SCIM (System for Cross-domain Identity Management) Integration

Set up SCIM in Harvey to automate user provisioning, deprovisioning, and group-based access management through your organization’s identity provider.

Last updated: Mar 31, 2026


Overview

SCIM integration connects Harvey to your organization’s identity provider (IdP) so you can manage users and access from a single source of truth. Instead of updating accounts manually, you can automate provisioning, deprovisioning, and group-driven access changes as your directory changes.

With SCIM in Harvey, you can:

  • Automatically provision and deprovision users: Create, update, and deactivate user accounts directly from your Identity Provider. No more manual user management — changes in your IdP are automatically reflected in Harvey
  • Sync users and groups from your identity provider: Keep roles, permissions, and group memberships accurate and up to date automatically, ensuring users always have the right level of access
  • Map directory groups to Harvey roles and user groups: Automatically assign users to the right roles and groups based on your existing directory structure, making access management more consistent, scalable, and easier to govern across the firm
  • Keep access aligned with your organization’s current directory: Reflect user and group changes in Harvey as your directory changes, helping your firm maintain accurate permissions, strengthen security, and reduce manual upkeep

Prerequisites:

  • SSO (SAML) is configured and enabled for your workspace
  • SCIM is enabled for your workspace
  • You have admin access to configure identity settings

How to Use

Step 1: Enable SCIM in Harvey

In-app screenshot of Identity & Access page within Settings.
  1. Go to Settings → Identity & Access.
  2. Turn on the SCIM provisioning toggle.
  3. Click Setup SCIM.
  4. Select a default role for users who are not included in any mapped group.
  5. Copy the SCIM URL and SCIM token. You will use these in your identity provider.

Step 2: Connect with Identity Provider

In-app screenshot showing where the user can select their identity provider.

Microsoft Entra

Screenshot of Enterprise applications page in Microsoft Entra admin center.
  1. Sign in to the Microsoft Entra admin center.
  2. Go to Enterprise apps and select New application.
  3. Select Create your own application.
  4. Enter an application name, such as Harvey.ai, then choose Integrate any other application you don’t find in the gallery (Non-gallery).
  5. Open the new application and go to Provisioning.
  6. Select Connect Your Application.
  7. Choose Bearer authentication.
  8. Paste the Harvey SCIM URL into Tenant URL and the Harvey SCIM token into Secret token.
  9. Keep the aadOptscim062020 query parameter in the Tenant URL. Do not remove it.
  10. Click Test Connection, then save the configuration.
  11. In Mappings, review the user and group attribute mappings.
  12. Confirm that externalId is mapped to objectId.
  13. Confirm that emails[type eq "work"].value is mapped to a valid email attribute for your directory.
  14. Make sure provisioning is enabled for both users and groups, with Create, Update, and Delete actions turned on.
  15. Go to Users and groups and assign the users and groups you want to sync.
  16. In Provisioning → Settings, set Scope to Sync only assigned users and groups.
  17. Set Provisioning Status to On.
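
A pre-flight check for steps 9, 12 and 13, run before setting Provisioning Status to On. This is an added example, not Harvey or Microsoft code. The tenant URL, user records and function names are constructed placeholders. It resolves the emails[type eq "work"].value path against sample SCIM user payloads and flags records that would arrive without a work email or externalId.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Handles the two path shapes used in the mappings: attr, or attr[sub eq "val"].leaf
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

def resolve_path(resource, path):
    """Return the value a mapping path selects from a SCIM resource, or None."""
    m = _FILTER_PATH.match(path)
    if not m:
        return resource.get(path)
    attr, sub, wanted, leaf = m.groups()
    for item in resource.get(attr) or []:
        if str(item.get(sub, "")).lower() == wanted.lower() and item.get(leaf):
            return item[leaf]
    return None

def check_tenant_url(url):
    """Flag a Tenant URL that is not https or has lost the aadOptscim062020 flag."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("tenant URL is not https")
    flags = parse_qs(parts.query, keep_blank_values=True)  # keeps a bare flag
    if "aadOptscim062020" not in flags:
        problems.append("aadOptscim062020 query parameter missing")
    return problems

def check_user(user):
    """Flag a user payload that would arrive without externalId or a work email."""
    problems = []
    if not resolve_path(user, "externalId"):
        problems.append("externalId is empty")
    email = resolve_path(user, 'emails[type eq "work"].value')
    if not email or "@" not in email:
        problems.append("no work email value")
    return problems

# Constructed sample data; the URL is a placeholder, not Harvey's real SCIM URL.
TENANT_URL = "https://scim.example.invalid/scim/v2?aadOptscim062020"
SAMPLE_USERS = [
    {"userName": "a@example.com", "externalId": "obj-0001",
     "emails": [{"type": "work", "value": "a@example.com"}]},
    {"userName": "b@example.com", "externalId": "obj-0002",
     "emails": [{"type": "home", "value": "b@example.net"}]},
    {"userName": "c@example.com", "emails": [{"type": "work", "value": "c@example.com"}]},
]
if __name__ == "__main__":
    print("tenant URL:", check_tenant_url(TENANT_URL) or "ok")
    for u in SAMPLE_USERS:
        print(u["userName"], check_user(u) or "ok")
```

Records that report a problem here point to a directory attribute that is empty for that user, which is worth fixing in the directory or the mapping before the pilot group is assigned.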

Okta

Screenshot of Applications page in Okta.
  1. Sign in to the Okta admin console.
  2. Go to Applications → Applications.
  3. Click Browse App Catalog.
  4. Search for SCIM 2.0 Test App (OAuth Bearer Token) and add it.
  5. Name the application, such as Harvey.ai, and complete the basic setup.
  6. Open the application and go to the Provisioning tab.
  7. Click Configure API Integration.
  8. Turn on Enable API Integration.
  9. Paste the Harvey SCIM URL into SCIM 2.0 Base Url.
  10. Paste the Harvey SCIM token into OAuth Bearer Token.
  11. Click Test API Credentials, then save.
  12. In Provisioning → To App, enable:
    1. Create Users
    2. Update User Attributes
    3. Deactivate Users
  13. Go to Assignments and assign the people you want to provision.
  14. Go to Push Groups and push the groups you want Harvey to sync.
  15. Use separate groups for app assignments and pushed groups to avoid group membership sync issues.

Step 3: Map Groups and Roles in Harvey

In-app screenshot showing where user can set up workspace role mapping with their identity provider.
  1. Return to Settings → Identity & Access in Harvey.
  2. Map synced directory groups to Harvey roles.
  3. Map synced directory groups to Harvey user groups, if needed.
  4. Review your mappings carefully before broad rollout.

Step 4: Test and Monitor the Sync

  1. Start provisioning from your identity provider.
  2. Confirm that test users and groups appear correctly in Harvey.
  3. Verify that expected roles and user groups are assigned.
  4. Review Harvey’s audit logs to confirm provisioning events and configuration changes.

Known Limitations

  • SCIM must be enabled for each workspace before configuration is available
  • SCIM requires SSO (SAML) to be configured first
  • Only Microsoft Entra ID and Okta are supported in this release
  • Resetting SCIM removes SCIM configuration and sync state, but does not remove users previously provisioned through SCIM
  • Disabling the SCIM toggle makes SCIM endpoints unavailable until SCIM is re-enabled

Tips for Success

  • Start with a small pilot group before enabling SCIM for your full directory
  • Define your group structure in your identity provider before configuring role mappings in Harvey
  • Choose a default role that gives users appropriate baseline access
  • In Entra, validate email and externalId mappings before turning provisioning on
  • In Okta, use separate groups for assignments and pushed groups to reduce sync issues
  • Review audit logs after setup to confirm users, groups, and roles are syncing as expected

FAQ