Setting Up SCIM Provisioning for Span via WorkOS

Last updated: April 8, 2026

Overview

Span’s SCIM integration enables automatic user provisioning and deprovisioning via your identity provider (Okta, Azure AD, Google Workspace, etc.) using WorkOS.

When users are added to a designated group in your identity provider, access to their Span accounts is provisioned. When users are removed, their access is automatically revoked.

NOTE: SCIM does not create new users. The users must exist in Span first. SCIM just controls account access.

This guide covers SCIM access provisioning only. HRIS sync and team/directory sync are configured separately.


What SCIM Does (and Doesn’t Do)

SCIM handles:

  • Granting baseline access automatically

  • Deactivating Span access when users are removed

SCIM does not handle:

  • Creating new Span user accounts

  • Employee profile data (title, department, manager)

  • Team structure or hierarchy

  • Permission assignment from the IdP side

Those are handled inside Span via HRIS sync and permission rules.


Prerequisites

Before starting, you’ll need:

  • An active Span organization

  • An identity provider that supports SCIM (Okta, Azure AD, Google Workspace)

  • A WorkOS organization connected to Span

  • Admin access in your identity provider


Setup Steps


1. Get SCIM Credentials from Span

WorkOS will provide you with the following:

  • SCIM Base URL

  • Bearer Token (secret — must be shared securely)

  • Unique Identifier Field (email)

These are required to configure provisioning in your identity provider.

🔐 Security note: The bearer token should always be shared via a secure method (e.g., 1Password, secure vault), not Slack or email.


2. Configure SCIM in Your Identity Provider (Okta Example)

A. Open the Span Application

  1. Go to Applications → Span

  2. Click Edit

  3. Under Provisioning, set:

    • Provisioning Type: SCIM

  4. Save

This will reveal the Provisioning tab.


B. Configure SCIM Connection Settings

In Provisioning → Integration:

  • SCIM Connector Base URL

    → Paste the Base URL provided by Span

  • Authentication Mode

    HTTP Header

  • Authorization

    Bearer <token>

    (Paste the bearer token provided by Span)

  • Unique Identifier

    email

Save your changes.


C. Enable Supported Actions

In Provisioning → To App, enable:

  • Create Users

  • Update User Attributes

  • Deactivate Users

Deactivation covers user removal / offboarding.

Group push is not required for Span SCIM.


3. Assign Users to the Span App

Users must be assigned to the Span app in your identity provider.

You can do this by:

  • Assigning individuals directly, or

  • Assigning a group (recommended)

Once assigned:

  • Users will be provisioned into Span automatically

  • Removing assignment will deprovision access


4. Enable SCIM on the Span Side

After IdP configuration is complete:

  • Contact your Span admin or support team

  • Span will run a one-time enablement step to activate SCIM for your organization

Once enabled, provisioning and deprovisioning are fully automated.


5. Test Provisioning

Recommended test flow:

  1. Assign a user to the Span app (i.e. a real person who already exists in Span)

  2. Confirm:

    • User appears in Span

    • User can log in

  3. Remove the user assignment

  4. Confirm:

    • Span access is revoked


Sync Timing

  • SCIM changes are processed automatically

  • Most updates propagate within minutes (provider-dependent)


Permissions in Span

Baseline Permissions

Permission groups are managed manually today; they are not managed by SCIM.


Advanced Permissions (Recommended)

Additional permissions (Admin, Team Lead, Finance, etc.) are managed inside Span, not from the identity provider.

You can configure permission rules such as:

  • Department = Finance → Finance group

  • Title contains “Manager” → Team Lead group

  • Leadership roles → Admin group

These rules update automatically as employee data changes.


Common Gotchas

  • Email is the unique identifier

    If a user’s email changes, Span will treat it as a new user.

  • SCIM does not sync teams or hierarchy

  • Permissions cannot be controlled from Okta groups

  • HRIS sync is separate from SCIM provisioning
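
A pre-flight check for the email gotcha above and for the rule that SCIM does not create users, as an added example (not Span or WorkOS code): it compares the emails assigned in the IdP with the accounts that already exist in Span. The two input lists, the sample addresses, and the case-insensitive comparison are assumptions.

```python
# Added example: pre-flight comparison of IdP assignments with Span accounts.
# Assumptions: both inputs are plain lists of e-mail strings exported by hand,
# and e-mails are compared case-insensitively with whitespace trimmed.

# Constructed sample data (not real users).
IDP_ASSIGNED = ["Ana.Silva@example.com", "bo.chen@example.com",
                "cy.diaz@example.org", "dee.ng@example.com"]
SPAN_USERS = ["ana.silva@example.com", "bo.chen@example.com",
              "cy.diaz@example.com", "eli.roth@example.com"]


def normalize(email):
    """Trim whitespace and lowercase so cosmetic differences do not hide a match."""
    return email.strip().lower()


def local_part(email):
    """Part of the address before the last '@'."""
    return email.rsplit("@", 1)[0]


def reconcile(idp_assigned, span_users):
    """Report accounts that matching on e-mail would miss or leave unmanaged."""
    idp = {normalize(e): e for e in idp_assigned}
    span = {normalize(e): e for e in span_users}
    missing = sorted(idp.keys() - span.keys())
    unassigned = sorted(span.keys() - idp.keys())
    return {
        # Assigned in the IdP but no Span account: SCIM will not create one.
        "missing_in_span": missing,
        # Span account without an IdP assignment: confirm it should keep access.
        "unassigned_in_idp": unassigned,
        # Same local part on both sides of the gap: likely a changed e-mail.
        "possible_renames": [(m, u) for m in missing for u in unassigned
                             if local_part(m) == local_part(u)],
        # Matched, but the stored spelling differs in case or whitespace.
        "case_mismatch": sorted(k for k in idp.keys() & span.keys()
                                if idp[k] != span[k]),
    }


if __name__ == "__main__":
    for finding, values in reconcile(IDP_ASSIGNED, SPAN_USERS).items():
        print(f"{finding}: {values}")
```

Resolve every `missing_in_span` and `possible_renames` entry before the enablement step, and review `unassigned_in_idp` so no account keeps access outside the IdP assignment.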


Need Help?

If you need:

  • SCIM credentials

  • Enablement confirmation

  • Help testing provisioning

  • Guidance on permission rules

Contact your Span team and we’ll walk through it with you live.