figma guide
Designing SCIM and directory sync UI in Figma: provisioning, groups, and IdP handoff
Design SCIM and directory sync UI in Figma with provisioning setup, group mapping, sync status, deprovisioning rules, and Dev Mode specs for enterprise identity management.
- Published
- Updated
- Jul 11, 2026
- Read time
- 6 min
- Level
- Intermediate
Quick answer
SCIM (System for Cross-domain Identity Management) lets an identity provider (Okta, Azure AD, Google Workspace) automatically create, update, and deactivate users in your product—usually under Organization → Provisioning, Security → Directory sync, or SSO → SCIM settings. Design a setup wizard with base URL, bearer token, and test connection; a sync status dashboard showing last sync, errors, and pending changes; group-to-role mapping when IdP groups drive app roles; and clear deprovisioning behavior (suspend vs delete vs remove access). When SCIM is active, member CRUD in team roles becomes read-only for synced users. Pair with SSO setup and log provisioning events to audit activity. Start from the Figma guides hub and use Dev Mode handoff for SCIM attribute and role enum specs.
Who this is for
- Product designers building enterprise admin settings for B2B SaaS, design tools, and workforce platforms.
- Design system teams separating manual invite flows from IdP-managed provisioning without duplicating member list components.
- Engineers implementing SCIM 2.0
/Usersand/Groupsendpoints, bearer token auth, and conflict resolution with manual members.
Manual invites vs SCIM provisioning
| Model | Who creates users | Best for | UI implication |
|---|---|---|---|
| Manual invite | Admin sends email invite | Small teams, self-serve | Full CRUD in member list |
| SSO only (JIT) | User signs in via IdP; account created on first login | Mid-market | Minimal provisioning UI |
| SCIM push | IdP pushes users/groups before login | Enterprise, compliance | Read-only synced members |
| Hybrid | SCIM + manual guests | Agencies, external collaborators | Clear “Synced” vs “Local” badges |
Verdict: when SCIM is enabled, disable or hide manual invite for domains under IdP control. Show a banner: “Members are managed by your identity provider” with link to IdP admin docs and SSO settings.
SCIM setup wizard
| Step | UI | Validation |
|---|---|---|
| 1. Prerequisites | Checklist: SSO enabled, verified domain | Block if domain unverified |
| 2. Base URL | Read-only field + copy button | https://api.yourapp.com/scim/v2 |
| 3. Bearer token | Generate token + one-time reveal | Same pattern as API keys |
| 4. IdP instructions | Tabs: Okta, Azure AD, Google, Generic | Link to vendor docs |
| 5. Test connection | ”Send test user” or IdP-side test | Success / failure with error code |
| 6. Sync options | Deprovision behavior, group sync toggle | Required selections |
| 7. Done | Summary + link to sync dashboard |
Token reveal screen (never show token again after dismiss):
┌─────────────────────────────────────────────┐
│ SCIM bearer token │
│ Paste this into your IdP provisioning app. │
│ ┌─────────────────────────────────────┐ │
│ │ scim_xxxxxxxxxxxxxxxxxxxxxxxx │ 📋 │
│ └─────────────────────────────────────┘ │
│ ☐ I have stored this token securely │
│ [ Test connection ] [ Done ] │
└─────────────────────────────────────────────┘
Offer Regenerate token in settings with confirmation—warn that IdP config must be updated.
Sync status dashboard
| Widget | Content | When to show |
|---|---|---|
| Connection status | Connected / Error / Not configured | Always |
| Last sync | Relative time + user count delta | After first sync |
| Pending changes | +3 users, -1 user, 2 group updates | During sync window |
| Error log | Failed operations with SCIM error detail | When errors > 0 |
| Manual override warning | ”12 users not synced—local accounts” | Hybrid tenants |
ScimSyncDashboard
├── StatusCard (connected | error | paused)
├── LastSyncMeta
├── UserCountSummary (+added / ~updated / -removed)
├── GroupMappingSummary (if enabled)
├── ErrorLogTable (expandable rows)
└── Actions: Pause sync, View full log, Re-test connection
Link each error row to remediation: invalid email, duplicate externalId, role mapping conflict.
Group-to-role mapping
When IdP groups map to app roles (Admin, Member, Viewer):
| UI element | Spec | Notes |
|---|---|---|
| IdP group name | Read-only from last sync | Engineering-Designers |
| App role | Dropdown | Maps to RBAC roles |
| Default role | For users with no group match | Usually Member or Viewer |
| Unmapped groups | Warning list | ”3 groups not mapped—users get default role” |
Verdict: show mapping as a two-column table (IdP group → App role), not nested accordions. Enterprise admins scan this during rollout.
Deprovisioning behavior
| Option | What happens | UI label | Best for |
|---|---|---|---|
| Suspend | Account disabled; data retained | ”Deactivate user” | Compliance, rehire |
| Remove access | User removed from org; account may persist | ”Remove from workspace” | Seat billing |
| Delete | Hard delete user and data | ”Delete user and data” | Strict data policies |
Require explicit selection during setup—do not default silently. Show consequence copy: “Suspended users cannot sign in but appear in audit logs.”
Log all deprovision events to security activity with actor = SCIM and externalId.
Member list integration
When SCIM is active, adapt the team member row:
| State | UI treatment |
|---|---|
| SCIM-managed | ”Synced from Okta” label; disable role dropdown or show read-only |
| Local / guest | Normal editable row; badge “Local account” |
| Pending SCIM | User in IdP but not yet synced; rare—show “Provisioning…” |
| Deprovisioned | Grayed row with “Deactivated by IdP” |
Do not show Remove member for SCIM users—admin must deprovision in IdP. Tooltip: “Manage this user in your identity provider.”
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| Manual invite still enabled under SCIM | Duplicate users, role conflicts | Domain-level invite lock |
| Token shown twice | Security leak | One-time reveal + regenerate only |
| No deprovision choice | Wrong data retention | Explicit setup step |
| Group mapping buried | Wrong roles at scale | Prominent mapping table |
| Sync errors as toast only | IT misses failures | Persistent error log + email to admin |
| SCIM users editable like local | Changes overwritten on next sync | Read-only + managed label |
| No audit trail for SCIM | Compliance gap | Log create/update/deactivate |
| Test connection fake success | Broken prod rollout | Real SCIM GET /Users test |
Recommended workflow
- Confirm SSO and verified domain are live before SCIM wizard.
- Design setup wizard with token reveal and IdP-specific tabs.
- Build sync dashboard with status, last sync, and error log.
- Add group-to-role mapping table linked to RBAC roles.
- Define deprovisioning options with clear consequence copy.
- Adapt member list for SCIM-managed vs local users.
- Wire audit events for all provisioning lifecycle changes.
- Prototype error states: invalid schema, rate limit, token expired.
FAQ
SCIM vs SSO—do I need both?
Usually yes for enterprise. SSO handles authentication; SCIM handles user lifecycle (create, update, deactivate) before and after login. JIT-only SSO works for smaller deals; SCIM is expected at 100+ seats.
Should guests and contractors use SCIM?
Often no. Use local invites or resource-level share for external collaborators. Show them as a separate list or badge so they are not seat-counted incorrectly.
What if IdP sends duplicate emails?
Show conflict in error log with resolution: merge by externalId, skip, or notify admin. Do not silently overwrite without audit entry.
Pause sync temporarily?
Yes—for migrations. Paused state should block IdP pushes but not SSO login for existing users. Show “Sync paused since [date]” banner.
SCIM for multi-workspace products?
Per-organization token or workspace-scoped mapping in enterprise UI. Document whether one IdP app serves all workspaces or one per workspace.
Next steps
- Design SSO and enterprise login UI in Figma — authentication path before SCIM users sign in
- Design team member roles and permissions UI in Figma — RBAC roles that group mapping targets
- Design audit log and security activity UI in Figma — provisioning and deprovision events
- Design API keys and personal access tokens UI in Figma — same one-time secret reveal pattern
- Design organization billing and seat management UI in Figma — how SCIM seat counts affect billing
§ Keep reading