Overview
Hone supports SCIM (System for Cross-domain Identity Management) to automate user provisioning and deprovisioning from your identity provider (IdP).
When enabled, SCIM allows your IdP to automatically:
- Create new users in Hone
- Update user profile information
- Deactivate users when they leave your organization
SCIM works alongside Single Sign-On (SSO) to provide a complete identity management solution.
- SSO (SAML) = Authentication (how users log in)
- SCIM = User lifecycle management (who has access)
For the most secure and automated setup, we recommend enabling both SSO and SCIM.
Before You Begin
To configure SCIM:
- You must be a Hone Admin
- Your organization must use an Identity Provider (IdP) that supports SCIM 2.0
- An IdP Admin must be available to configure provisioning
While SCIM can be configured independently, most enterprise customers enable Single Sign-On (SSO) alongside SCIM for a complete identity management solution.
How SCIM Works in Hone
Once configured:
- Your IdP becomes the source of truth for user access
- Users are automatically created when assigned to the Hone app in your IdP
- Users are automatically deactivated when removed or deactivated in your IdP
- User profile attributes stay synced
This reduces manual user management and improves security compliance.
Step 1: Generate Your SCIM Credentials in Hone
Before your Identity Provider (IdP) administrator can configure SCIM, you must generate a SCIM token in Hone and share it securely.
Generate a SCIM Token
- Log in to Hone as an Account Admin.
-
Click the gear icon in the top-right corner to open Team Settings.
-
Navigate to SSO & Provisioning.
-
Under SCIM Provisioning, click Generate Token.
- Copy the token and store it securely.
- For security reasons, the token is only shown once. If it is lost, you must rotate the token and update it in your Identity Provider.
Copy SCIM Base URL
- Your Identity Provider administrator will use the following Base URL:
- https://app.honehq.com/scim/v2/
Step 2: Configure SCIM in Your Identity Provider
In your Identity Provider:
- Add a new application for Hone (or enable provisioning for your existing Hone SSO app)
- Enable SCIM Provisioning
- Enter the following:
- SCIM Base URL: (from Hone Admin settings)
- Authentication Method: Bearer Token
- Bearer Token: (generated in Hone)
- Test API credentials
- Enable provisioning
Your IdP may provide options for:
- Create Users
- Update Users
- Deactivate Users
We recommend enabling all supported lifecycle actions.
Step 3: Assign Users or Groups
After provisioning is enabled:
- Assign users or groups to the Hone application in your IdP
The IdP will automatically:- Create user accounts in Hone
- Sync user attributes
- Manage access updates
Supported SCIM Attributes
Hone supports standard SCIM Core 2.0 User fields and common Enterprise extensions (manager and department).
- userName
- User’s email address (must be unique)
- name.givenName
- First name
- name.familyName
- Last name
- addresses
- Address object(s)
If an attribute is updated in your IdP, it will update in Hone on the next sync.
Deprovisioning Hone Access
When a user is deactivated in your IdP, removed from the Hone Application in your IdP, or deleted in your IdP, their Hone account is automatically deactivated, which means their access to Hone is removed.
- This ensures access is removed promptly when employment status changes.
FAQ:
Do I need SCIM if I already have SSO?
- SSO handles authentication. SCIM handles automated provisioning. For enterprise-grade identity management, both are recommended.
Can I use SCIM without SSO?
- SCIM is designed to work alongside SSO. We recommend enabling SSO first.
Can I use SCIM and HRIS together?
- Yes. HRIS syncs employee data; SCIM manages account lifecycle.
What happens if SCIM is disabled?
- User accounts will no longer automatically provision or deprovision. Manual management would be required.
Please reach out to support@honehq.com if you have any questions regarding SCIM and its impact on the Hone platform!
Comments
0 comments
Article is closed for comments.