an IdP in order to enable SCIM.

Important Considerations When Enabling SCIM

When SCIM is enabled in Vanta, it becomes the sole source of truth for automated user management. This has a few important implications:

  • SCIM stops the IdP integration from updating any fields in Vanta, except for Start Date and Personnel Group Membership.
  • Any personnel not provisioned through SCIM are converted to manual entries. This means:
    • End dates no longer update automatically from your IdP, which can prevent automated offboarding.
    • New personnel are no longer imported into Vanta from your IdP.

For personnel you want to monitor in Vanta but who should not have privileged access, provision them via SCIM with the Employee role. The Employee role grants access only to the user's own security and compliance tasks, and nothing more.

Similarly, if you want to remove someone's privileged access to Vanta but keep them active in the system (for example, so that you do not trigger offboarding), downgrade their role to Employee rather than deprovisioning them.

Configuring SCIM

  • Once your account is ready to proceed with configuring SCIM, you will see a banner inviting you to complete the setup in the Admin Portal.
  • The banner takes you to WorkOS, which walks you through enabling a SCIM connection from your IdP to a WorkOS directory that is synced into Vanta.

Configuring SCIM for User Provisioning and Role Management

  • When you provision users through SCIM, you can control users' privileged RBAC (role-based access control) roles automatically from your IdP instead of manually in Vanta. Learn more about Vanta's roles and permissions.
  • When SCIM is enabled, the User Provisioning section of the Login and Security page has a Roles tab in addition to the Status tab. The Roles tab lists the role IDs you need to pass through SCIM.
  • You can confirm that users are being provisioned successfully on the Status tab.

If you use Vanta for compliance monitoring

  • The list of roles also includes the unprivileged Employee role, which provides the basic "employee experience" permissions needed to complete personnel security tasks in Vanta (accepting policies, watching security awareness training, and so on).
  • Remember that when SCIM is enabled, it becomes the sole source of truth for automated user management. If you want the personnel on the People page to stay in sync with your IdP, you must provision them via SCIM.
  • You may provision users with the Employee role without supplying a role ID, but depending on your IdP you may need to supply it explicitly for the configuration to behave correctly.
    • For example, Microsoft Entra ID will not unset an attribute once it has been sent, so you cannot downgrade a user's role by clearing it; set the Employee role ID explicitly instead.

If you are not using Vanta for compliance monitoring, the Employee role does not exist in your account, and users provisioned without a role ID will not have access to any part of the Vanta UI.
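The following is an added example (not Vanta's or WorkOS's code) that models the SCIM 2.0 payloads an IdP sends for the role handling described above, using the core User schema from RFC 7643 and the PatchOp message from RFC 7644. It assumes the role ID travels in the core `roles` attribute; the real attribute mapping is whatever the WorkOS setup guide tells you to configure, and the role IDs below are placeholders for the values on the Roles tab. It shows why an Entra ID downgrade has to be a `replace` carrying the Employee role ID rather than a `remove` of the attribute.

```python
"""SCIM 2.0 user payloads for role provisioning, modelled on RFC 7643/7644.

Added example, not Vanta's or WorkOS's code. Assumptions: the role ID is
carried in the core User schema's multi-valued `roles` attribute (use the
attribute the WorkOS setup guide maps to the Roles tab), and the role IDs
below are placeholders for the IDs shown on that tab.
"""
import copy
from typing import Optional

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Placeholder role IDs (assumption): substitute the IDs from the Roles tab.
ADMIN_ROLE_ID = "role-admin-placeholder"
EMPLOYEE_ROLE_ID = "role-employee-placeholder"


def build_user(external_id: str, email: str, given: str, family: str,
               role_id: Optional[str] = None) -> dict:
    """Build the SCIM User resource an IdP pushes on first provisioning.

    externalId carries the IdP's stable identifier; userName, name and the
    primary email are the fields Vanta syncs; `active` drives
    activation and deactivation.
    """
    user = {
        "schemas": [CORE_USER],
        "externalId": external_id,
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    if role_id is not None:
        user["roles"] = [{"value": role_id, "primary": True}]
    return user


def patch_op(op: str, path: str, value=None) -> dict:
    """Wrap a single operation in a PatchOp message."""
    operation = {"op": op, "path": path}
    if value is not None:
        operation["value"] = value
    return {"schemas": [PATCH_OP], "Operations": [operation]}


def apply_patch(user: dict, patch: dict) -> dict:
    """Apply a PatchOp with simple attribute paths (top level or one dotted
    sub-attribute such as "name.givenName"). Returns a new resource."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(user)
    for op in patch["Operations"]:
        kind = op["op"].lower()
        path = op.get("path")
        if not path:
            raise ValueError("path-less operations are not supported here")
        parent, _, leaf = path.rpartition(".")
        target = result.setdefault(parent, {}) if parent else result
        if kind in ("add", "replace"):
            target[leaf] = op["value"]
        elif kind == "remove":
            target.pop(leaf, None)
        else:
            raise ValueError(f"unknown op {op['op']}")
    return result


def effective_role(user: dict) -> Optional[str]:
    """Role ID the IdP is asserting for this user, or None if it is unset."""
    roles = user.get("roles") or []
    primary = [r for r in roles if r.get("primary")] or roles
    return primary[0]["value"] if primary else None


# Downgrading an admin to Employee: two ways an IdP might express it.
admin = build_user("idp-0001", "alice@example.com", "Alice", "Lee", ADMIN_ROLE_ID)

# 1. Clearing the attribute. Microsoft Entra ID cannot send this, so the user
#    keeps the admin role there; on IdPs that can, the role ends up unset.
cleared = apply_patch(admin, patch_op("remove", "roles"))

# 2. Setting the Employee role ID explicitly. Works on every IdP.
downgraded = apply_patch(
    admin, patch_op("replace", "roles", [{"value": EMPLOYEE_ROLE_ID, "primary": True}]))

# Deactivation is a plain `active` flip; Vanta deprovisions on active=false.
deactivated = apply_patch(admin, patch_op("replace", "active", False))
```

Use `effective_role` on the payloads your IdP actually emits (most IdPs have a "provision on demand" or test-user feature that shows the outgoing request) to check that a downgrade arrives as an explicit Employee role ID rather than an absent attribute.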

Configuring SCIM for Teams

  • Note: To use SCIM for Teams, SCIM must also be used for user provisioning. It is not possible to use SCIM solely for Team management.
  • Note: Users who are members of a Team must have the Collaborator role or above. Make sure to provision these users with the Collaborator role or another privileged role.
  • When you provision Teams through SCIM, Team membership is managed automatically from your synced IdP groups instead of manually in Vanta.
  • SCIM-provisioned Teams appear on the Teams list page, with your IdP shown as the source.


FAQs

How do I know if I’m using Vanta for compliance monitoring?

  • If you are using Vanta for compliance monitoring, the sidebar of your Vanta app includes the Personnel module.
    • Products that can be used without Compliance Monitoring include Vendor Risk Management, Trust Center, and Access Reviews.

Which SCIM app should I use?

  • The WorkOS setup guide explains which SCIM app to use. For now, if you're using Okta, you must use a custom SCIM app; once the Vanta OIN app is updated to support SCIM, enable SCIM in that app instead of using a custom one. If you're using Microsoft Entra ID (Azure AD) and have already set up a SAML app, you can add SCIM provisioning to that app.

What happens to existing users in my Vanta account when I enable SCIM?

  • If you previously used a Vanta IdP integration to provision users, those users remain in your Vanta account with their current status and employment data.
  • All users from the integration are converted to manually managed users and can be manually de-provisioned or re-provisioned in Vanta. If these users are subsequently provisioned through SCIM, they become SCIM-managed and can then only be de-provisioned through SCIM.

Can users managed through SCIM be edited in Vanta?

  • Fields managed through SCIM can only be updated through your identity provider. This includes the RBAC role, user name, and email address. Fields managed through Vanta (user start date if not sourced from an integration, Vanta groups) continue to be editable in Vanta.

Can SCIM reactivate users in Vanta?

  • Under most circumstances, if a Vanta user was previously deprovisioned and is reprovisioned through SCIM, that user is reactivated. The exception is when Vanta cannot uniquely determine which user to reactivate: if multiple inactive users match the email address and none matches the IdP ID of the SCIM user, Vanta creates a new user rather than risk reactivating the wrong one.
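To make the reactivation rule concrete, here is an added example that models it; this is not Vanta's code. It matches first on the IdP identifier (the SCIM `externalId` recorded when the user was provisioned), then on email address, and falls back to creating a new user whenever the email alone is ambiguous. The "adopt" outcome models the conversion of a matching existing user to SCIM-managed described under Enabling SCIM; the "conflict" outcome for several accounts sharing an email with at least one active is an assumption, modelled on the "multiple users with the same email" error mentioned under Troubleshooting. The directory below is constructed sample data.

```python
"""Model of Vanta's documented SCIM reactivation rule. Added example; not
Vanta's code. The "conflict" branch is an assumption (see lead-in)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VantaUser:
    id: str
    email: str
    idp_id: Optional[str]   # SCIM externalId stored at provisioning; None for manual users
    active: bool


def resolve_scim_user(external_id: str, email: str,
                      users: List[VantaUser]) -> Tuple[str, Optional[VantaUser]]:
    """Decide what to do with an incoming SCIM user.

    Returns one of ("reactivate", user), ("update", user), ("adopt", user),
    ("create", None) or ("conflict", None).
    """
    # 1. A stored IdP ID is authoritative: it identifies exactly one user.
    for u in users:
        if u.idp_id is not None and u.idp_id == external_id:
            return ("reactivate" if not u.active else "update", u)

    # 2. No IdP match: fall back to the email address (case-insensitive).
    candidates = [u for u in users if u.email.casefold() == email.casefold()]
    if len(candidates) == 1:
        u = candidates[0]
        # A single existing account with this email becomes SCIM-managed;
        # if it is inactive it is reactivated at the same time.
        return ("reactivate" if not u.active else "adopt", u)
    if any(u.active for u in candidates):
        # Assumption: several accounts share the email and one is still
        # active. Modelled on the "multiple users with the same email" error.
        return ("conflict", None)
    # Zero candidates, or several inactive ones and no IdP ID match:
    # create a new user rather than risk reactivating the wrong one.
    return ("create", None)


# Constructed sample directory (not real data).
DIRECTORY = [
    VantaUser("u1", "bob@example.com", "idp-42", active=False),   # deprovisioned SCIM user
    VantaUser("u2", "carol@example.com", None, active=False),     # old manual record
    VantaUser("u3", "carol@example.com", None, active=False),     # duplicate, e.g. a rehire
    VantaUser("u4", "dave@example.com", None, active=True),       # manual user, still active
]


def demo() -> dict:
    """Outcome for a few representative incoming SCIM users."""
    return {
        "bob":   resolve_scim_user("idp-42", "bob@example.com", DIRECTORY)[0],
        "carol": resolve_scim_user("idp-7", "Carol@example.com", DIRECTORY)[0],
        "dave":  resolve_scim_user("idp-8", "dave@example.com", DIRECTORY)[0],
        "erin":  resolve_scim_user("idp-9", "erin@example.com", DIRECTORY)[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical consequence: if you expect a rehire to be reactivated rather than duplicated, make sure only one inactive record carries that email, or that the surviving record already has the IdP ID the SCIM app will send.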

Can SCIM assign users to Personnel Groups in Vanta?

  • Note: Personnel Groups in Vanta are a feature of the Personnel module.
  • Not at this time. However, an IdP integration can sync user groups into Vanta. Otherwise, personnel groups can be assigned manually in Vanta.

What happens if I delete a SCIM user in my IdP?

  • If you remove a user's access to Vanta in your IdP, or deactivate their account in the IdP, the user is deprovisioned in Vanta. SCIM-managed users must be deprovisioned from the IdP, not from Vanta.

Can I use SCIM to manage privileged user accounts (e.g., Admins, Editors) and the IdP integration to manage Employee accounts?

  • No. Once you enable SCIM, the IdP integration is switched to non-provisioning mode. Any existing users created via the IdP integration that were not converted to SCIM-managed still exist in Vanta, but they become "manual" users, meaning the IdP integration no longer updates their employee status. We strongly encourage customers using SCIM to manage all of their users via SCIM.

Can Teams managed through SCIM be edited in Vanta?

  • For Teams managed through SCIM, Team Name and Team Membership cannot be edited in Vanta, and the Team cannot be deleted in Vanta. Notification settings, Description, and Team Admins can be edited in Vanta.

What happens if I disable SCIM and then re-enable it?

  • If you enable SCIM, successfully sync users or Teams, and then disable SCIM, your SCIM-managed users and Teams are converted to manual users and Teams.
  • If you then re-enable SCIM:
    • Vanta attempts to convert any matching manual users back into SCIM-managed users.
    • Vanta does not convert your manual Teams back into SCIM-managed Teams. Your manually managed Teams remain manual, and re-enabling SCIM creates net-new Teams alongside them.

Troubleshooting

  • To validate that users are synced correctly, view them in the Vanta UI.
  • Privileged users and their roles appear in Settings under User permissions.
  • If you have the Personnel module, all users appear under Personnel, on the People page.
  • Any user who appears on the People page but not under User permissions has the Employee role, which grants access only to their own personal security and compliance tasks.

  • If you have changed your IdP and do not see the change reflected in Vanta, check the User Provisioning section of the Login and Security page in Settings for errors.
  • If you do not see any errors there, check the Admin Portal to confirm the user was synced to WorkOS successfully. If it was, try resyncing all users to Vanta; if it was not, check your IdP for errors.
  • If there is an error about multiple users with the same email, review this article.
