If your organization uses an Identity Provider (IdP), Enpass can automatically provision and deprovision users via SCIM (System for Cross-domain Identity Management). User additions, updates, and removals in your IdP are reflected in Enpass without any manual intervention in the Admin Console.
Supported Identity Providers
Enpass supports all SCIM 2.0-compatible Identity Providers, including:
- OneLogin
- JumpCloud
- Ping Identity
Any other IdP that supports SCIM 2.0 can also be integrated using the same general setup process.
How It Works
Once configured, your IdP will automatically:
- Add new users when they are assigned to the Enpass application in your IdP.
- Update user attributes (such as display name and email address) when changed in the IdP.
- Remove users when they are removed or unassigned from the Enpass application.
- Update group membership: adding or removing a user from a provisioned group in your IdP is reflected in the corresponding group in Enpass.
Users provisioned this way are tagged with a SCIM label in the Admin Console Users list.
Note: By default, a license is automatically assigned to each provisioned user if one is available. To disable this behavior for your organization, contact Enpass Support.
⚠️ Administrator accounts cannot be removed or offboarded via SCIM. Their admin role must first be removed in the Enpass Admin Console before they can be deprovisioned.
Step 1: Generate a Provisioning Token
Before connecting your IdP, generate a provisioning token from the Enpass Admin Console. This token authenticates your IdP to the Enpass provisioning endpoint.
- Log in to the Enpass Admin Console.
- Click the User Menu in the top-right corner and select Settings.
- Select User Provisioning and click Create New Credentials.
- Enpass will send your Tenant URL and Secret Token to your registered email address.
- Open the email and click Get Secret Token to retrieve your credentials.
Note: Creating new credentials will invalidate any previously generated SCIM credentials. Both the Tenant URL and Secret Token are required when configuring the integration in your IdP.
Step 2: Configure Your Identity Provider
Follow the setup guide for your Identity Provider:
Microsoft Entra ID
For organizations using Microsoft 365 and Entra ID, see Setting Up Provisioning with Microsoft Entra ID.
Okta
For organizations using Okta as their primary Identity Provider, see Setting Up Provisioning with Okta.
Other Compatible IdPs
For any other SCIM 2.0-compatible IdP:
- In your IdP, locate the option to add a new application or SCIM integration.
- Set the Endpoint URL to the Provisioning Endpoint URL from the Admin Console.
- Set the Authentication Method to Bearer Token and paste in the token from Step 1.
- Configure attribute mappings (at minimum: email address and display name).
- Assign the Enpass application to the users or groups you want to provision.
- Test the connection and confirm users appear in the Admin Console.
Managing Users via Your IdP
Once provisioning is active, user lifecycle management happens in your IdP:
- To add a user — Assign them to the Enpass application in your IdP.
- To remove a user — Unassign them or deactivate their IdP account.
- To update a user's name or email — Update it in the IdP and it will sync to Enpass automatically.
- To manage group membership — Adding or removing a user from a provisioned group in your IdP is reflected in the corresponding group in Enpass.
You can still view and monitor all provisioned users from the Users section of the Admin Console, but changes should always be made in the IdP to avoid conflicts.
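A drift check for the model described above, as an added example that is not Enpass code: it compares the users assigned to the Enpass application in the IdP with the users listed in the Admin Console, and separates out administrators that SCIM cannot remove. The record shapes and field names (`email`, `display_name`, `scim`, `admin`) are assumptions for illustration, not an Enpass export format, and the sample data is constructed.

```python
# Added example: field names are assumptions, not an Enpass export format.
def _key(email):
    # Compare emails case-insensitively, ignoring surrounding whitespace.
    return email.strip().lower()


def audit(idp_assigned, enpass_users):
    """Return {category: sorted list of emails} for every mismatch found."""
    idp = {_key(u["email"]): u for u in idp_assigned}
    enp = {_key(u["email"]): u for u in enpass_users}
    findings = {
        "not_provisioned": [],  # assigned in the IdP, missing in Enpass
        "orphaned_scim": [],    # SCIM-labelled in Enpass, no longer assigned
        "admin_blocked": [],    # unassigned admin: SCIM cannot remove it
        "manual_account": [],   # present in Enpass without the SCIM label
        "attribute_drift": [],  # display name differs from the IdP value
    }
    findings["not_provisioned"] = sorted(idp.keys() - enp.keys())
    for email in sorted(enp):
        user, assigned = enp[email], email in idp
        if not assigned and user.get("admin"):
            findings["admin_blocked"].append(email)
        elif not assigned and user.get("scim"):
            findings["orphaned_scim"].append(email)
        elif not user.get("scim"):
            findings["manual_account"].append(email)
        elif user["display_name"] != idp[email]["display_name"]:
            findings["attribute_drift"].append(email)
    return findings


# Constructed sample data.
IDP_ASSIGNED = [
    {"email": "alice@example.com", "display_name": "Alice Ng"},
    {"email": "Bob@example.com", "display_name": "Bob Osei"},
    {"email": "erin@example.com", "display_name": "Erin Roy"},
]
ENPASS_USERS = [
    {"email": "alice@example.com", "display_name": "Alice N.", "scim": True, "admin": False},
    {"email": "bob@example.com", "display_name": "Bob Osei", "scim": True, "admin": False},
    {"email": "carol@example.com", "display_name": "Carol Diaz", "scim": True, "admin": False},
    {"email": "dave@example.com", "display_name": "Dave Kim", "scim": True, "admin": True},
    {"email": "frank@example.com", "display_name": "Frank Li", "scim": False, "admin": False},
]

if __name__ == "__main__":
    for category, emails in audit(IDP_ASSIGNED, ENPASS_USERS).items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Accounts reported under `admin_blocked` need their admin role removed in the Admin Console before they can be deprovisioned.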