LinkTime
Log inGet Started

SCIM Provisioning

Automatically provision and deprovision LinkTime users from your Identity Provider — no manual invites, no stale accounts.

Overview

SCIM (System for Cross-domain Identity Management) is an industry standard protocol that lets your company's user directory — managed through an Identity Provider (IdP) like Okta, Azure AD, or Google Workspace — automatically push user changes to the apps your team uses.

In practice, this means: when your IT admin adds a new hire to your company directory, that person automatically gets a LinkTime account. When someone leaves and is removed from the directory, their LinkTime access is revoked instantly — no manual work, no forgotten accounts.

Without SCIM, org admins have to manually invite each user and remember to remove them when they leave. With SCIM, your IdP handles it all. This is especially important for security — deprovisioned users can't access scheduling data or accept meetings on behalf of your company.

  • Automatic onboarding — New hires in your IdP get a LinkTime account without any manual invitation
  • Instant offboarding — Removing a user from your IdP deprovisions their LinkTime account and cancels upcoming bookings
  • Email sync — Email address changes in your IdP propagate to LinkTime automatically
  • SCIM 2.0 standard — Works with any compliant IdP that supports HTTP Header Bearer authentication

Business plan required — SCIM provisioning is an enterprise feature available on the Business plan. Booking history and user records are preserved after deprovisioning, so your audit trail stays intact.

Requirements

Before configuring SCIM, make sure you have:

  • Business plan — SCIM is not available on Free or Pro plans
  • Organization admin role — You must be the organization OWNER or have ADMIN role to generate a SCIM token
  • An Identity Provider — Okta, Azure AD (Entra ID), or any other SCIM 2.0-compliant IdP

Generating a Token

LinkTime uses a long-lived Bearer token to authenticate SCIM requests from your IdP. Generate one from your organization settings:

  1. 1Go to your Dashboard and navigate to Organization → SCIM
  2. 2Click Generate Token
  3. 3Copy the token immediately — it is shown only once and cannot be retrieved later
  4. 4Store the token securely (e.g., in a password manager) — you will paste it into your IdP

Lost your token? If you lose the token, generate a new one. The old token is invalidated immediately — update your IdP configuration with the new token to restore provisioning.

SCIM Base URL

All SCIM requests must use the following base URL. Enter this in your IdP's SCIM configuration:

https://linktime.io/api/scim/v2

The full Users endpoint (used by your IdP) is https://linktime.io/api/scim/v2/Users. Discovery endpoints at /ServiceProviderConfig and /Schemas describe the server's capabilities to compliant IdPs.

Okta Setup

Follow these steps to configure automatic provisioning from Okta:

  1. 1
    Create a new SCIM app

    In the Okta Admin Console, go to Applications → Applications → Browse App Catalog and search for SCIM 2.0 Test App (Header Auth). Click Add Integration.

  2. 2
    Set the SCIM Base URL

    In the Provisioning tab, go to Integration and set the SCIM connector base URL to:

    https://linktime.io/api/scim/v2
  3. 3
    Set the unique identifier field

    Set Unique identifier field for users to userName.

  4. 4
    Configure authentication

    Select HTTP Header as the authentication mode. In the Authorization field, enter your SCIM token (the full token string, without the word “Bearer”). Okta will prefix it automatically.

  5. 5
    Test the connection

    Click Test Connector Configuration. A success message confirms LinkTime can be reached and the token is valid.

  6. 6
    Enable provisioning actions

    In the To App section, enable Create Users and Deactivate Users. Optionally enable Update User Attributes to sync email changes.

  7. 7
    Assign users or groups

    Go to the Assignments tab and assign the relevant users or groups. Assigned users will be provisioned in LinkTime immediately.

Azure AD Setup

Follow these steps to configure automatic provisioning from Azure Active Directory (Entra ID):

  1. 1
    Create an Enterprise Application

    In the Azure Portal, go to Azure Active Directory → Enterprise Applications → New Application. Select Create your own application, name it “LinkTime”, and choose Integrate any other application you don't find in the gallery.

  2. 2
    Open Provisioning settings

    In your new application, go to Provisioning → Get started and set the Provisioning Mode to Automatic.

  3. 3
    Enter Tenant URL and Secret Token

    Under Admin Credentials, set:

    • Tenant URL: https://linktime.io/api/scim/v2
    • Secret Token: paste your SCIM token
  4. 4
    Test the connection

    Click Test Connection. Azure will verify that it can reach the SCIM endpoint and that the token is valid. A green checkmark confirms success.

  5. 5
    Configure attribute mappings

    Under Mappings, open Provision Azure Active Directory Users. The default mappings work well. At minimum, confirm that userPrincipalName maps to userName and mail maps to emails[type eq "work"].value.

  6. 6
    Set scope and save

    Under Settings, set Scope to Sync only assigned users and groups. Click Save.

  7. 7
    Assign users

    Go to Users and groups and add the users or groups you want to provision. Azure will sync them on the next provisioning cycle (every ~40 minutes).

What Gets Synced

Here is exactly what happens for each provisioning action:

New user provisioned

  • A new LinkTime account is created with the user's email address
  • The user is added to your organization as a MEMBER
  • The user can sign in immediately using your IdP via SSO

User deprovisioned (removed from IdP)

  • Upcoming bookings are cancelled and invitees are notified
  • The user is removed from your organization
  • The user account is deactivated — they can no longer sign in
  • The user record is preserved — past bookings and history remain intact for audit purposes

Email address changed

  • The user's email is updated in LinkTime to match the new address in your IdP

Supported Filters

LinkTime's SCIM implementation supports a subset of the SCIM filter grammar used by IdPs when checking if a user already exists before creating them.

OperatorMeaningSupported Attributes
eqEqualsuserName, externalId, emails.value, displayName
coContainsuserName, emails.value, displayName
swStarts withuserName, emails.value, displayName

Unsupported filter expressions return an empty result list (not an error), so your IdP will simply see no matching users.

API Endpoints

These are the SCIM 2.0 endpoints exposed by LinkTime. Your IdP calls these automatically — you do not need to interact with them directly.

MethodEndpointPurpose
GET/UsersList or search users (supports filter, startIndex, count)
POST/UsersCreate a new user (provision)
GET/Users/{id}Retrieve a specific user by ID
PUT/Users/{id}Replace a user's attributes (full update)
PATCH/Users/{id}Update specific attributes or deactivate a user
DELETE/Users/{id}Deprovision a user
GET/ServiceProviderConfigDiscovery: supported features and authentication schemes
GET/SchemasDiscovery: SCIM schema definitions

All endpoints require a valid Authorization: Bearer <token> header. Requests with a missing or invalid token receive a 401 Unauthorized response.

Troubleshooting

Test connection returns 401 Unauthorized

The SCIM token is invalid or missing. Go to Organization → SCIM in your dashboard, generate a new token, and update your IdP configuration with the new token. Make sure you copied the full token string without any leading or trailing spaces.

Test connection returns 403 Forbidden

Your organization is not on the Business plan, or SCIM is not enabled for your account. Upgrade to Business at linktime.io/pricing to unlock SCIM provisioning.

Users are not being provisioned after assignment

For Azure AD: provisioning cycles run approximately every 40 minutes. You can trigger an on-demand sync from Provisioning → Provision on demand. For Okta: check the application's Provisioning → Tasks tab for error messages.

SCIM Token option is not visible

Only organization OWNER and ADMIN roles can see and manage the SCIM token. Ask your organization owner to generate the token and configure the IdP, or ask them to grant you admin access first.

A deprovisioned user can still sign in

If your organization uses SSO, the user's IdP session may still be active. Revoke the session in your IdP as well. LinkTime will reject new sign-in attempts from deprovisioned users as soon as the SCIM PATCH or DELETE request is processed.

← Back to Documentation