SCIM provisioning overview

Provisioning with SCIM is available on Postman Enterprise plans.

Postman supports SCIM (System for Cross-domain Identity Management), enabling you to automate user provisioning and de-provisioning for your team. With this feature, you can efficiently deploy Postman at scale across your organization and control access to it with your identity provider (IdP).

You can enable SCIM provisioning with the SCIM API, Okta, Microsoft Entra ID, or OneLogin. You must be a Postman Team Admin to enable SCIM for your team. With SCIM enabled, users won't have the option to leave your team on their own, and won't be able to change their account email or password. Only Team Admins will have the right to remove team members.

SCIM features

Postman supports the following provisioning features:

Create user - Creates a new user account in Postman, adds the account to your organization's Postman team, and activates authentication for the user if their email ID isn't attached to an existing Postman account. If a Postman account with the same email ID exists and it's associated with a domain your team has verified, the user will be automatically added to your team. If a Postman account with the same email ID exists and it's not associated with a verified domain, an email invite to join your Postman team is sent to the user. Once the user accepts the invite, they'll be added to your team.

The newly added user will have the Developer role in Postman by default. You can later update account roles in Postman.
Update user information
- Update user attributes - Updates a user’s first and last name in Postman.
- Activate user - Creates a new user on your Postman team, if one doesn't already exist, and activates the user to authenticate into your Postman team.
- Deactivate user - Removes a user from your Postman team and deactivates their account, blocking the account from authenticating into Postman.
  
  User accounts and the data corresponding to them won't be deleted. To permanently delete a user account and its data, contact Postman support.
- Reactivate user - Reactivates an existing deactivated user by unblocking the account's authentication into Postman and adds the account back to your Postman team.
Create group - Creates a new user group in Postman. When you assign the Postman app to a group, Postman creates a new account for each user, adds each account to your organization's Postman team, and activates authentication for each user. If an existing Postman account uses an email that matches a user's email ID, an email invite to join your Postman team is sent to that user. Once the user accepts the invite, they'll be added to your team.

Newly created groups will have the Developer role in Postman by default. You can later update group roles in Postman and control a group's access to workspaces and individual Postman elements, such as collections and APIs.
Delete group - Deletes a user group in Postman. User accounts that were part of the deleted group are deactivated in Postman.

User accounts and the data corresponding to them won't be deleted. To permanently delete user accounts and their data, contact Postman support.
Update group information
- Update group attributes - Updates a group's name in Postman.
- Update group members - Adds or removes users from a group in Postman.
  
  Users in a group have the roles assigned to the group. You can update group roles in Postman and control a group's access to workspaces and individual Postman elements, such as collections and APIs.
Updating group information from Postman to your IdP isn't supported in SCIM provisioning through Okta. If you're using Okta and you want to use this provisioning feature, use the SCIM 2.0 Okta app.

Postman doesn't support the following provisioning features:

Push groups from Postman to your IdP
Push or sync password updates
Push user attribute updates from your IdP to Postman other than name
Pull user attribute updates from Postman to your IdP

Enabling SCIM provisioning

You must configure SSO in Postman before you can enable SCIM for your Postman team.

To use SCIM, you must have only one SSO method configured. If you have more than one SSO method enabled, you won't be able to generate a SCIM API key.

Enabling SCIM in Postman

Open Postman and select Team > Team Settings in the Postman header.
Select Authentication in the left sidebar.
Select the Authentication Methods tab.
Select the SCIM Provisioning toggle to turn it on.
Select Turn On to enable SCIM provisioning.

Generating SCIM API key

Under SCIM Provisioning, select Generate SCIM API Key.
Enter a key name, then select Generate.
Copy your new API key for later use and select Done.

You can revisit this page to manage your SCIM API keys. If you regenerate an existing API key, you'll have the option to keep the previous key active while you switch to the new one.

For more information or help with configuring SCIM, contact Postman support.

Configuring SCIM with the SCIM API

Visit Postman's SCIM API documentation for information on setting up SCIM for your Postman team using the SCIM 2.0 API.

Next steps

Now that you have enabled SCIM and generated a SCIM API key, you can continue enabling SCIM provisioning. After the SCIM setup is complete, learn how to manage roles and permissions for your team:

To learn how to enable SCIM provisioning through your IdP, see Configure SCIM with Okta, Configure SCIM with Microsoft Entra ID, or Configure SCIM with OneLogin.
To learn how to enable SCIM using the SCIM 2.0 API, see Postman's SCIM API documentation.
Learn more about defining roles in your team and how to create user groups.

Last modified: 2023/12/15

Additional resources

Blog posts

Introducing User Management in Postman with SCIM

Case Studies

PayPal uses SCIM to onboard developers

Western Governors University (WGU) uses SCIM to create teams