Set up Identity Provider (IdP) for SCIM

hc: idp scim hero
In this Article

Learn how to set up your Identity Provider to use SCIM in Notion 🪪

To set up provisioning with SCIM in Notion, you’ll first need to make sure that your Identity Provider, or IdP, supports the SAML 2.0 protocol. Here are some app-specific instructions for setting up your IdP.

Azure

Notion’s Azure SCIM integration supports the following provisioning features:

  • Creating users.

  • Removing users.

  • Keeping user attributes synchronized between Azure AD and Notion.

  • Provisioning groups and group memberships in Notion.

  • Single sign-on to Notion (recommended).

Step 1: Configure user provisioning in Notion

Start by configuring Notion to support provisioning with Azure AD. To do this:

  1. Go to notion.com/settings/organization.

  2. Go to the General tab and select SCIM provisioning.

  3. Copy an existing token or select Add token to create a new token.

Step 2: Add Notion from the Azure AD application gallery

Next, you’ll want to add Notion from the Azure AD application gallery following these instructions.

The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user or group.

If you choose to scope who will be provisioned to your app based on assignment, you can use the following steps to assign users and groups to the application.

If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described here.

Step 3: Configure automatic user provisioning to Notion

To configure user provisioning in Azure:

  1. Sign in to the Azure portal.

  2. Select Enterprise ApplicationsAll applications.

  3. In the applications list, select Notion.

  4. Select the Provisioning tab.

  5. Set the Provisioning Mode to Automatic.

  6. Under the Admin Credentials section, input your Notion Tenant URL and Secret Token. Click Test Connection to ensure Azure AD can connect to Notion. If the connection fails, ensure your Notion account has Admin permissions and try again.

  7. Select Save.

  8. Under the Mappings section, select Synchronize Azure Active Directory Users to Notion.

  9. Review the user attributes that are synchronized from Azure AD to Notion in the Attribute-Mapping section.

  10. Select Save to commit any changes.

  11. Under the Mappings section, select Synchronize Azure Active Directory Groups to Notion.

  12. Review the group attributes that are synchronized from Azure AD to Notion in the Attribute-Mapping section.

  13. Select Save to commit any changes.

  14. To enable the Azure AD provisioning service for Notion, change the Provisioning Status to On in the Settings section.

  15. Define the users and groups that you would like to provision to Notion by choosing the desired values in Scope in the Settings section.

  16. When you're ready to provision, click Save.

Note: This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section.

The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

Google

Notion’s Google SCIM integration supports the following provisioning features:

  • Creating users.

  • Updating user attributes, if the user has an email domain belonging to your organization.

  • Deactivating users, which removes them from your workspace.

Step 1: Configure user provisioning in Notion

To configure user provisioning in Notion:

  1. Go to notion.com/settings/organization.

  2. Go to the General tab and select SCIM provisioning.

  3. Copy an existing token or select Add token to create a new token.

Step 2: Configure provisioning in Google

To configure user provisioning in Google:

  1. Make sure you’re signed into an administrator account to ensure your user account has the appropriate permissions.

  2. Continue the steps shown on Google Workspace Admin Help starting at "Set up auto-provisioning for the Notion application".

Note: Google’s SCIM integration does not support group provisioning and de-provisioning.

Okta

Notion's Okta SCIM integration supports the following provisioning features:

  • Creating users.

  • Updating user attributes, if the user has an email domain belonging to your organization.

  • Deactivating users, which removes them from your workspace.

  • Pushing groups.

Step 1: Configure user provisioning in Notion

To configure user provisioning in Notion:

  1. Go to notion.com/settings/organization.

  2. Go to the General tab.

  3. Toggle on Enable SAML SSO. The SAML SSO configuration modal will automatically appear and prompt you to complete the setup.

  4. The SAML SSO configuration modal is divided into two parts:

    • The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.

    • The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.

  5. Go to the General tab and select SCIM provisioning.

  6. Copy an existing token or select Add token to create a new token.

Step 2: Configure user provisioning in Okta

To configure user provisioning in Okta:

  1. Add the Notion app from Okta's integration catalog.

  2. In the Sign-on Options view, select Email for the Application username format on the Sign On application tab.

  3. Under the Provisioning tab, select Configure API integration, and click on the Enable API integration checkbox.

  4. Enter the Notion SCIM API token you copied in Step 1 into the API Token text box, and select Save.

  5. Click Edit next to Provisioning to App, and enable your preferred features (Create users, Update user attributes, or Deactivate users.

  6. Click Save.

  7. After setting up the API integration, open the Push Groups tab, and add the Okta groups you want to sync with Notion from the Push Groups button.

Note: When updating users/groups via an existing SCIM configuration, please do not delete the Notion App from Okta. Doing so will remove all provisioned users from the workspace.

OneLogin

Note: If you plan to provision users to Notion via OneLogin, it’s important to configure SCIM before configuring SSO.

Notion’s OneLogin SCIM integration supports the following provisioning features:

  • Creating users.

  • Updating user attributes, if the user has an email domain belonging to your organization.

  • Deactivating users, which removes them from your workspace.

  • Creating rules to map OneLogin roles with permission groups in Notion.

Step 1: Configure user provisioning in Notion

To configure user provisioning in Notion:

  1. Go to notion.com/settings/organization.

  2. Go to the General tab.

  3. Toggle on Enable SAML SSO. The SAML SSO configuration modal will automatically appear and prompt you to complete the setup.

  4. The SAML SSO configuration modal is divided into two parts:

    • The Assertion Consumer Service (ACS) URL needs to be entered in your Identity Provider (IdP) portal.

    • The Identity Provider Details is a field in which you need to provide either an IdP URL or IdP metadata XML.

  5. Go to the General tab and select SCIM provisioning.

  6. Copy an existing token or select Add token to create a new token.

Note: Workspace owners can only copy and use tokens that they themselves have generated. If a token has already been created by another workspace owner, you can coordinate to determine if another token is necessary. All tokens will expire once the workspace owner that generated the token leaves the workspace or is downgraded to a member.

Step 2: Configure provisioning in OneLogin

To configure user provisioning in OneLogin:

  1. Go to Administration Applications Applications.

  2. Click the Add App button, search for Notion in the search box, and select the SAML 2.0 version of Notion.

  3. Click Save.

  4. Go to the Configurations tab.

  5. Paste the Assertion Consumer Service (ACL) URL into the Consumer URL field.

  6. Paste the SCIM API token into the SCIM Bearer Token field.

  7. Click Enable.

  8. Go to the Provisioning tab.

  9. Under Workflow, check Enable provisioning.

  10. Click Save in the upper right corner.

    • You can optionally enable or disable requirement for admin approval when users are created, deleted, or updated under Require admin approval before this this action is performed.

    • You can optionally select what happens to a user in Notion when that user is deleted from OneLogin. Choose between Delete (removing the user from the Notion workspace) or Do Nothing.

  11. Click Save in the top right corner.

Give Feedback

Was this resource helpful?

Powered by Fruition