Setting up SCIM and managing user provisioning

Note: This article primarily applies to Ramp Administrators. Cardholders may find other articles in the Ramp overview section to be more applicable.

Overview

Ramp supports user management via the system for cross-domain identity management (SCIM) protocol. Ramp admins can manage all user provisioning from their identity provider (IdP) as a single source of truth. Benefits include:

Automatic user provisioning
Centralized control of user information
Secure and immediate user de-provisioning upon user removal
Reversible user de-provisioning with support for deactivation rather than deletion

Today, we support SCIM integrations with Okta, Microsoft Entra, and Rippling. You can refer to the linked articles for step-by-step guidance for setting up the integrations from the Integrations tab.

Note: SCIM integrations for user management are separate from SSO integrations for user sign-in. For more information on using SSO at Ramp, please see this article.

Important: What SCIM controls (and what it overwrites) When SCIM is enabled, your identity provider becomes the source of truth for the following fields: first name, last name, email, department, location, manager, and role. Manual changes to these fields in Ramp will be overwritten on the next sync cycle (typically within 5-10 minutes). By default, role is determined by manager assignment: users assigned as another employee's manager in your identity provider are automatically given the Manager role in Ramp. For more granular role control, you can configure explicit role assignments — see the setup guides for Okta, Microsoft Entra, or Rippling. To make permanent changes to SCIM-managed fields, update them in your identity provider instead. Exception: Email changes through SCIM still require the employee to confirm via a verification email. This is the only SCIM-managed field that requires user action. Fields NOT managed by SCIM (safe to edit in Ramp): spend allocations, card settings, custom fields (unless separately mapped), approval chains, and accounting fields.

Easy integration setup

Navigate to the Integrations and search either "Okta" or "Microsoft Entra" to find the relevant integration.

Ramp App center showing Microsoft Entra integration search result

Review the overview page then follow the step-by-step wizard for a clear and convenient setup process. Note: You will need to have access to both Ramp and your IdP to complete the setup. Our integration guides can be found below:

Ramp SCIM setup wizard showing step-by-step instructions for Okta

Clear integration management

The SCIM Settings page is your Ramp control center for SCIM. Here you can:

View the last sync time.

This is the last time we received an SCIM update from your IdP. If you think your connection is having an issue, we recommend checking this timestamp.

See the number of users invited and terminated via SCIM
Configure your offboarding options (See Terminations section below)
View integration information in case you need to reconnect at some point
“Disconnect” the integration.

Disconnecting will prevent any future data syncing. To fully disconnect, go to your IdP and follow the steps to delete the SCIM integration.

SCIM Settings page showing last sync time, notification recipients, and fallback fields

Centralized view of all user updates

In the People tab, there will be a new button in the top right corner to review team updates. A new modal will pop up with the following information:

Pending invites
Inactive users
Users that were unable to be invited due to sync errors

Team updates modal showing Out of sync tab with SCIM sync errors

Sync errors

Below is the list of all possible sync errors between Ramp and the IdP:

Reason	Error message
Circular manager	Employees can't be assigned as their manager's manager
Invalid manager	Manager's email is not associated with an eligible profile in Ramp
Self manager	Employees can't be assigned as their own manager
Duplicate email	Email is already associated with another employee
Invalid name	Ensure first and last name are entered correctly
Invalid location change	Location cannot be assigned to an entity using a different issuing currency
Invalid role assignment	User is not eligible to receive assigned role

Convenient user provisioning

When you connect to your IdP via SCIM, you will be able to automatically invite users to Ramp from your IdP. Note that you can provision users individually and via groups!

Ramp requires the following information to send the invite:

First Name
Last Name
Email address
Department
Location
Manager

In order to successfully send a user invite via SCIM, the required fields must be populated in your IdP, otherwise the invite will not be sent. If the user is missing any required fields, the request will fail. You can track errors/unsent invites in the IdP and in the Team updates modal of the Ramp People tab discussed earlier.

Ramp invites are sent to users via email automatically after the users are provisioned. The invite email “sender” is set to the user’s manager. If the user doesn’t have a manager, it falls back to the Ramp account owner. In other words, new users provisioned via SCIM will receive an invite email from their manager. If they don’t have a manager, it will come from the Ramp account owner.

Note: Invites created through SCIM provisioning have a 90-day expiration window, compared to the default 14-day window for manually sent invites. This gives users more time to accept their invite when provisioned through an identity provider.

If you also have SSO/SAML set up, your users can access Ramp using SSO and don't need to accept the invite via email.

Leveraging user groups from the IdP

You can create a group in the IdP and provision users via that group.

Note that user groups in the IdP will not propagate as distinct groups in Ramp - only Department and Location will be saved as tabs in the People page.

Automatic user information updates

Any time a user’s information is updated in your IdP system, the SCIM integration will update the user’s information in Ramp. Your IdP will be the source of truth for all employee information. The following information is automatically updated via SCIM.

User attribute

Supported by Okta?

Supported by Entra?

Name

Yes

Department

Yes

Location

Yes

Manager

Yes

Role

Yes (by default via manager assignment; explicit role assignments also available)

User attribute	Supported by Okta?	Supported by Entra?
Name	Yes	Yes
Department	Yes	Yes
Location	Yes	Yes
Manager	Yes	Yes
Role	Yes (by default via manager assignment; explicit role assignments also available)	Yes (by default via manager assignment; explicit role assignments also available)

Troubleshooting SCIM sync issues

Users not appearing after provisioning

SCIM sync is not instant. Changes from your identity provider may take up to 5-10 minutes to appear in Ramp (Okta) or up to 40 minutes (Entra, which syncs approximately every 40 minutes).
Verify the user is assigned to the Ramp application in your identity provider.
Check that the user has values for both department AND location. Users missing these fields will not be provisioned.
Confirm the SCIM connection is active by navigating to SCIM Settings in Ramp and checking the last sync timestamp.

Attributes not mapping correctly

Verify attribute mappings in your identity provider match the expected format in Ramp.
SCIM attribute names sent in camelCase are automatically converted to snake_case in Ramp.
For custom field mappings, ensure the SCIM attribute external name matches exactly (case-sensitive, snake_case).

For provider-specific troubleshooting, refer to the setup guides for Okta, Microsoft Entra, or Rippling.

Secure yet flexible user termination via deactivation

When a user is de-provisioned from your IdP, we will automatically deactivate their Ramp account. Deactivation is reversible — the user can be reactivated later if needed.

As part of deactivation, users will be put in an inactive state where they:

Cannot sign in
Cannot spend on cards or funds
Will not receive Ramp notifications

The user's Ramp account will not be deleted, their cards and funds will not be terminated, and they will remain listed in workflows.

This inactive state is reversible. Upon reactivation:

Users can sign in to Ramp again.
Users can spend on their previously issued cards and funds.
Users will resume receiving Ramp notifications.

Impact on workflows and approvals

While a user is inactive:

They will be indicated as “(Inactive)” on the People table.
They will remain in their assigned Ramp workflows.
They will remain as managers if they are assigned as such.
However, they will be unable to perform actions related to these duties due to their inability to sign in to Ramp.

Deleting users and terminating cards and funds

Ramp will no longer automatically delete users and terminate their cards and funds based on a SCIM instruction. However, you can enable auto-termination to automatically terminate eligible SCIM-deactivated users after a configurable waiting period (default: 45 days). For details, see Auto-termination with SCIM.

If you prefer to handle termination manually, you can sign in to Ramp and perform these actions yourself.

When performing these actions on Ramp, customers will have options to:

Terminate or reassign any active cards or funds.
Replace the user in any active workflows.