The OpenAI ChatGPT SCIM Integration integration allows identity providers to exchange user identity data with OpenAI, automating the provisioning and deprovisioning of user accounts in ChatGPT Enterprise based on organizational changes.
Which IDPs are supported by the SCIM integration?
Supported IDPs include Okta, Entra ID (Azure AD), Google Workspace, PingFederate, OneLogin, Rippling, and more, with options for custom SCIM implementations and an SFTP endpoint for CSV file provisioning.
How do I set up the SCIM integration?
In the Identity and Provisioning tab, ChatGPT users with Owner access can enable “directory sync”, guiding them through setting up directory sync with your IdP provider via the WorkOS portal. Here’s a view of the WorkOS portal:
Can users be manually added in addition to using SCIM?
Yes, users can still be manually added through the ChatGPT admin console. The “Members” section will indicate which users are managed by SCIM versus those added manually.
What does it mean to be “managed by SCIM”?
“Managed by SCIM” means a user’s account is controlled through automated provisioning and deprovisioning based on synced directory information. Manually added users are not managed by SCIM unless later synced from the directory.
What happens when a user is provisioned by SCIM?
See answer under question Will users receive an email invite when they are added using SCIM?
Will users receive an email invite when they are added using SCIM?
If the user is already in the workspace and becomes SCIM managed, they will not receive an email.
If a user is provisioned with SCIM and the user is not already a member of the workspace, the user will be sent an email letting them know they have been invited to the workspace.
The provisioned user needs to accept the invitation to become a workspace member. If the user does not accept the invitation, the user will continue to show as a “Pending Invite” in the Members tab.
What happens if a user's first name and last name in ChatGPT don't match what is in the IDP?
It's expected that a ChatGPT user will be able to edit their name in our services. When you implement SCIM, the name that's associated with the email in your IDP will not override what's there in ChatGPT. There should be no problem for SCIM if the names don't match, as users are linked via their email address only.
How does Automatic Account Creation interact with SCIM?
Automatic Account Creation provisions users reactively, at the time they attempt to sign up or log in. This is known as “just-in-time” provisioning. By contrast, SCIM provisions users proactively, as soon as they are added to a specified IdP group.
As a best practice, we strongly recommend against enabling both Automatic Account Creation and SCIM. Enabling both features on your account may result in provisioning access to unmanaged users. Remember that only those users managed by SCIM can be automatically deactivated in response to changes in IdP group membership.
How do I enable Groups with my SCIM integration?
When you enable the directory sync with ChatGPT, your existing synced directories will be automatically synced with ChatGPT Groups. Any group you choose to sync with your IdP will be automatically reflected in ChatGPT.
You will still have the ability to manually create groups in your ChatGPT workspace settings.
Will the SCIM group overwrite the ChatGPT group?
No. If a group with the same name already exists in your ChatGPT workspace, it will not be overwritten by the SCIM group. The newly created SCIM group will have the same name as the ChatGPT group and can be differentiated using the SCIM tag beside its name.
How can I tell which users or groups were added via SCIM?
In the Members and Groups sections of your ChatGPT workspace settings, each user or group will have a badge next to its name to indicate if it was added via SCIM.
How often does the SCIM directory sync?
Whereas some services, like Okta, may sync immediately, most services sync every 30 - 40 minutes.
Is there a way to force directory syncs?
At the moment, there is no way to force a SCIM directory sync. Please contact Support by creating a ticket on the bottom-corner of this Help page if you experience issues with your SCIM directory.
What happens to a user’s data if they are removed and then added back via SCIM?
We retain user data for up to 30 days. If a user is removed and added back before this time, they will retain their data.
Can SCIM be enabled for both my ChatGPT Enterprise workspace and my Platform organization?
Yes, you can enable SCIM with two different directories/apps for your ChatGPT workspace and your Platform organization.