Set up SCIM provisioning with Google Workspace

Ben Pemstein Ben Pemstein
· Updated

Admins can connect Google Workspace to 15Five via SCIM 2.0 to automatically provision, update, and deactivate users. When complete, Google Workspace controls user lifecycle in 15Five without manual intervention.

Before You Begin

  • If you are also enabling SSO, set up SSO before enabling SCIM. See Set up SAML Single Sign-On (SSO) in 15Five.
  • If SSO and SCIM are both active, SSO passes only Email and Name ID. All other attributes are updated by SCIM.
  • If you need to onboard employees whose hire date in Google Workspace is in the past, complete a bulk CSV import first, then disable the Start date option in your SCIM settings. See Add Users via Bulk CSV Import.
  • To configure start date delays for new users, see [How do I configure start date delays using SCIM provisioning?].

Steps

  1. Go to Settings > Admin Settings > Features > Integrations.
  2. Click Enable to the right of SCIM 2.0.
  3. Click Generate OAuth token.

> Note: This page lists all tokens generated and who generated them. Copy the token before leaving this page.

  1. In Google Workspace, add the 15Five application and authorize it using the token from step 3.
  2. Click Service Provider Details.
  3. Enter your subdomain URL in the ACS URL, Connection URL, and Start URL fields.

- Format: https://yoursubdomain.15five.com/scim/v2/

  1. Select the Name ID you want to use as the unique identifier for employees.

- Most organizations use User ID or Email. - If you use Email and SSO, disable JIT provisioning in your 15Five SSO settings. A mismatched email address that is not immediately updated in 15Five can create duplicate accounts.

  1. Click Attribute Mapping.
  2. Map the attributes you want to sync from Google Workspace to 15Five. Attributes marked with (*) are required.

> Note: Do not send passwordProfile.password as an attribute if your organization uses SSO. User authentication is determined by your SAML configuration.

  1. Click Next.
  2. In Set provisioning scope, add groups to restrict provisioning to specific group members, or leave blank to provision all assigned users.
  3. Click Finish.
  4. Review the Provisioning summary dialog, then click OK.
  5. Click Activate provisioning, then click Activate in the confirmation dialog.

> Note: The first sync from Google Workspace to 15Five may take up to 40 minutes after credentials are saved. Subsequent syncs occur approximately every 20 minutes.

What Correct Setup Looks Like

After activation, navigate to Settings > Admin Settings > Features > Integrations. The SCIM 2.0 row shows Enabled. Within 40 minutes of the first sync, users assigned to the 15Five application in Google Workspace appear in Manage People in 15Five.

If Something Goes Wrong

Issue Check Fix
No users appear in 15Five after 40 minutes Confirm the OAuth token was entered correctly in Google Workspace Revoke and regenerate the token in Integrations > SCIM 2.0, re-enter in Google Workspace
Duplicate accounts created after email change Confirm JIT provisioning is disabled in SSO settings Disable JIT provisioning in Settings > SSO, then merge or delete the duplicate account
Attributes not updating after sync Confirm required (*) attributes are mapped in Attribute Mapping Edit the attribute mapping, ensure all required fields are mapped, then trigger a manual sync by updating any field on the user's profile
Manager field appears blank in 15Five Confirm managerId or managerEmail is mapped and populated in Google Workspace See Managers not syncing via Google Workspace SCIM for full diagnostic steps
Users added before SCIM was enabled are not updating or de-provisioning Those users may not be tracked by Google Workspace See Users not updating or de-provisioning via Google Workspace SCIM

Not Covered Here

This article covers initial SCIM setup only. For start date configuration, group syncing, disconnecting SCIM, and related FAQs, see the articles listed below.

Related Articles

Was this article helpful?

Sorry to hear that. Tell us what was missing →