How to set up SCIM user provisioning

read
Last updated at:

You will learn

Learn how to set up a system for cross-domain identity management (SCIM) user provisioning in Klaviyo.

This feature is currently in limited availability. If you don't see it in your account, stay tuned!

Before you begin

SCIM is only available for Klaviyo One users.

Note that SCIM provisioning is often an add-on for IdPs (e.g., they require a separate SCIM plan in addition to an SSO plan). If you don't see the following steps in your IdP, please confirm you have the correct plan. 

Turn on SCIM user provisioning

  1. Click your organization name in the lower left corner.
  2. Click Settings > Security.
    Security tab in Klaviyo when SSO is active
  3. Check the SCIM Provisioning box. 
  4. Copy or download the access key, including the prefix Klaviyo-API-Key.
    Note that this key is only shown once, so make sure you can access it. If copying it, paste it somewhere secure immediately.
    Example of an access key
  5. Click Done
  6. Copy the base URL and paste it somewhere, preferably where you stored the access key.

Next, you must go to your SSO provider to finish the process. This process varies by provider. Below, we have instructions for OKTA and One Login. 

OKTA
    1. Navigate to Application > Settings
    2. Check that: 
      • Application username format is set to Email.
      • Update application username on is set to Create and update.
        SCIM connection page and settings
    3. Go to the General and click Edit.
    4. Under Provisioning, select SCIM
    5. Click Save
    6. In SCIM connector base URL, paste the base URL from Klaviyo.
    7. For Unique identifier field for users, type in “username.” 
    8. Under Supported provisioning actions, check the following boxes: 
      • Import New Users and Profile Updates
      • Push New Users
      • Push Profile Updates
        SCIM connection page and settings
    9. Change the Authentication Mode option to HTTP Header. 
    10. Paste in the access key under Authorization
    11. API Token field, paste in the access key.
    12. Click Test Connector Configuration
    13. Click Save.
    14. Refresh the page.
    15. Recommended: check the boxes for the following features:
      • Create Users.
      • Update User Attribute.
      • Deactivate Users.
    16. Click Save.
    17. Select To App on the left. 
    18. Click Go to Profile Editor
    19. Click Add Attribute
    20. Under Display name, type in Role. 
    21. Type “role” for Display name, Variable name, and External name.
    22. In External namespace, enter the following:
      urn:ietf:params:scim:schemas:core:2.0:User
    23. Check the box for Define enumerated list of values.
    24. Add in the roles and values; valid role values are as follows:
      • admin
      • manager
      • analyst
      • campaign_coordinator
      • content_creator
      • support
    25. Enter in the attribute members and values.
    26. Check Attribute required
    27. Choose the attribute type.
    28. Click Save
    29. Navigate to Applications
    30. Select your SCIM application.
    31. Click Assign to assign users to their roles.
    32. Click Save.
One Login
  1. In the Admin Portal, click Applications.
  2. Click Add App.
  3. Search “scim.”
  4. Choose SCIM Provisioner with SAML (SCIM v2 Core).
  5. Optional: Rename the connection.
  6. In Configuration, copy and paste the URL from Klaviyo.
  7. In Configuration under SCIM Bearer Token, paste your SCIM access key.
  8. Insert the following under SCIM JSON Template
    {
       "schemas":[
          "urn:ietf:params:scim:schemas:core:2.0:User"
       ],
       "userName":"{$user.email}",
       "name":{
          "givenName":"{$user.firstname}",
          "familyName":"{$user.lastname}"
       },
       "role":"{$parameters.role}",
       "emails":[
          {
             "value":"{$user.email}"
          }
       ]
    }
    
  9. Under API Status, click Enable
  10. Click Save.
  11. Navigate to Parameters on the left sidebar.
  12. Click the plus button.
  13. Under Field name, type “role.” Valid role values are as follows:
    • admin
    • manager
    • analyst
    • campaign_coordinator
    • content_creator
    • support
  14. Check the Include in User Provisioning box.
  15. Click Save to proceed to the next page in the modal. 
  16. For Value, click No default.
  17. Click Save in the New Field modal.
  18. Click Save in the upper right.
  19. Check the Enable provisioning checkbox.
  20. Do not uncheck the Create user, Delete user, or Update user boxes.
    Credential details section with the correct settings
  21. Click Save.
Azure
  1. Log into Azure.
  2. Using the search bar, search for "Azure Active Directory."
  3. There, click Enterprise Applications on the left side.
  4. Select the plus (+) button so that you can add a new application.
  5. Click Create your own application.
  6. When prompted, provide a name for your application.
  7. Select Integrate any other application you don't find in the gallery (Non-gallery).
  8. Wait for Azure to create your application. This will take a few seconds.
  9. Once you have created your SCIM integration app, select it.
  10. Click Provisioning > Get Started .
  11. In the field named Provisioning Mode, select automatic.
  12. Ignore the section named On-Premises Connectivity.
  13. Go to the Admin Credentials.
  14. Paste the SCIM URL from Klaviyo into the Tenant URL field.
  15. Paste the SCIM API key into the em>Secret Tokenfield. Note that this token should be pasted in without any prefixes (e.g., don’t include "Bearer" or "Klaviyo-API-Key")
  16. Test the connection.
  17. Once your connection has been verified, click Provisioning again.
  18. Select Start Provisioning.
Now, Azure will begin provisioning your users on a schedule. For more insight into which users it has provisioned, select View provisioning logs.

Additional resources

x
Was this article helpful?
1 out of 1 found this helpful