Cardholders may find other articles in the Ramp overview section to be more applicable.
Overview
Ramp supports user management via the System for Cross-domain Identity Management (SCIM) protocol. Ramp admins can manage all user provisioning from their identity provider (IdP) as a single source of truth. Benefits include:
- Automatic user provisioning
- Centralized control of user information
- Secure and immediate user de-provisioning upon user removal
- Reversible user de-provisioning with support for deactivation rather than deletion
Today, we support SCIM integrations with Okta and Microsoft Entra. You can refer to the linked articles for step-by-step guidance for setting up the integrations from the App Center.
Note: SCIM integrations for user management are separate from SSO integrations for user login. For more information on using SSO at Ramp, please see this article.
Jump to:
- Easy integration setup
- Clear integration management
- Centralized view of all user updates
- Convenient user provisioning
- Automatic user information updates
- Secure yet flexible user termination via deactivation
Easy integration setup
Navigate to the App Center and search either "Okta" or "Microsoft Entra" to find the relevant integration.
Review the overview page then follow the step-by-step wizard for a clear and convenient setup process. Note: You will need to have access to both Ramp and your IdP to complete the setup. Our integration guides can be found below:
Clear integration management
The SCIM Settings page is your Ramp control center for SCIM. Here you can:
- View the last sync time.
  - This is the last time we received a SCIM update from your IdP. If you think your connection is having an issue, we recommend checking this timestamp.
- See the number of users invited and terminated via SCIM
- Configure your offboarding options (See Terminations section below)
- View integration information in case you need to reconnect at some point
- “Disconnect” the integration.
  - Disconnecting will prevent any future data syncing. To fully disconnect, go to your IdP and follow the steps to delete the SCIM integration.
Centralized view of all user updates
In the People tab, there will be a new button in the top right corner to review team updates. A new modal will pop up with the following information:
- Pending invites
- Inactive users
- Users that were unable to be invited due to sync errors
Sync errors
Below is the list of all possible sync errors between Ramp and the IdP:
Reason | Error message |
Circular manager | Employees can't be assigned as their manager's manager |
Invalid manager | Manager's email is not associated with an eligible profile in Ramp |
Self manager | Employees can't be assigned as their own manager |
Duplicate email | Email is already associated with another employee |
Invalid name | Ensure first and last name are entered correctly |
Invalid location change | Location cannot be assigned to an entity using a different issuing currency |
Invalid role assignment | User is not eligible to receive assigned role |
Convenient user provisioning
When you connect to your IdP via SCIM, you will be able to automatically invite users to Ramp from your IdP. Note that you can provision users individually and via groups!
Ramp requires the following information to send the invite:
- First Name
- Last Name
- Email address
- Department
- Location
- Manager
In order to successfully send a user invite via SCIM, the required fields must be populated in your IdP, otherwise the invite will not be sent. If the user is missing any required fields, the request will fail. You can track errors/unsent invites in the IdP and in the Team updates modal of the Ramp People tab discussed earlier.
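A pre-flight check over IdP records before provisioning, covering the required fields above and the manager and duplicate-email sync errors listed earlier. This is an added example, not Ramp's code; the record keys, `preflight` and `existing_emails` (emails of profiles already in Ramp) are assumptions for illustration.

```python
# Added example, not Ramp's code. Record keys are assumed names for the six
# fields this page lists as required; map your IdP's attributes onto them.
REQUIRED = ("first_name", "last_name", "email", "department", "location", "manager_email")

def norm(value):
    return (value or "").strip().lower()

def preflight(users, existing_emails=()):
    """Return {email: [reasons]} for records expected to fail to sync."""
    errors, manager_of = {}, {}
    for u in users:
        email = norm(u.get("email"))
        key = email or "<missing email>"
        missing = [f for f in REQUIRED if not norm(u.get(f))]
        if missing:
            errors.setdefault(key, []).append("Missing required: " + ", ".join(missing))
        if email in manager_of:
            errors.setdefault(key, []).append("Duplicate email")
        elif email:
            manager_of[email] = norm(u.get("manager_email"))

    known = set(manager_of) | {norm(e) for e in existing_emails}
    for email, mgr in manager_of.items():
        if not mgr:
            continue  # already reported as a missing required field
        if mgr == email:
            errors.setdefault(email, []).append("Self manager")
        elif mgr not in known:
            errors.setdefault(email, []).append("Invalid manager")
        elif manager_of.get(mgr) == email:  # A manages B and B manages A
            errors.setdefault(email, []).append("Circular manager")
    return errors

def rec(email, manager, department="Finance"):
    return {"first_name": "Test", "last_name": "User", "email": email,
            "department": department, "location": "NYC", "manager_email": manager}

# Constructed sample records (not real data).
SAMPLE = [
    rec("ana@example.com", "cfo@example.com"),
    rec("bo@example.com", "cy@example.com"),
    rec("cy@example.com", "bo@example.com"),
    rec("dee@example.com", "dee@example.com"),
    rec("eli@example.com", "ghost@example.com"),
    rec("fay@example.com", "ana@example.com", department=""),
    rec("Ana@example.com", "cfo@example.com"),  # same address, different case
]

if __name__ == "__main__":
    for email, reasons in preflight(SAMPLE, ["cfo@example.com"]).items():
        print(email, "->", "; ".join(reasons))
```

The reason strings mirror the "Reason" column of the sync error table; the checks only approximate Ramp's server-side validation, so a clean result here does not guarantee a clean sync.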
Ramp invites are sent to users via email. The invite email “sender” is set to the user’s manager; if the user doesn’t have a manager, it falls back to the Ramp account owner.
If you also have SSO/SAML set up, your users can access Ramp using SSO and don't need to accept the invite via email.
Leveraging user groups from the IdP
You can create a group in the IdP and provision users via that group.
Note that user groups in the IdP will not propagate as distinct groups in Ramp - only Department and Location will be saved as tabs in the People page.
Automatic user information updates
Any time a user’s information is updated in your IdP system, the SCIM integration will update the user’s information in Ramp. Your IdP will be the source of truth for all employee information. The following information is automatically updated via SCIM.
Note: Email changes are not currently supported. The resolution is to ask your admin to change the email manually and update SCIMUser.user_name and .email.
User attribute | Supported by Okta? | Supported by Entra? |
Name | Yes | Yes |
Department | Yes | Yes |
Location | Yes | Yes |
Manager | Yes | Yes |
Role | Yes* (Managers must be assigned as another Employee's manager in the IdP to be upgraded in Ramp) | Yes |
Email changes | No | No |
Secure yet flexible user termination via deactivation
When a user is de-provisioned from your IdP, we will automatically deactivate (not delete) their Ramp account. Note that this is different from user deletion, an irreversible process.
As part of deactivation, users will be put in a new inactive state where they:
- Cannot log in
- Cannot spend on cards or funds
- Will not receive Ramp notifications
However, note that the users on Ramp will not be deleted, their cards and funds will not be terminated, AND they will remain listed in workflows - a change from the previous behavior with user deletion.
This inactive state is reversible. Upon reactivation:
- Users can log in to Ramp again.
- Users can spend on their previously issued cards and funds.
- Users will resume receiving Ramp notifications.
Impact on workflows and approvals
While a user is inactive:
- They will be indicated as “(Inactive)” on the People table.
- They will remain in their assigned Ramp workflows.
- They will remain as managers if they are assigned as such.
- However, they will be unable to perform actions related to these duties due to their inability to log in to Ramp.
Deleting users and terminating cards and funds
Ramp will no longer automatically delete users and terminate their cards and funds based on a SCIM instruction. If a customer wants to delete users and terminate their cards and funds permanently, they need to log in to Ramp and perform these actions manually.
When performing these actions on Ramp, customers will have options to:
- Terminate or reassign any active cards or funds.
- Replace the user in any active workflows.
These options are consistent with the current user deletion functionality.