OpenAI Platform SCIM Integration - FAQ
Updated over 2 months ago

The OpenAI SCIM Integration allows identity providers to exchange user identity data with OpenAI, automating the provisioning and deprovisioning of user accounts in the OpenAI Platform based on organizational changes.

SCIM integration is only available for customers on Custom or Unlimited Billing Plans. To learn more about these Billing Plans, please contact the OpenAI Sales team.

Which IdPs are supported by the SCIM integration?

Supported IdPs include Okta, Entra ID (Azure AD), Google Workspace, PingFederate, OneLogin, Rippling, and more, with options for custom SCIM implementations and an SFTP endpoint for CSV file provisioning.

How do I set up the SCIM integration?

In the Identity settings, users with Owner access can enable “directory sync”, which guides them through setting up directory sync with your IdP via the WorkOS portal.

Can users be manually added in addition to using SCIM?

Yes, users can still be manually added through the Platform settings or the Administration API. The “Members” section will indicate which users are managed by SCIM versus those added manually.

What does it mean to be “managed by SCIM”?

“Managed by SCIM” means a user’s account is controlled through automated provisioning and deprovisioning based on synced directory information. Manually added users are not managed by SCIM unless later synced from the directory.

What happens when a user is provisioned by SCIM?

When a user is provisioned by SCIM, the user receives an invite to the Platform organization. The provisioned user needs to accept the invitation or log in again to become an organization member. If the user does not accept the invitation, the user will continue to show as a “Pending Invite” in the Members tab.

What happens if a user's first name and last name in ChatGPT don't match what is in the IdP?

It's expected that a ChatGPT user will be able to edit their name in our services. When you implement SCIM, the name that's associated with the email in your IdP will not override what's there in ChatGPT. There should be no problem for SCIM if the names don't match, as users are linked via their email address only.

Will users receive an email invite when they are added using SCIM?

If a user is provisioned with SCIM and the user isn't already a member of the organization, the user will be sent an email letting them know they have been invited to the organization. If the user is already in the organization and becomes SCIM managed, they will not receive an email.

How can I tell which users were added via SCIM?

In the Organization Members section of your Platform settings, each user or invite will have a badge next to its name to indicate if it was added via SCIM.

How often does the SCIM directory sync?

Whereas some services, like Okta, may sync immediately, most services sync every 30 - 40 minutes.

Is there a way to force directory syncs?

At the moment, there is no way to force a SCIM directory sync. Please contact Support by creating a ticket in the bottom corner of this Help page if you experience issues with your SCIM directory.

What updates can I make to my users via SCIM?

We currently support syncing name updates from your Identity Provider (IdP). Please note that if a user belongs to multiple organizations, any name changes will be applied across all of them. Users can also manually update their own name at any time.

Can I enable Groups with my SCIM integration?

At this time, SCIM Groups are not yet supported. Users provisioned via SCIM will automatically be invited to the organization and assigned to its Default Project with the Reader role.
