> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agentkit`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Onboard enterprise customers Complete workflow for enabling SCIM provisioning and self-serve directory sync configuration for your enterprise customers Enterprise provisioning with SCIM enables you to automatically create, update, and deactivate users in your application based on changes in your customers' directory providers such as Okta, Microsoft Entra ID, or Google Workspace. This gives enterprise customers centralized user lifecycle management while reducing manual administration and access drift. > Image: How Scalekit connects your application to enterprise directories and identity providers This guide walks you through the complete workflow for onboarding enterprise customers with SCIM provisioning. You'll learn how to create organizations, provide admin portal access, enable directory sync, and verify that provisioning works end to end. Before onboarding enterprise customers with provisioning, ensure you have completed the [SCIM quickstart](/directory/scim/quickstart/) to set up basic directory sync in your application. ## Table of contents - [Create organization](#create-organization) - [Provide admin portal access](#provide-admin-portal-access) - [Customer configures SCIM provisioning](#customer-configures-scim-provisioning) - [Verify provisioning and run test sync](#verify-provisioning-and-run-test-sync)

1. ## Create organization Create an organization in Scalekit to represent your enterprise customer: - Log in to the [Scalekit dashboard](https://app.scalekit.com) - Navigate to **Dashboard > Organizations** - Click **Create Organization** - Enter the organization name and relevant details - Save the organization Each organization in Scalekit represents one of your enterprise customers and can have its own directory sync settings, SSO configuration, and domain associations. 2. ## Provide admin portal access Give your customer's IT administrator access to the self-serve admin portal to configure their directory and SCIM connection. Scalekit provides two integration methods: **Option 1: Share a no-code link** Generate and share a link to the admin portal: - Select the organization from **Dashboard > Organizations** - Click **Generate link** in the organization overview - Share the link with your customer's IT admin via email, Slack, or your preferred channel The link remains valid for 7 days and can be revoked anytime from the dashboard. **Link properties:** | Property | Details | | -------- | ------- | | **Expiration** | Links expire after 7 days | | **Revocation** | Revoke links anytime from the dashboard | | **Sharing** | Share via email, Slack, or any preferred channel | | **Security** | Anyone with the link can view and update the organization's connection settings | The generated link follows this format: ```http title="Portal link example" wrap showLineNumbers=false https://your-app.scalekit.dev/magicLink/2cbe56de-eec4-41d2-abed-90a5b82286c4_p ``` > caution: Security consideration > > Treat portal links as sensitive credentials. Anyone with the link can view and modify the organization's SSO and SCIM configuration. **Option 2: Embed the portal** Embed the admin portal directly in your application so customers can configure SCIM provisioning and SSO without leaving your interface. The portal link must be generated programmatically on each page load for security. Each generated link is single-use and expires after 1 minute, though once loaded, the session remains active for up to 6 hours. ### Node.js ```bash showLineNumbers=false frame="none" npm install @scalekit-sdk/node ``` ### Python ```sh showLineNumbers=false frame="none" pip install scalekit-sdk-python ``` ### Go ```sh showLineNumbers=false frame="none" go get -u github.com/scalekit-inc/scalekit-sdk-go ``` ### Java ```groovy showLineNumbers=false frame="none" /* Gradle users - add the following to your dependencies in build file */ implementation "com.scalekit:scalekit-sdk-java:2.0.11" ``` ```xml showLineNumbers=false frame="none" com.scalekit scalekit-sdk-java 2.0.11 ``` ### Generate portal link Use the Scalekit SDK to generate a unique, embeddable admin portal link for an organization. Call this API endpoint each time you render the page containing the iframe: ### Node.js ```javascript title="Express.js" collapse={1-6} {8-10} const scalekit = new Scalekit( process.env.SCALEKIT_ENVIRONMENT_URL, process.env.SCALEKIT_CLIENT_ID, process.env.SCALEKIT_CLIENT_SECRET, ); async function generatePortalLink(organizationId) { const link = await scalekit.organization.generatePortalLink(organizationId); return link.location; // Use as iframe src } ``` ### Python ```python title="Flask" collapse={1-6} {8-10} from scalekit import Scalekit scalekit_client = Scalekit( environment_url=os.environ.get("SCALEKIT_ENVIRONMENT_URL"), client_id=os.environ.get("SCALEKIT_CLIENT_ID"), client_secret=os.environ.get("SCALEKIT_CLIENT_SECRET") ) def generate_portal_link(organization_id): link = scalekit_client.organization.generate_portal_link(organization_id) return link.location # Use as iframe src ``` ### Go ```go title="Gin" collapse={1-10} {12-18} "context" "os" "github.com/scalekit/sdk-go" ) scalekitClient := scalekit.New( os.Getenv("SCALEKIT_ENVIRONMENT_URL"), os.Getenv("SCALEKIT_CLIENT_ID"), os.Getenv("SCALEKIT_CLIENT_SECRET"), ) func generatePortalLink(organizationID string) (string, error) { ctx := context.Background() link, err := scalekitClient.Organization().GeneratePortalLink(ctx, organizationID) if err != nil { return "", err } return link.Location, nil // Use as iframe src } ``` ### Java ```java title="Spring Boot" collapse={1-8} {10-16} Scalekit scalekitClient = new Scalekit( System.getenv("SCALEKIT_ENVIRONMENT_URL"), System.getenv("SCALEKIT_CLIENT_ID"), System.getenv("SCALEKIT_CLIENT_SECRET") ); public String generatePortalLink(String organizationId) { Link portalLink = scalekitClient.organizations() .generatePortalLink(organizationId, Arrays.asList(Feature.sso, Feature.dir_sync)); return portalLink.getLocation(); // Use as iframe src } ``` The API returns a JSON object with the portal link. Use the `location` property as the iframe `src`: ```json title="API response" {3} showLineNumbers=false { "id": "8930509d-68cf-4e2c-8c6d-94d2b5e2db43", "location": "https://random-subdomain.scalekit.dev/magicLink/8930509d-68cf-4e2c-8c6d-94d2b5e2db43", "expireTime": "2024-10-03T13:35:50.563013Z" } ``` ```html title="Embed portal in iframe" {2} wrap showLineNumbers=false ``` Embed the portal in your application's settings or admin section where customers manage authentication configuration. Listen for UI events from the embedded portal to respond to configuration changes, such as when directory sync is enabled, provisioning is tested, or the session expires. See the [Admin portal UI events reference](/reference/admin-portal/ui-events/) for details on handling these events. ### Configuration and session | Setting | Requirement | | ------- | ----------- | | **Redirect URI** | Add your application domain at **Dashboard > Developers > API Configuration** | | **iframe attributes** | Include `allow="clipboard-write"` for copy-paste functionality | | **Dimensions** | Minimum recommended height: 600px | | **Link expiration** | Generated links expire after 1 minute if not loaded | | **Session duration** | Portal session remains active for up to 6 hours once loaded | | **Single-use** | Each generated link can only be used once to initialize a session | > tip: Generate fresh links > > Generate a new portal link on each page load rather than caching the URL. This ensures security and prevents expired link errors. 3. ## Customer configures SCIM provisioning After receiving admin portal access, your customer's IT administrator: - Opens the admin portal (via shared link or embedded iframe) - Selects their directory integration (Okta, Microsoft Entra ID, Google Workspace, etc.) - Follows the provider-specific SCIM or directory sync setup guide - Enters the required configuration (SCIM endpoint URL, access token, and any required headers) - Tests user provisioning from their directory to your application - Activates the SCIM connection Once configured, the directory sync or SCIM connection appears as active in your organization's settings. > tip: SCIM configuration guides > > Share the appropriate [SCIM integration guide](/guides/integrations/scim-integrations/) with your customer's IT team to help them configure their directory correctly. 4. ## Verify provisioning and run test sync After SCIM provisioning is configured, verify that user and group changes flow correctly from the customer's directory into your application. This ensures your enterprise onboarding is reliable before rolling out broadly. To verify provisioning: - Create a test user in the customer's directory and assign them to the appropriate groups or applications - Confirm that the user appears in your application's organization with the expected attributes (name, email, roles, and status) - Update the user's attributes or group memberships in the directory and verify that changes propagate to your application - Deactivate or delete the test user in the directory and ensure their access is revoked in your application > note: Home realm discovery and SSO (optional) > > You can optionally combine SCIM provisioning with SSO and domain verification so that users are both automatically provisioned and routed to the correct identity provider at sign-in. See the SSO onboarding guides if you want to add SSO on top of SCIM. ## Customize the admin portal Match the admin portal to your brand identity. Configure branding at **Dashboard > Settings > Branding**: | Option | Description | | ------ | ----------- | | **Logo** | Upload your company logo (displayed in the portal header) | | **Accent color** | Set the primary color to match your brand palette | | **Favicon** | Provide a custom favicon for browser tabs | > note: Branding scope > > Branding changes apply globally to all portal instances (both shareable links and embedded iframes) in your environment. For additional customization options including custom domains, see the [Custom domain guide](/guides/custom-domain/). --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |