Overview
System for Cross-domain Identity Management (SCIM) lets your Identity Provider (IdP) automatically provision, update, and deprovision users in Yousign. Once configured, any user lifecycle change in your IdP — new hires, leavers, role changes — is reflected in Yousign without manual intervention.
What SCIM handles in Yousign
Automatic user provisioning when added in your IdP
Automatic user deactivation when removed from your IdP
Name and Role synchronisation — keep Yousign roles in sync with your IdP
It is not possible to create, deactivate or delete the Owner of the Yousign organisation.
Scope
Role Supported attribute
Group-based provisioning is not yet available in this version.
Supported Identity Providers
All IdPs for which SSO configuration is available and that support SCIM.
Before You Start
Before configuring SCIM, make sure you have:
SCIM and SSO add-on activated on your account
Admin access to Yousign
Admin access to your IdP
Single Sign-On (SSO) already configured and active on your Yousign account — SCIM requires SSO to be enabled first. See the SSO setup guide if needed.
Step 1 — Generate Your SCIM Credentials in Yousign
Before configuring your IdP, you need to retrieve the SCIM endpoint and generate an API token from your Yousign workspace.
Sign in to Yousign as an admin.
Go to Settings → Access security → SCIM.
Click Activate.
Please note that any pending invitations will be deleted. Additionally, until SCIM is deactivated, invitations and user information (email, name, first name) can only be managed from your IdP.
Copy the SCIM Endpoint URL — you will need this in your IdP configuration.
Click Generate Token to create a Bearer token.
Copy the token immediately — it will not be shown again. Store it securely.
You can delete the token and regenerate it at any time from this page. Deleting the token will invalidate it and temporarily interrupt provisioning until you update the token in your IdP.
Step 2 — Understand Yousign Roles
Yousign uses the following roles. The role you assign in your IdP must exactly match one of these values (case-insensitive):
Role name | IdP attribute value | Description |
Admin | admin | Full access to workspace settings, billing, and user management. |
Member | member | Standard user who can send and sign documents. |
The expected API syntax is shown below. Note: no additional parameters are supported here (for example, primary is not supported).
"roles": [ { "value": "admin", "type": "role" } ]
If no role is provided, the user will be provisioned as Member by default.
Step 3 — Configure your IdP
What You Need from Yousign
Retrieve these two values from Yousign before starting (see Step 1):
Parameter | Value / Where to find it |
SCIM Base URL | Settings → Access Security → SCIM → Endpoint URL |
Bearer Token | Settings → Access Security → SCIM → Bearer Token |
SCIM Endpoint & Authentication
Enter the following in your IdP's SCIM provisioning configuration:
Setting | Value |
SCIM version | SCIM 2.0 |
Base URL | Your Yousign SCIM Base URL (no trailing slash) |
Authentication method | HTTP Header — Bearer token |
Token | Your Yousign Bearer token |
Supported provisioning actions | Push New Users; Push Profile Updates |
Unique identifier field for users | This should map to an immutable email in your IdP attributes, typically |
Required Attribute Mappings
Your IdP must send the following SCIM attributes. Map your directory attributes to these SCIM paths:
SCIM attribute | Expected value | Required |
userName | User's email address (unique immutable identifier) | Yes |
emails[primary eq true].value | User's email address | Yes |
name.givenName | User's first name | Yes |
name.familyName | User's last name | Yes |
active | true / false — controls activation and deprovisioning | Yes |
roles[type eq "role"].value | One of: admin, member | Recommended |
name.givenName and name.familyName must respect the following limitations: max 150 characters. Allowed characters are: letters, numbers, spaces, apostrophes, hyphens, parentheses and accented letters. Cannot start or end with a space, and cannot contain 10 consecutive digits.
If name.givenName or name.familyName does not match Yousign's accepted format, that field will be ignored during provisioning. The user account will still be created successfully, but the name fields will be left empty and the user will be prompted to complete them at first login.
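A pre-flight check for directory records, added here as an example (not Yousign's code): it builds the SCIM user body from the required attributes and role syntax described above and flags names that would be ignored under the stated limits. The function names, the ASCII punctuation set and the sample values are assumptions.

```python
import json
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_ROLES = {"admin", "member"}  # role values listed on this page
ALLOWED_PUNCT = set(" '-()")         # assumption: ASCII forms of the allowed punctuation


def name_is_accepted(name):
    """Apply the page's stated limits for name.givenName / name.familyName."""
    if not name or len(name) > 150 or name != name.strip(" "):
        return False
    if re.search(r"\d{10}", name):   # 10 consecutive digits are not allowed
        return False
    # str.isalnum() is Unicode-aware, so accented letters pass.
    return all(c.isalnum() or c in ALLOWED_PUNCT for c in name)


def build_scim_user(email, given, family, role=None, active=True):
    """Return (payload, warnings) for a SCIM 2.0 create-user request."""
    role_value = (role or "member").lower()  # Member is the default; matching is case-insensitive
    if role_value not in ALLOWED_ROLES:
        raise ValueError(f"role {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    warnings = [
        f"{path} does not match the accepted format and would be left empty"
        for path, value in (("name.givenName", given), ("name.familyName", family))
        if not name_is_accepted(value)
    ]
    payload = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "emails": [{"value": email, "primary": True}],
        "name": {"givenName": given, "familyName": family},
        "active": active,
        # Only value and type: extra parameters such as primary are not supported here.
        "roles": [{"value": role_value, "type": "role"}],
    }
    return payload, warnings


if __name__ == "__main__":
    # Constructed sample record, not real data.
    body, notes = build_scim_user("zoe.oneil@example.com", "Zoé ", "O'Neil", "Admin")
    print(json.dumps(body, indent=2, ensure_ascii=False))
    print(notes)
```

Running it over a directory export before the first provisioning cycle shows which accounts would arrive in Yousign with empty name fields.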
Supported SCIM Operations
Yousign supports the following SCIM 2.0 operations. Enable these in your IdP where applicable:
Operation | Supported | Effect in Yousign |
Create user (POST /Users) | Yes | Provisions a new user account |
Update user (PATCH /Users/{id}) | Yes | Updates name, email, or role |
Deactivate user (PATCH active=false) | Yes | Suspends the user |
Delete user (DELETE /Users/{id}) | Yes | Deletes the user (data retained) |
Get user (GET /Users/{id}) | Yes | Used by IdP to check existence |
List users (GET /Users) | Yes | Used by IdP for reconciliation |
Seat Limit Behaviour
Yousign enforces a seat limit based on your subscription plan. When SCIM attempts to provision a new user and the seat limit has already been reached:
The user is not created — provisioning for that user is blocked.
An email notification is automatically sent to Admins and Owners, informing them that the seat limit has been reached and that provisioning could not complete.
Provisioning resumes normally once additional seats are purchased or existing users are deprovisioned.
Verifying the Setup
After your first provisioning cycle runs:
Go to Yousign Settings → Users.
Confirm that provisioned users appear with the correct role.
Check your IdP's provisioning logs for any errors or skipped users.