figma guide

Designing SCIM and directory sync UI in Figma: provisioning, groups, and IdP handoff

Design SCIM and directory sync UI in Figma with provisioning setup, group mapping, sync status, deprovisioning rules, and Dev Mode specs for enterprise identity management.

Published
Updated
Jul 11, 2026
Read time
6 min
Level
Intermediate

Quick answer

SCIM (System for Cross-domain Identity Management) lets an identity provider (Okta, Azure AD, Google Workspace) automatically create, update, and deactivate users in your product—usually under Organization → Provisioning, Security → Directory sync, or SSO → SCIM settings. Design a setup wizard with base URL, bearer token, and test connection; a sync status dashboard showing last sync, errors, and pending changes; group-to-role mapping when IdP groups drive app roles; and clear deprovisioning behavior (suspend vs delete vs remove access). When SCIM is active, member CRUD in team roles becomes read-only for synced users. Pair with SSO setup and log provisioning events to audit activity. Start from the Figma guides hub and use Dev Mode handoff for SCIM attribute and role enum specs.


Who this is for

  • Product designers building enterprise admin settings for B2B SaaS, design tools, and workforce platforms.
  • Design system teams separating manual invite flows from IdP-managed provisioning without duplicating member list components.
  • Engineers implementing SCIM 2.0 /Users and /Groups endpoints, bearer token auth, and conflict resolution with manual members.

Manual invites vs SCIM provisioning

ModelWho creates usersBest forUI implication
Manual inviteAdmin sends email inviteSmall teams, self-serveFull CRUD in member list
SSO only (JIT)User signs in via IdP; account created on first loginMid-marketMinimal provisioning UI
SCIM pushIdP pushes users/groups before loginEnterprise, complianceRead-only synced members
HybridSCIM + manual guestsAgencies, external collaboratorsClear “Synced” vs “Local” badges

Verdict: when SCIM is enabled, disable or hide manual invite for domains under IdP control. Show a banner: “Members are managed by your identity provider” with link to IdP admin docs and SSO settings.


SCIM setup wizard

StepUIValidation
1. PrerequisitesChecklist: SSO enabled, verified domainBlock if domain unverified
2. Base URLRead-only field + copy buttonhttps://api.yourapp.com/scim/v2
3. Bearer tokenGenerate token + one-time revealSame pattern as API keys
4. IdP instructionsTabs: Okta, Azure AD, Google, GenericLink to vendor docs
5. Test connection”Send test user” or IdP-side testSuccess / failure with error code
6. Sync optionsDeprovision behavior, group sync toggleRequired selections
7. DoneSummary + link to sync dashboard

Token reveal screen (never show token again after dismiss):

┌─────────────────────────────────────────────┐
│  SCIM bearer token                          │
│  Paste this into your IdP provisioning app. │
│  ┌─────────────────────────────────────┐    │
│  │ scim_xxxxxxxxxxxxxxxxxxxxxxxx       │ 📋 │
│  └─────────────────────────────────────┘    │
│  ☐ I have stored this token securely        │
│  [ Test connection ]  [ Done ]              │
└─────────────────────────────────────────────┘

Offer Regenerate token in settings with confirmation—warn that IdP config must be updated.


Sync status dashboard

WidgetContentWhen to show
Connection statusConnected / Error / Not configuredAlways
Last syncRelative time + user count deltaAfter first sync
Pending changes+3 users, -1 user, 2 group updatesDuring sync window
Error logFailed operations with SCIM error detailWhen errors > 0
Manual override warning”12 users not synced—local accounts”Hybrid tenants
ScimSyncDashboard
├── StatusCard (connected | error | paused)
├── LastSyncMeta
├── UserCountSummary (+added / ~updated / -removed)
├── GroupMappingSummary (if enabled)
├── ErrorLogTable (expandable rows)
└── Actions: Pause sync, View full log, Re-test connection

Link each error row to remediation: invalid email, duplicate externalId, role mapping conflict.


Group-to-role mapping

When IdP groups map to app roles (Admin, Member, Viewer):

UI elementSpecNotes
IdP group nameRead-only from last syncEngineering-Designers
App roleDropdownMaps to RBAC roles
Default roleFor users with no group matchUsually Member or Viewer
Unmapped groupsWarning list”3 groups not mapped—users get default role”

Verdict: show mapping as a two-column table (IdP group → App role), not nested accordions. Enterprise admins scan this during rollout.


Deprovisioning behavior

OptionWhat happensUI labelBest for
SuspendAccount disabled; data retained”Deactivate user”Compliance, rehire
Remove accessUser removed from org; account may persist”Remove from workspace”Seat billing
DeleteHard delete user and data”Delete user and data”Strict data policies

Require explicit selection during setup—do not default silently. Show consequence copy: “Suspended users cannot sign in but appear in audit logs.”

Log all deprovision events to security activity with actor = SCIM and externalId.


Member list integration

When SCIM is active, adapt the team member row:

StateUI treatment
SCIM-managed”Synced from Okta” label; disable role dropdown or show read-only
Local / guestNormal editable row; badge “Local account”
Pending SCIMUser in IdP but not yet synced; rare—show “Provisioning…”
DeprovisionedGrayed row with “Deactivated by IdP”

Do not show Remove member for SCIM users—admin must deprovision in IdP. Tooltip: “Manage this user in your identity provider.”


Common mistakes

MistakeWhy it hurtsFix
Manual invite still enabled under SCIMDuplicate users, role conflictsDomain-level invite lock
Token shown twiceSecurity leakOne-time reveal + regenerate only
No deprovision choiceWrong data retentionExplicit setup step
Group mapping buriedWrong roles at scaleProminent mapping table
Sync errors as toast onlyIT misses failuresPersistent error log + email to admin
SCIM users editable like localChanges overwritten on next syncRead-only + managed label
No audit trail for SCIMCompliance gapLog create/update/deactivate
Test connection fake successBroken prod rolloutReal SCIM GET /Users test

  1. Confirm SSO and verified domain are live before SCIM wizard.
  2. Design setup wizard with token reveal and IdP-specific tabs.
  3. Build sync dashboard with status, last sync, and error log.
  4. Add group-to-role mapping table linked to RBAC roles.
  5. Define deprovisioning options with clear consequence copy.
  6. Adapt member list for SCIM-managed vs local users.
  7. Wire audit events for all provisioning lifecycle changes.
  8. Prototype error states: invalid schema, rate limit, token expired.

FAQ

SCIM vs SSO—do I need both?

Usually yes for enterprise. SSO handles authentication; SCIM handles user lifecycle (create, update, deactivate) before and after login. JIT-only SSO works for smaller deals; SCIM is expected at 100+ seats.

Should guests and contractors use SCIM?

Often no. Use local invites or resource-level share for external collaborators. Show them as a separate list or badge so they are not seat-counted incorrectly.

What if IdP sends duplicate emails?

Show conflict in error log with resolution: merge by externalId, skip, or notify admin. Do not silently overwrite without audit entry.

Pause sync temporarily?

Yes—for migrations. Paused state should block IdP pushes but not SSO login for existing users. Show “Sync paused since [date]” banner.

SCIM for multi-workspace products?

Per-organization token or workspace-scoped mapping in enterprise UI. Document whether one IdP app serves all workspaces or one per workspace.


Next steps

Share on X

§ Keep reading

Related guides.