User provisioning & deprovisioning
With SCIM functionality, admins of Enterprise Organizations can quickly and easily provision and deprovision users in Asana from their identity management provider. Your Workspace’s API endpoint can also be used to configure with SCIM. Your IT team can turn on this feature so Administrators can manage provisioning. SCIM provisioning allows Admins to:
- Create a new user
- Update a user's profile information
- Deactivate a user
Set up provisioning
To use SCIM provisioning, you’ll need to connect your Organization’s Asana account with one of our supported identity providers. Setup will vary according to the identity provider you use. Asana supports SCIM provisioning via:
- Microsoft Azure AD
- Google Workspace
Login to an Admin account on Asana, and navigate to the Admin Console menu by clicking on your profile picture in the top right, and clicking on Admin Console.
Navigate to the Apps tab.
Click Add service account.
Adding a Service Account will generate an API key, that you can use in the Provisioning tab in the Asana app within Okta.
In the API Token field, enter the token you received in your Service Accounts tab in Asana. Click Test API Credentials to verify that the token is set up correctly.
From the Provisioning tab, you can authorize Okta to:
- Import users
- Create Users
- Update User Attributes
- Deactivate Users
Once you've enabled the features you'd like to use on the Provisioning page, click the Import tab and reconcile the users detected in Asana with the users you have in your Okta domain. Import any Asana users that you’d like to create or assign Okta accounts for.
Administer the users assigned to Asana as you would with SAML. Users will be automatically kept in sync with the Asana members list.
Assigning the Asana app to users in Okta will create that user profile within Asana, and trigger the same behavior as if they had been invited to Asana. It's important to note this when informing users that they hav e been assigned the Asana app.
When creating or updating users, the users must have email addresses that correspond with the Asana Organization. Organization Guests will continue to be provisioned and deprovisioned, and managed within the Asana members tab only.
Learn how to configure SCIM provisioning using OneLogin here.
To enable SCIM functionality with non-natively integrated IdPs please check the necessary accepted attributes [here]. (https://developers.asana.com/docs/scim-endpoints)