SCIM

Important: 

  • The SCIM feature is only available for advanced preview customers.

  • Microsoft has changed the name of Azure Active Directory to Microsoft Entra ID. However, Nintex Workflow and the help still refer to this product as Azure Active Directory.

You must be a verified primary domain owner and a global administrator.

System for Cross-domain Identity Management (SCIM) allows you to sync users from your identity provider An identity provider (IdP) stores and authenticates the identities of users to log in to system, files, or applications. (IdP) to Nintex Workflow. Once it's set up you can manage user lifecycle in Nintex Workflow tenant directly through your IdP.

In the SCIM page, you can:

  • Create and configure a directory.
  • Add new rules and assign roles. You can also edit, disable, or delete rules from the tenant.

SCIM, SSO, and User Directory work independently. Each feature supports a different aspect of user management:

  • SCIM enables you to assign roles and Nintex Workflow groups to users based on group memberships in your IdP and configured user management rules.
  • Auto-onboarding allows any active user with access to the SSO connection to sign in to Nintex Workflow, even if they haven’t been added through SCIM or invited manually. These users are assigned the default Participant role.
  • User Directory lets workflow designers find users and assign tasks to them in workflows.

Jump to:

Access the SCIM page

  1. On the top navigation bar, click Settings.

  2. On the left navigation, click SCIM.

Create a directory

You must be a verified primary domain owner, and your organization must be federated. For information on configuring or verifying your organization's federation status, see Configure identity federation.

  1. On the SCIM page, under the Directory section, click Add directory.

  2. Enter a Directory name, click Add.

    A Base URL and API key are provided. Use these credentials to configure SCIM in your identity provider and complete the setup process.

    Important: Make sure to save your API key securely, as you won't be able to access it again after closing the window.

  3. In your Azure Active Directory tenant, create or use existing SSO application. For more information, see Create a Nintex Workflow application in Azure Active Directory.

Delete a directory

You must be a verified primary domain owner and a global administrator.

When a directory is deleted, the connection to Azure Active Directory will be lost, and Nintex Workflow will no longer receive updates from the IdP. As a result, any changes made to users or groups in the IdP will not take effect in Nintex Workflow.

  1. On the SCIM page, under the Directory section, click and select Delete for the required directory.

Create, sync and delete user management rules

You must be a verified primary domain owner and a global administrator.

The SCIM user management rules let you manage access to tenants and roles based on users' group and role memberships in your IdP. Creating a user management rule lets you assign specific roles to users within a tenant based on their group membership.

Important: Users managed by a user management rule appear in the User Management page with a SCIM badge. If no badge appears next to a user's email, the user is not managed by a user management rule.

User management rules assign roles and tenant access based on group membership in your IdP. When a user is added to a group linked to a rule, they receive the access defined by that rule. When a user is removed from the group, their assigned role and tenant access are removed. For more information, see Understanding SCIM user management rules.

A set of default user management rules such as the Nintex Participant rule is available to help you get started. To use a default rule, create a group in your IdP with the same name and add users to it. The assigned role applies to users in the tenant where SCIM is configured. If you don’t want to use a default rule, you can delete it. The following table lists the default rules and their assigned roles.

Group name Role
Nintex Participants Participant
Nintex Designers Designer
Nintex Developers Developer
Nintex Automation Admins Automation Admin
Nintex Administrators Global Admin

After you set up a directory, you can configure user management rules for your tenant. When a rule is added, disabled, enabled, or deleted, it only affects new messages or changes from the IdP. To update access for users already in the system, the admin must re-sync the organization.

Understanding SCIM user management rules

SCIM user management rules let you manage user roles and access in Nintex tenants based on group membership in your IdP. For example, if you create a group named HR-Designers in your IdP, you can create a rule that assigns its members a Nintex role such as Designer or Developer in a tenant of your choice.

When a user is added to a group linked to a user management rule:

  • The assigned role and tenant access are applied.

  • SCIM user management rules manage the user and control their access.

If the user is later removed from the group:

  • The assigned role and tenant access are removed.

  • Even if a user was assigned a role before SCIM was enabled, they retain only the access defined by current user management rules. If no rules apply, the user may lose access entirely. For more information, see Troubleshooting SCIM access and synchronization.

If a user is marked as inactive in your IdP, SCIM syncs the status and marks the user to inactive in the tenant. SCIM user management rules help you manage access consistently as users change groups or roles.

  1. Open the SCIM page: Click Settings and then select SCIM.

  2. In the User management rules section, click Add a rule.

  3. Select an IdP group from the drop-down list.

  4. Select the Nintex Workflow tenant to which you want to provide access.

  5. Select the Nintex Workflow role you want to assign.

  6. (Optional) You can select an existing Nintex Workflow group to assign.

  7. Click Add.

Rules are applied to any updates to new users and groups from your IdP. Any rules you add or delete will apply to future updates of users and groups from your IdP. To apply new or deleted rules to existing users and groups, sync the rules after making changes.

  • To perform a partial sync of a rule: On the SCIM page, under the User management rules section, click next to the rule, and then choose Sync.

    Note:  Partial sync is available for disabled and deleted rules. To view them, select the corresponding filter option.

  • To perform a complete sync of all rules: On the SCIM page, under User management rules section, click Sync rules.

    Note: Syncing may take some time depending on the size of your directory and the number of rules. Perform a full sync only if required.

You must be a verified primary domain owner and a global administrator.

After deleting a rule, it no longer applies to incoming changes from the IdP for users and groups. You must sync rules to remove access granted by the deleted rule.

  1. On the SCIM page, under User management rules section, on the right of the rule you want to remove, click and then select Delete.

Enable and disable user management rules

Important: When a rule is added, disabled, enabled, or deleted, it only affects new messages or changes from the IdP. To update access for users already in the system, the admin must re-sync the organization.

  1. On the SCIM page, under User management rules section, on the right of the rule you want to enable, click and then select Enable.

  1. On the SCIM page, under User management rules section, on the right of the rule you want to disable, click and then select Disable.

You can view active, inactive, and deleted rules on the SCIM page under the User management rules section:

  • Select the Active rules tab to see currently enabled rules.

  • Select the Inactive rules tab to see disabled rules.

  • Select the Deleted rules tab to see removed rules.

  • Select the All rules tab to see the complete list of rules.

Available only to users who are global administrators and a verified primary domain owners.

Section

 Selection (or column or field) Description

Directory

Add directory

Adds a new directory and provides a base URL and API key.
 

Directory name

Displays the name assigned to the directory during creation.

 

Created

The date and time the directory was created.

 

Created by

Tenancy user name of person who configured the directory.

  Options ()

  Available only to users who are Global administrators and a verified primary domain owners.

Lists the following selections:

  • Pause sync: Pauses the incoming messages from the SCIM service. Changes made in the IdP will not take effect until syncing is re-enabled.
  • Enable sync: Enables the incoming messages from the SCIM service.
  • Delete: Removes the selected directory from the Nintex Workflow tenant or tenants.
User management rules Sync rules

Allows you to sync rules. To apply rules to existing users and groups, sync them after adding.
  Add a rule Allows you to add a rule to user management rules.
  Tenant access

Displays the name of the tenant the rule applies to.
  From IdP group The IdP group that the user belongs to.
  Assigned role

Role type of the user who created the management rule. For more information, see User Roles.
  Assigned group The group the user belongs to and has permissions to manage the rule.
  Members Number of members who have access to the rule.

 

Created

The date and time the rule was created.
 

Created by

Tenancy user name of person who configured the rule.
  Is active Displays whether the rule is active or inactive.

 

Options ()

Lists the following selections:

  • Enable: Activates the rule and displays it as Active in Is active column.
  • Disable: Deactivates the rule and displays it as Inactive in the Is active column.
  • Delete: Deletes the rule from the Nintex Workflow tenancy.

Troubleshooting SCIM access and synchronization

If you experience SCIM access or sync issues, try the relevant troubleshooting steps below:

  • Check user status: If a user can't log in despite being granted access by a rule, verify that the user is active in your IdP. SCIM syncs only active users.

  • Check group membership: Confirm that the user is a member of a group managed by a user management rule and is assigned to the application in your IdP.

  • Check application assignment: Ensure the groups used in user management rules are correctly assigned to the application in your IdP.

  • Re-sync the rule: If a user who should be covered by a rule has been synced from the IdP but is not receiving access, re-sync the rule.

  • Refresh the page: If a SCIM badge does not appear next to a group or user on the User Management page, refresh the page.

  • Check provisioning logs: If changes in your IdP do not appear in Nintex Workflow after re-syncing rules, check the Azure Active Directory logs for errors.

  • Global administrator access issues

    • If the global administrator was part of a SCIM managed group:

      Confirm that the global administrator is still in the group. To ensure Azure Active Directory resends the provisioning event:

      • Remove the user from the group.

      • Run provisioning on demand.

      • Add the user back to the group.

      • Run provisioning on demand again.

      Note: If your default user management rules are still available, create a group named Nintex Administrators, assign it to the enterprise application, add the global administrator to the group, and then run provisioning on demand.

    • If the global administrator wasn’t part of a SCIM managed group:

      If the global administrator was previously assigned to the enterprise application but later removed, Azure Active Directory may have sent a disable event that deactivated the user in Nintex. To restore access:

      • Add the global administrator back to the enterprise application.

      • Run provisioning on demand.

Steps to set up SCIM in Nintex Workflow with your preferred identity provider

To configure SCIM for Nintex Workflow, see the guide listed below that is relevant to the identity provider you use: