SCIM v2 provisioning lets you synchronize user accounts and groups between TalentLMS and your identity provider (IdP) through the SCIM v2 API. It helps automate user and group management, saving time while centralizing user access. Common uses include creating new users in TalentLMS, activating or deactivating users, updating user profiles automatically, creating groups, and managing group memberships.
How to configure SCIM provisioning with Entra ID
We have broken down our guide into four sections:
A. Features
B. Requirements
C. Configuration
D. Known issues & troubleshooting
Let’s start!
A. Features
The supported provisioning features are:
- Push New Users: Users created in Entra ID are automatically added to TalentLMS.
- Push Profile Updates: Updates made to user profiles through Entra ID are synced to TalentLMS.
- Push User Deactivation/Activation: Deactivating a user or revoking their access to the application through Entra ID deactivates the user in TalentLMS. User activation is also supported.
- Push New Groups: Groups assigned to the TalentLMS enterprise application in Entra ID are automatically created in TalentLMS if they don't already exist.
- Push Group Memberships: Users are automatically added to or removed from TalentLMS groups based on their group memberships in Entra ID.
B. Requirements
To configure provisioning for TalentLMS, you first need to configure SSO with TalentLMS. To do that:
1. Sign in to your TalentLMS account as Administrator, go to Account & Settings > Users tab.
2. Click Single Sign-on (SSO) (1). Go to this article to find the values for the required fields. In the same article, follow the instructions in Section B for configuring a custom App in Entra ID (Azure AD).
3. Click Save and check your configuration (2). You will be prompted to log in to Entra (Azure) and will then be redirected to TalentLMS, where you can confirm that all the required user attribute/value pairs (e.g., username/TargetedID, user email) are returned from Entra ID (Azure AD).
4. Before returning to your Entra ID custom app page, check Enable SCIM v2 user provisioning (3) and, if you wish to synchronize groups, check Enable SCIM v2 group provisioning (4). Then, note down the provided SCIM key.
C. Configuration
To configure provisioning for TalentLMS using a custom Entra app, follow these steps:
1. Sign in to your Entra ID dashboard, go to the Enterprise applications, and from the top menu, click New application.
2. Click Create your own application, give it a name, select Integrate any other application you don't find in the gallery, and click Create.
3. Click Provision from the left-side menu and then Get started.
4. For Provision mode, select Automatic.
On Admin Credentials, fill the 2 available fields as follows:
- Tenant URL (1): https://yourdomain.talentlms.com/api/scim2. Replace yourdomain with your actual TalentLMS domain name. If you have mapped a custom domain name for your TalentLMS portal, use the custom domain name instead.
- Secret Token (2): Paste the SCIM Key as shown in the TalentLMS SSO form.
5. Click Test connection and, if successful, click Save.
| Note: You can setup custom mapping to send a value from user profiles in EntraID (AzureAD) to TalentLMS for assigning user-types and timezone. For example, to sync user-type from Entra (Azure) to TalentLMS via SCIM, the custom attribute mapping must have the Target Attribute as userType. |
D. Known issues & troubleshooting
Before you start using your EntraID (Azure AD)-enabled user provisioning service, take a look at these important notes:
- When the “Time zone” and “User type” attributes are not defined for a specific user, then their TalentLMS user account is assigned the default values. To customize the time zone, go to Home > Account & Settings > Basic settings > Locale. The default user type can be configured from Home > Account & Settings > Users. Default values for each branch can be configured from the branch homepage by the branch admin.
- When you delete a provisioned user account in TalentLMS, you must make sure the account is deleted permanently. That way, when creating a new user through user provisioning, you avoid getting an error message that their email is not unique. For more on deleting user accounts permanently, see this article.
- When configuring SCIM group provisioning for a branch, existing TalentLMS groups must already be associated with that branch in the portal to be matched. Otherwise, Entra ID creates a new group during provisioning because the existing group isn't returned by the branch SCIM endpoint.
- If group membership provisioning fails, navigate to Enterprise applications > select your custom TalentLMS application, and go to Provisioning > Attribute mapping > Provision Microsoft Entra ID Groups. Delete the External ID attribute mapping, click Save, and run provisioning again.
- When trying to push a user to your TalentLMS domain through the SCIM v2 API, you may get the following error message: "A user with the same email address already exists." This could mean two things:
A. There’s already a TalentLMS user account for the same user registered with that email address, but the username is different from the one pushed by Entra ID. In that case, the username matching fails due to the email address not being unique, so TalentLMS tries to create a new user account. The issue is resolved by changing the user’s username either in Entra ID or in TalentLMS to match the other one.
B. You have recently deleted a TalentLMS user that was registered with that same email address. In that case, the new user’s email is not recognized as unique because the old user isn’t permanently deleted (i.e., TalentLMS doesn’t remove users permanently at first delete so that you can restore a user if they’ve been deleted accidentally). The issue is resolved by permanently deleting the user who has the same email. For more on deleting users permanently, see this article.