SCIM provisioning overview

Provisioning with SCIM is available on Postman Enterprise plans.

Postman supports SCIM (System for Cross-domain Identity Management), enabling you to automate user provisioning and de-provisioning for your team. With this feature, you can efficiently deploy Postman at scale across your organization and control access to it with your identity provider (IdP). You can enable SCIM provisioning with the SCIM API, Okta, Microsoft Entra ID, or OneLogin.

You must be a Postman Team Admin or Super Admin to enable SCIM for your team. It's recommended that you enable SCIM using a service account assigned the Super Admin role. This enables you to avoid the risk of a disruption in service if a team member leaves your company. Learn more about assigning the Super Admin role to a service account.

With SCIM enabled, users won't have the option to leave your team on their own, and won't be able to change their account email or password. Only Team Admins and Super Admins have permission to remove team members. Only administrators in your IdP have permission to use SCIM to change user account emails if they're associated with a domain your team verified.

SCIM features

Postman supports the following provisioning features:

  • Create user - Creates a new user account in Postman, adds the account to your organization's Postman team, and activates authentication for the user if their email ID isn't attached to an existing Postman account. If a Postman account with the same email ID exists and it's associated with a domain your team has verified, the user will be automatically added to your team. If a Postman account with the same email ID exists and it's not associated with a verified domain, an email invite to join your Postman team is sent to the user. Once the user accepts the invite, they'll be added to your team.

    The newly added user will have the Developer role in Postman by default. You can later update account roles in Postman.

  • Update user information

    • Update user attributes - Updates a user’s first and last name in Postman.

    • Activate user - Creates a new user on your Postman team, if one doesn't already exist, and activates the user to authenticate into your Postman team.

    • Deactivate user - Removes a user from your Postman team and deactivates their account, blocking the account from authenticating into Postman.

      User accounts and the data corresponding to them won't be deleted.

    • Reactivate user - Reactivates an existing deactivated user by unblocking the account's authentication into Postman and adds the account back to your Postman team.

  • Create group - Creates a new user group in Postman. When you assign the Postman app to a group, Postman creates a new account for each user, adds each account to your organization's Postman team, and activates authentication for each user. If an existing Postman account uses an email that matches a user's email ID, an email invite to join your Postman team is sent to that user. Once the user accepts the invite, they'll be added to your team.

    Newly created groups will have the Developer role in Postman by default. You can later update group roles in Postman and control a group's access to workspaces and individual Postman elements, such as collections and APIs.

  • Delete group - Deletes a user group in Postman. User accounts that were part of the deleted group are deactivated in Postman.

    User accounts and the data corresponding to them won't be deleted.

  • Update group information

Postman doesn't support the following provisioning features:

  • Push groups from Postman to your IdP
  • Push or sync password updates
  • Push user attribute updates from your IdP to Postman other than name
  • Pull user attribute updates from Postman to your IdP

Enabling SCIM provisioning

You must configure SSO in Postman before you can enable SCIM for your Postman team.

To use SCIM, you must have only one SSO method configured. If you have more than one SSO method enabled, you won't be able to generate a SCIM API key.

Enabling SCIM in Postman

  1. Open Postman and select Team > Team Settings in the Postman header.

  2. Select Authentication in the left sidebar.

  3. Select the Authentication Methods tab.

  4. Select the SCIM Provisioning toggle to turn it on.

    Enable SCIM in dashboard
  5. Select Turn On to enable SCIM provisioning.

    Enable SCIM in dashboard

Generating SCIM API key

  1. Under SCIM Provisioning, select Generate SCIM API Key.

    Generate SCIM API key
  2. Enter a key name, then select Generate.

  3. Copy your new API key for later use and select Done.

You can revisit this page to manage your SCIM API keys. If you regenerate an existing API key, you'll have the option to keep the previous key active while you switch to the new one.

For more information or help with configuring SCIM, contact Postman support.

Configuring SCIM with the SCIM API

Visit Postman's SCIM API documentation for information on setting up SCIM for your Postman team using the SCIM 2.0 API.

Next steps

Now that you have enabled SCIM and generated a SCIM API key, you can continue enabling SCIM provisioning. After the SCIM setup is complete, learn how to manage roles and permissions for your team:

Last modified: 2023/12/15