Introduction
This guide provides step-by-step instructions for setting up System for Cross-domain Identity Management (SCIM) in Rhythms. SCIM is a key component of our enterprise-grade identity management framework, automating user provisioning and lifecycle management by syncing with your Identity Provider (IdP). This ensures seamless account creation and timely access revocation.
Beyond lifecycle management, SCIM also keeps core user profiles in Rhythms consistent with your IdP, synchronizing details like name and email. If your IdP is configured to hold more extensive user attributes (potentially by an upstream integration with your HRIS system), SCIM will sync this richer data, making it the primary method for maintaining comprehensive and up-to-date user profiles from a central source (your IdP).
Whether you’re an IT administrator configuring the system or a user benefiting from automated access, Rhythms delivers an efficient and secure experience. Follow this guide to implement SCIM for user lifecycle automation and set up comprehensive user profile data within Rhythms.
Note: Direct HRIS Sync for Supplemental Data. If your HRIS isn't integrated with your IdP (preventing SCIM from syncing desired HRIS attributes through that channel), Rhythms offers an alternative: direct HRIS integration. This syncs supplemental attributes (e.g., division, job level) from your HRIS to enrich profiles, enhance reporting, or create inactive user accounts pre-populated with HRIS data. User activation remains managed by SCIM or manually.
SCIM Integration in Rhythms
SCIM is an open standard that automates user identity management between your Identity Provider (IdP) and Rhythms. When SCIM is enabled, Rhythms syncs with your IdP to:
- Automate User Lifecycle: Automatically provision new user accounts in Rhythms when individuals are assigned to the application in your IdP. Access is also instantly revoked when they are unassigned from Rhythms in the IdP. 
- Synchronize User Profiles: Keep user profile information in Rhythms (such as name, email, and potentially richer attributes like department or job title) consistent with the data held in your IdP. If your IdP is configured to include detailed attributes (for instance, sourced from an HRIS), SCIM ensures this comprehensive profile data is reflected in Rhythms. 
Benefits of SCIM:
- Automated User Lifecycle Management: Reduces manual work for account creation, updates, and deactivation by syncing directly with your IdP. 
- Comprehensive and Consistent User Profiles:
  - Keeps all mapped user profile information in Rhythms (from core details like name and email to richer attributes such as department or job title) consistently updated based on your IdP.
  - If your IdP is configured to source data from your HRIS or contains other rich profile attributes, SCIM makes this detailed information available in Rhythms. This ensures profiles are comprehensive and reflect your central identity records.
- Enhanced Security: Ensures prompt access revocation based on IdP status, minimizing security risks associated with outdated access. 
- Improved Data-Driven Insights (with enriched IdP data):
  - Enables enhanced filtering, reporting, and analysis within Rhythms (e.g., granular OKR segmentation) when detailed attributes like department, job title, or other HRIS-sourced data are synced from your IdP.
  - Provides better organizational context for OKRs and user activities by leveraging this comprehensive profile data from your IdP.
- Data Consistency with Source of Truth (IdP): Ensures user attributes in Rhythms align with the information managed in your IdP, which can be your central source of truth for user identity and profile data (potentially including HRIS-sourced information). 
Prerequisites
Before you begin:
- You must be a Rhythms Administrator to access the admin interface and initiate SCIM setup. 
- You must be an IdP Administrator (e.g., an IT team member managing Okta, Entra ID, or CyberArk) to configure your identity provider settings.
- If you're not an IdP Administrator, you will need to coordinate with them to configure the IdP side of the SCIM connection. Rhythms can provide necessary details to facilitate this. 
- Your IdP must be supported (e.g., Okta, Microsoft Entra ID, CyberArk, Google Workspace). See the detailed guides or setup wizard for the full list. 
Note: SCIM setup is powered by WorkOS. Role management (e.g., User, Admin, Owner) is handled within Rhythms and not controlled through SCIM.
How to Set Up SCIM
Follow these steps to configure SCIM in Rhythms:
Step 1: Access the Admin Interface
- Log in to Rhythms as an admin using your credentials. 
- Navigate to the admin portal by clicking "Settings" in the main menu. 
- Select "Security" from the options. 
Step 2: Select SCIM Setup
- In the Security menu, locate the "Directory Sync (SCIM)" option. 
- Click "Setup" to begin the configuration process. 
 
- This will take you to the page to configure directory sync. Locate your directory provider, which is likely the same as your SSO provider, and click on the row. That will take you to a set of instructions for how to set up SCIM between Rhythms and your provider. 
Step 3: Configure SCIM with Your IdP
For provider-specific instructions, refer to the setup interfaces in the wizard (e.g., for Google Workspace, Okta, Entra ID). The Okta, Entra ID, and CyberArk wizards are provided below as references.
- Okta Configuration wizard - Detailed instructions here 
- Entra ID Wizard 
- Follow the WorkOS-powered setup wizard and configure the connection in your identity provider. The setup wizard will guide you through:
  - Generating SCIM credentials
  - Setting up user attribute mapping (see details below)
  - Testing user synchronization
  - Enabling user provisioning and deprovisioning
- User Attribute Mapping Details:
  - Rhythms, via WorkOS, supports a set of standard SCIM profile fields that will be available for mapping from your IdP.
  - In addition to standard fields, you have the ability to map additional custom attributes defined in your IdP to corresponding custom fields in Rhythms user profiles.
  - Specific instructions for field mapping, including supported standard fields and how to configure custom mappings, will be provided within the setup wizard for your chosen IdP (e.g., Okta, Entra ID, CyberArk). See Okta SCIM setup article as a reference.
- Note: Group synchronization capabilities will be added in a future release. Currently, only users within the group are synchronized; group data is not synchronized.
- Once you’ve completed those instructions, your IdP directory will begin to sync with Rhythms servers. This may take some time, depending on how many accounts you have granted access to the Rhythms application in your IdP.
Testing the SCIM Configuration
After setup, verify that SCIM works correctly:
- Create a test user in your IdP directory. 
- Assign the user to the Rhythms application in your IdP. 
- Verify the user is automatically provisioned in Rhythms (check the "Users" section in the admin portal). 
- Update the user's profile in your IdP (e.g., change their last name or a mapped department field). 
- Confirm the changes sync to Rhythms within a few minutes. 
- Remove the application assignment from the test user in your IdP. 
- Verify access is revoked in Rhythms (the user should no longer appear in the "Users" section). 
 Note: Users must be assigned to the Rhythms application in your IdP for SCIM provisioning to take effect. Simply creating a user in your directory without assignment won’t trigger provisioning.
User Experience with SCIM
Once SCIM is active:
- User Provisioning: New users are automatically created in Rhythms when assigned to the application in your IdP, with their full mapped profile (including details like email, name, and any other attributes configured for synchronization from your IdP) synced. 
- Profile Management: User details update automatically in Rhythms when changed in your IdP directory, requiring no manual updates. 
- Access Control: Access is revoked immediately when users are unassigned from Rhythms in your IdP, ensuring security. 
- Login Experience: First-time users can log in immediately after being assigned, with no waiting period or manual activation needed (if SSO is also enabled). 
Best Practices for SCIM Setup
- Verify Attribute Mapping: Double-check that all desired user attributes (e.g., email, first/last name, department, job title, and any custom fields) are correctly mapped in the setup wizard to ensure comprehensive profile synchronization and avoid sync errors. 
- Start with a Test Group: Pilot SCIM with a small group of users to confirm provisioning and de-provisioning work as expected before enabling for all users. 
- Monitor Sync Delays: Be aware that initial directory sync may take time depending on the number of users; check the "Users" section in Rhythms to confirm completion. 
- Set Up Alerts in Your IdP: Configure your IdP to notify you of SCIM sync failures, allowing you to address issues like misconfigured mappings promptly. 
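Added example (not Rhythms or WorkOS code): the checks described under "Testing the SCIM Configuration" and "Verify Attribute Mapping" can be repeated for a whole pilot group by reconciling two exports, the users assigned to the application in your IdP and the users listed in the application. The CSV column names and sample rows below are constructed assumptions; adjust them to whatever your exports contain.

```python
import csv
import io

# Constructed sample exports (not real IdP or Rhythms output; column names are assumptions).
IDP_ASSIGNED_CSV = """email,last_name,department
ana.diaz@example.com,Diaz,Finance
bo.chen@example.com,Chen,Engineering
cy.okoro@example.com,Okoro-Reed,Sales
"""
APP_USERS_CSV = """email,last_name,department
Ana.Diaz@example.com,Diaz,Finance
cy.okoro@example.com,Okoro,Sales
dee.park@example.com,Park,Marketing
"""

def load(text):
    """Index rows by lower-cased email so case differences do not cause false findings."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): r for r in rows}

def reconcile(idp_csv, app_csv, fields=("last_name", "department")):
    """Compare the IdP's assigned users with the application's user list."""
    idp, app = load(idp_csv), load(app_csv)
    report = {
        # In the application but not assigned in the IdP: deprovisioning did not land.
        "orphaned": sorted(app.keys() - idp.keys()),
        # Assigned in the IdP but absent from the application: provisioning did not land.
        "missing": sorted(idp.keys() - app.keys()),
        # Present on both sides but a mapped attribute differs: mapping or sync problem.
        "drift": [],
    }
    for email in sorted(idp.keys() & app.keys()):
        for f in fields:
            if idp[email][f].strip() != app[email][f].strip():
                report["drift"].append((email, f, idp[email][f], app[email][f]))
    return report

if __name__ == "__main__":
    result = reconcile(IDP_ASSIGNED_CSV, APP_USERS_CSV)
    for kind in ("orphaned", "missing"):
        for email in result[kind]:
            print(f"{kind}: {email}")
    for email, field, want, got in result["drift"]:
        print(f"drift: {email} {field} idp={want!r} app={got!r}")
```

Treat any "orphaned" entry as the priority finding, since it is an account that kept access after its IdP assignment was removed.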
Frequently Asked Questions (FAQ)
Q: Which IdPs are supported for SCIM in Rhythms?
A: Rhythms supports major providers like Okta, Microsoft Entra ID, CyberArk, and Google Workspace. Check the setup wizard for the full list. If your IdP isn’t supported, contact Rhythms support to explore options.
Q: What happens if I’m not an IdP Administrator?
A: Share the IdP admin details with Rhythms, and we’ll send the setup URL directly to your IdP Administrator to complete the configuration.
Q: Does SCIM manage roles in Rhythms?
A: No, SCIM handles user provisioning and profile sync (e.g., email, name). Role management (e.g., User, Admin, Owner) is configured within Rhythms via RBAC.
Q: How do I know if SCIM is working?
A: Test by assigning a user to Rhythms in your IdP, checking if they appear in Rhythms, updating their profile, and confirming sync. Then unassign them to verify access revocation.
Q: My HRIS system isn't connected to my IdP. How can I sync richer profile fields (like department or job title) into Rhythms?
A: SCIM syncs profile data that is available in your IdP. If desired HRIS attributes aren't in your IdP (e.g., because your HRIS isn't connected to it), we recommend first exploring options to enrich your IdP with this data. For alternative methods to sync supplemental HRIS data directly, please consult our "Enterprise User Management overview" documentation or contact Rhythms support.
Q: What should I set up after SCIM?
A: Ensure SSO is enabled for seamless logins and configure RBAC for role-based permissions. See the Enterprise Identity Management overview for more details.





