SCIM user provisioning functionality is in Beta. Contact your account team for more information.
Prerequisites
Before setting up SCIM provisioning, you need:- IdP admin access (Okta, Microsoft Entra ID, or any other SCIM 2.0 provider you’re using)
- Lovable workspace owner or admin role
-
An active SSO provider configured (OIDC or SAML). See Set up single sign-on (SSO) for more information.
- If you don’t have SSO yet:
You’ll typically create a single application in your identity provider that handles both SSO authentication and SCIM provisioning. - If you already have SSO configured:
You can optionally create a separate application in your IdP specifically for SCIM provisioning. This allows you to keep your existing SSO setup unchanged. Lovable will continue to use your current SSO provider for user authentication, regardless of which IdP application handles SCIM.
Some identity providers require SCIM provisioning to be configured on a SAML application, even if SSO authentication uses OIDC. In this case, the SAML application with SCIM enabled is used only for provisioning and does not need to be configured as an SSO provider in Lovable. - If you don’t have SSO yet:
How SCIM works in Lovable
This section explains how Lovable processes SCIM events from your identity provider.User provisioning
When your IdP creates or assigns a user to the Lovable application:- The IdP sends a SCIM request to Lovable.
- Lovable verifies that the user’s email domain is verified for your workspace.
- The user receives an email invitation to join.
- When the user accepts the invitation and creates an account, they are added to the workspace with the appropriate role based on SCIM configuration.
User deprovisioning
When your IdP removes or deactivates a user:- The IdP sends a deactivation request to Lovable.
- The user is removed from your workspace.
- The user can no longer log in to the workspace.
Workspace owners cannot be deprovisioned via SCIM. This prevents accidental lockout of workspace administration.
Group push and role updates
When group-based provisioning is enabled in your IdP:- Group membership changes are pushed to Lovable.
- Users added to a mapped group receive the corresponding role.
- Users removed from all mapped groups are removed from the workspace.
Supported SCIM operations
Lovable implements the SCIM 2.0 specification and supports the following operations:| Resource | Supported operations |
|---|---|
| Users | Create, read, update, delete, list |
| Groups | Create, read, update, delete, list, member push |
Set up SCIM provisioning
Setting up SCIM provisioning requires configuration in both Lovable and your identity provider. You start in Lovable to enable SCIM provisioning and generate the required credentials, then complete the setup in your IdP.Step 1: Configure SCIM in Lovable
First, enable SCIM provisioning in Lovable and copy the values needed by your identity provider.1
Open identity settings and enable SCIM
Go to Settings → Workspace → Identity → SCIM provisioning and enable SCIM provisioning.
2
Copy SCIM configuration values
When SCIM provisioning is enabled, Lovable generates and displays the following values:
- API key: A secure API token used for authenticating SCIM requests (shown only once)
- Base URL: The endpoint your IdP uses to sync users.
3
Configure the default role
The default role is assigned to newly provisioned users who do not match any group mapping. The available roles are:
- Viewer: Read-only access
- Editor: Can create and edit projects
- Admin: Full workspace management
Step 2: Configure SCIM in your identity provider
Use the values generated in Lovable to configure SCIM provisioning in your identity provider.| Setting | Value |
|---|---|
| Base URL | https://api.lovable.dev/scim/v2 |
| Authentication | Bearer token |
| API key | <your API key generated in Lovable> |
- Okta
- Microsoft Entra ID (Azure AD)
- Other SCIM 2.0 providers
SCIM provisioning in Okta is supported only through a SAML application. If you use OIDC for SSO, you’ll need to create a separate SAML app in Okta for SCIM provisioning.
1
Enable SCIM provisioning in Okta
- Go to Okta Admin Console → Applications.
- Create a new SAML application or select your existing SAML Lovable app.
- In General → App settings → Provisioning, select SCIM.
- Click Save. The Provisioning tab is now enabled for the application.
2
Configure the SCIM connection
- Navigate to Provisioning → Integration.
- Configure the SCIM connection with the following values:
- SCIM connector base URL:
https://api.lovable.dev/scim/v2 - Unique identifier field for users:
email - Select the supported provisioning actions you need (optional):
- Import new users and profile updates
- Push new users
- Push profile updates
- Push groups
- Import groups
- Authentication mode:
HTTP header - Authorization:
Bearer <your Lovable SCIM API key>
- SCIM connector base URL:
3
Test the connector configuration
Click Test connector configuration. If everything is configured correctly, the validation should be successful.
4
Save the connection
Save your changes.
5
Edit provisioning features and save the changes
Go to Provisioning → To App and edit the provisioning features based on your requirements.
- Create users
- Update user attributes
- Deactivate users
Configure role mapping
SCIM supports automatic role assignment based on IdP group membership, allowing you to control workspace permissions centrally.Map IdP groups to roles
Map your IdP groups to Lovable workspace roles for fine-grained access control. To add a group role mapping:- Go to Settings → Workspace → Identity → SCIM provisioning.
- Under Group role mappings, enter the Group name exactly as it appears in your IdP (for example,
engineering-admins). - Select the Role to assign (viewer, editor, or admin)
- Click Add to save.
Group names are case-insensitive. For example,
Engineering-Admins and engineering-admins both match.| IdP group | Lovable role |
|---|---|
lovable-admins | Admin |
engineering | Editor |
contractors | Viewer |
- Lovable checks whether the user belongs to any mapped groups.
- If a match is found, the corresponding role is assigned.
- If no match is found, the default role is assigned.
Manage SCIM provisioning
Use the identity settings to manage SCIM provisioning over time.Rotate the API key
Rotate the API key if it may have been compromised or needs to be regenerated:- Go to Settings → Workspace → Identity → SCIM provisioning.
- Click Rotate next to the API key.
- Confirm the rotation.
- Copy and save the new API key immediately.
- Update your IdP with the new API key.
Disable SCIM provisioning
To stop automatic provisioning:- Go to Settings → Workspace → Identity → SCIM provisioning.
- Disable SCIM provisioning.
Disabling SCIM stops automatic provisioning but does not remove existing workspace members. Users previously provisioned via SCIM will remain in the workspace until manually removed.
Troubleshooting
User provisioning fails with 'domain not verified' error
User provisioning fails with 'domain not verified' error
SCIM only provisions users whose email domain is verified for your workspace. To fix:
- Go to Settings → Workspace → Identity
- Add and verify the email domain under Verified domains
- Retry provisioning from your IdP.
Users are provisioned but can't log in
Users are provisioned but can't log in
Verify that:
- Your SSO provider is correctly configured.
- Users are assigned to the SSO application in your IdP.
Role mappings are not being applied
Role mappings are not being applied
Check that:
- Group names in your mappings exactly match what your IdP sends (case-insensitive)
- Your IdP is configured to send group membership data in SCIM requests
- Group push is enabled in your IdP
FAQ
Can I use SCIM without SSO?
Can I use SCIM without SSO?
No, SCIM requires an active SSO provider. Users provisioned via SCIM authenticate using your configured SSO provider.
What happens to existing users when I enable SCIM?
What happens to existing users when I enable SCIM?
Existing workspace members are not affected when you enable SCIM. SCIM manages users provisioned through your IdP. Previously invited users continue to exist alongside SCIM-provisioned users.
I lost my API key. What should I do?
I lost my API key. What should I do?
The API key is only shown once when generated. If you’ve lost it:
- Go to Settings → Workspace → Identity → SCIM provisioning.
- Click Rotate next to the API key and confirm the rotation.
- Update your IdP with the new API key.
What happens if a user belongs to multiple mapped groups?
What happens if a user belongs to multiple mapped groups?
When a user belongs to multiple mapped groups, Lovable assigns the highest-privilege role from those groups.Currently, if a user is removed from any mapped group in your identity provider, the user is removed from the workspace, even if they still belong to other mapped groups.
Should I use SCIM or just-in-time (JIT) provisioning?
Should I use SCIM or just-in-time (JIT) provisioning?
SCIM is recommended for managed environments where user lifecycle and access should be controlled centrally from your identity provider.Just-in-time (JIT) provisioning applies only to users who sign up through SSO. When a user is created via SSO sign-up, the JIT role is applied.When users are provisioned via SCIM, user creation and role assignment are managed by SCIM, including group-based role mappings, user metadata, or the default SCIM role. In this case, SCIM provisioning and role assignments take precedence over JIT.