SCIM (System for Cross-domain Identity Management) Integration

Set up SCIM in Harvey to automate user provisioning, deprovisioning, and group-based access management through your organization’s identity provider.

Last updated: May 11, 2026


Overview

SCIM integration connects Harvey to your organization’s Identity Provider (IdP), enabling automated user provisioning, role and group synchronization, and centralized access management from a single source of truth.

With SCIM in Harvey, you can:

  • Automatically provision and deprovision users: Create, update, and deactivate user accounts directly from your Identity Provider—eliminating manual user management
  • Synchronize roles and group memberships: Map directory groups to Harvey roles and keep permissions aligned automatically
  • Sync directory groups to Harvey User Groups: When you enable group syncing, Harvey automatically creates a corresponding Harvey User Group for each IdP group you select. Membership stays in sync as your directory changes — no manual setup or mapping required.
  • Centralize identity management: Manage access to Harvey from your existing identity system
  • Improve security and compliance: Enforce least-privilege access and automatically remove outdated permissions
  • Reduce administrative overhead: Eliminate manual onboarding and offboarding workflows

Prerequisites:

  • SSO (SAML) is configured and enabled for your workspace
  • SCIM is enabled for your workspace
  • You have admin access to configure identity settings

How to Use

Step 1: Enable SCIM in Harvey

In-app screenshot of Identity & Access page within Settings.
  1. Go to Settings → Identity & Access
  2. Turn on the SCIM provisioning toggle
  3. Click Setup SCIM
  4. Select a default role for users not included in any mapped group
  5. Copy the SCIM URL and SCIM token (used in your IdP)

Step 2: Connect with Identity Provider

In-app screenshot showing where the user can select their identity provider.

Microsoft Entra

Screenshot of Enterprise applications page in Microsoft Entra admin center.
  1. Sign in to the Microsoft Entra admin center
  2. Go to Enterprise apps → New application
  3. Select Create your own application
  4. Name the app (e.g., Harvey.ai) and choose Non-gallery application
  5. Open the app → go to Provisioning
  6. Select Connect Your Application
  7. Choose Bearer authentication
  8. Paste:
    • SCIM URL → Tenant URL
    • SCIM token → Secret token
  9. Keep the aadOptscim062020 query parameter in the Tenant URL
  10. Click Test Connection, then save

Mappings:

  • Ensure externalId maps to objectId
  • Ensure emails[type eq "work"].value maps to a valid email attribute
  • Enable provisioning for users and groups (Create, Update, Delete)

Finalize setup:

  • Assign users and groups under Users and groups
  • Set scope to Sync only assigned users and groups
  • Turn Provisioning Status = On
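Before turning provisioning on in either Entra or Okta, it helps to check that the user payload your IdP will send carries the attributes the mappings above depend on. The following is an added illustration, not Harvey's or Microsoft's or Okta's code: it validates a SCIM 2.0 User resource for a present externalId, a usable emails[type eq "work"].value, and an email domain that matches the workspace domain (a known limitation listed further down). The workspace domain, the sample payloads and the user identifiers are constructed for the example.

```python
"""Pre-flight check for the SCIM attribute mappings the Harvey setup relies on.
Added illustration; not Harvey's or any identity provider's code."""
from __future__ import annotations

import re
from typing import Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Assumed workspace email domain (placeholder); substitute your own.
WORKSPACE_DOMAIN = "example.com"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def work_email(user: dict) -> Optional[str]:
    """Return the value the IdP maps to emails[type eq "work"].value, if any."""
    for entry in user.get("emails", []):
        if isinstance(entry, dict) and entry.get("type") == "work" and entry.get("value"):
            return str(entry["value"])
    return None


def validate_scim_user(user: dict, workspace_domain: str = WORKSPACE_DOMAIN) -> list[str]:
    """Return the list of mapping problems; an empty list means the payload passes."""
    problems: list[str] = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("schemas must include the core User schema")
    if not user.get("userName"):
        problems.append("userName is required")
    # externalId is what lets Harvey recognise the same directory object on later updates.
    if not user.get("externalId"):
        problems.append("externalId is missing (map it to the IdP objectId)")
    email = work_email(user)
    if email is None:
        problems.append('no emails[type eq "work"].value in payload')
    elif not EMAIL_RE.fullmatch(email):
        problems.append(f"work email {email!r} is not a valid address")
    elif email.rsplit("@", 1)[1].lower() != workspace_domain.lower():
        problems.append(f"work email domain must match the workspace domain {workspace_domain}")
    # Deactivation is signalled through active=false, so it must be a real boolean.
    if "active" in user and not isinstance(user["active"], bool):
        problems.append("active must be a JSON boolean, not a string")
    return problems


# Constructed sample payloads (not captured from a real IdP).
GOOD_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "3f0a6b1c-0000-4000-8000-000000000001",  # constructed objectId
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "type": "work", "value": "jane.doe@example.com"}],
    "active": True,
}
BAD_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "guest@partner.example",
    "emails": [{"primary": True, "type": "other", "value": "guest@partner.example"}],
    "active": "true",
}

if __name__ == "__main__":
    for label, user in (("good", GOOD_USER), ("bad", BAD_USER)):
        print(label, validate_scim_user(user) or "OK")
```

Run it against a payload exported from your IdP's provisioning test (Entra's "Provision on demand" or Okta's attribute preview) before assigning real users; a non-empty problem list points at the mapping row to fix.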

Okta

Screenshot of Applications page in Okta.
  1. Sign in to the Okta admin console
  2. Go to Applications → Applications
  3. Click Browse App Catalog
  4. Add SCIM 2.0 Test App (OAuth Bearer Token)
  5. Name the app (e.g., Harvey.ai)

Configure provisioning:

  1. Go to Provisioning → Configure API Integration
  2. Enable API integration
  3. Paste:
    • SCIM URL → Base URL
    • SCIM token → Bearer Token
  4. Test credentials and save

Enable provisioning actions:

  • Create Users
  • Update User Attributes
  • Deactivate Users

Finalize setup:

  • Assign users in Assignments
  • Push groups in Push Groups
  • Use separate groups for assignments vs pushed groups

Step 3: Map Groups and Roles in Harvey

Harvey has two distinct group concepts:

  1. IdP groups are the groups managed in your identity provider (Okta, Entra).
  2. Harvey User Groups are the groups used for sharing and collaboration within Harvey.

SCIM can map IdP groups to Harvey roles, and separately sync IdP groups to Harvey User Groups. Both are covered in this step.

In-app screenshot showing where user can set up workspace role mapping with their identity provider.

To map groups and roles:

  1. In Harvey, go to Settings → Identity & Access
  2. Map synced directory groups to Harvey roles
  3. Review mappings carefully before rollout

Sync IdP Groups to Harvey User Groups

In addition to mapping IdP groups to Harvey roles, you can sync IdP groups to Harvey User Groups — the groups used for sharing and collaboration within Harvey.

How it works: When you enable syncing for an IdP group, Harvey automatically creates a new Harvey User Group for that IdP group. Membership in that group is then managed entirely by SCIM — as users are added or removed from the group in your identity provider, Harvey reflects those changes automatically.


Key behaviors to be aware of:

  • Each IdP group syncs to exactly one Harvey User Group (1:1). Harvey always creates a new group — it does not map to pre-existing Harvey groups.
  • SCIM-managed groups do not allow manual membership changes in Harvey. SCIM is the sole source of truth for those groups.
  • Harvey User Groups you create manually are completely independent of SCIM. You can continue to create and manage manual groups even when SCIM is enabled.
  • Disabling the sync for an IdP group removes the corresponding Harvey User Group from that workspace.

To set up group syncing:

  1. In Harvey, go to Settings → Identity & Access.
  2. Under SCIM settings, you'll see a list of IdP groups available to sync.
  3. Toggle on the groups you want Harvey to sync as User Groups.

Harvey will create the corresponding User Groups and begin syncing membership automatically.
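The key behaviors above (one IdP group to one new Harvey User Group, SCIM as the only writer of that group's membership, manual groups left alone, and removal on unsync) can be made concrete with a small reference model of the workspace side of the exchange. This is an added example, not Harvey's implementation: it consumes SCIM 2.0 PatchOp messages of the kind an IdP sends for group membership and applies them to an in-memory store. Group and user identifiers are constructed, and the `Workspace` class and its methods are hypothetical names.

```python
"""Reference model of SCIM-synced Harvey User Groups (added illustration,
not Harvey's code). Applies SCIM 2.0 PatchOp membership changes and enforces
the behaviors described for SCIM-managed groups."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# SCIM 2.0 removes one member with a filtered path such as: members[value eq "user-id"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


@dataclass
class UserGroup:
    harvey_id: str
    name: str
    members: set = field(default_factory=set)
    idp_group_id: Optional[str] = None  # set only when SCIM created the group

    @property
    def scim_managed(self) -> bool:
        return self.idp_group_id is not None


class Workspace:
    """Hypothetical model of one workspace's User Groups."""

    def __init__(self) -> None:
        self.groups: dict[str, UserGroup] = {}
        self._by_idp: dict[str, str] = {}  # IdP group id -> Harvey group id
        self._ids = count(1)

    def _new_id(self) -> str:
        return f"hug-{next(self._ids)}"

    def create_manual_group(self, name: str, members=()) -> str:
        gid = self._new_id()
        self.groups[gid] = UserGroup(gid, name, set(members))
        return gid

    def enable_sync(self, idp_group_id: str, display_name: str, members=()) -> str:
        if idp_group_id in self._by_idp:
            raise ValueError(f"{idp_group_id} is already synced (1:1 mapping)")
        gid = self._new_id()  # always a new group; never attaches to an existing one
        self.groups[gid] = UserGroup(gid, display_name, set(members), idp_group_id)
        self._by_idp[idp_group_id] = gid
        return gid

    def disable_sync(self, idp_group_id: str) -> None:
        """Unsyncing removes the corresponding Harvey User Group."""
        del self.groups[self._by_idp.pop(idp_group_id)]

    def add_member_manually(self, harvey_id: str, user_id: str) -> None:
        group = self.groups[harvey_id]
        if group.scim_managed:
            raise PermissionError("membership of a SCIM-managed group is set by the IdP")
        group.members.add(user_id)

    def apply_patch(self, idp_group_id: str, patch: dict) -> set:
        """Apply a SCIM PatchOp from the IdP and return the resulting membership."""
        if SCIM_PATCH_SCHEMA not in patch.get("schemas", []):
            raise ValueError("not a SCIM PatchOp")
        group = self.groups[self._by_idp[idp_group_id]]
        for op in patch["Operations"]:
            kind, path = op["op"].lower(), op.get("path", "")
            if kind == "add" and path == "members":
                group.members |= {m["value"] for m in op["value"]}
            elif kind == "replace" and path == "members":
                group.members = {m["value"] for m in op["value"]}
            elif kind == "remove" and (m := MEMBER_FILTER.match(path)):
                group.members.discard(m.group(1))
            elif kind == "remove" and path == "members":
                group.members.clear()
            else:
                raise ValueError(f"unsupported operation: {op}")
        return set(group.members)


def manual_change_allowed(ws: Workspace, harvey_id: str, user_id: str) -> bool:
    try:
        ws.add_member_manually(harvey_id, user_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    ws = Workspace()
    gid = ws.enable_sync("idp-legal", "Legal", {"u-1", "u-2"})  # constructed ids
    patch = {"schemas": [SCIM_PATCH_SCHEMA], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "u-3"}]},
        {"op": "remove", "path": 'members[value eq "u-1"]'},
    ]}
    print(ws.apply_patch("idp-legal", patch), manual_change_allowed(ws, gid, "u-9"))
```

The `remove` branch with a filtered path is the shape both Entra and Okta use for single-member removals, so a server that only handles `path == "members"` would silently leave departed users in the group; that is exactly the case to check when you verify group membership in Step 4.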


Step 4: Test and Monitor the Sync

  1. Start provisioning from your IdP
  2. Confirm users and groups appear correctly in Harvey
  3. Verify role assignments
  4. Review audit logs for provisioning activity

Known Limitations

  • Admin configuration is required through your Identity Provider
  • SCIM behavior depends on your IdP configuration and mappings
  • Only Microsoft Entra ID (Azure AD) and Okta are currently supported
  • SCIM does not support SAML JIT provisioning
  • SCIM must be enabled per workspace
  • Resetting SCIM removes configuration and sync state, but not users
  • Disabling SCIM makes endpoints unavailable until re-enabled
  • User email domains must match the workspace domain
  • Role assignments must be managed via SCIM (not manually in Harvey)
  • SCIM-created Harvey User Groups do not allow manual membership changes. Membership for those groups is fully managed by your identity provider.

Tips for Success

  • Start with a small pilot group before full rollout
  • Define your group structure in your IdP before mapping roles
  • Choose a default role with appropriate baseline access
  • Validate mappings (especially email and externalId) before enabling provisioning
  • Use separate groups in Okta to avoid sync issues
  • Review audit logs after setup to confirm expected behavior
  • Ensure users are provisioned through your IdP before attempting login

FAQ