Configuring SCIM for Automated User Provisioning in Fullstory

Who can use this feature?
- Requires an Enterprise plan.
- Requires an Admin role to configure.

This article provides guidance for configuring System for Cross-domain Identity Management (SCIM) for your Fullstory account. Currently, SCIM is only supported for Okta as an Identity Provider. SCIM, when used in conjunction with Single Sign-On (SSO), allows you to automate the provisioning and deprovisioning of user accounts in Fullstory directly from your Identity Provider (IdP). This streamlines user management and enhances security. 

This article will cover the following:

Please note: While our published Okta app doesn't currently support SCIM, you can follow the steps below to enable SCIM provisioning by creating a custom SAML app connection in Okta.

Create a new SAML app in Okta

Please note: If your SAML SSO is already configured using our app, you'll need to remove this connection and create a custom SAML app.
  1. In the Admin Console, go to Applications.
  2. Click Create App Integration.
  3. Select SAML 2.0 as the Sign-in method.
  4. Click Next.
  5. Provide the general information for the integration and then click Next.
  6. Provide the necessary SAML settings information for your integration. See Application Integration Wizard SAML field reference for descriptions of individual fields.
  7. Optional. Click Preview the SAML Assertion to view the XML generated from the SAML settings that you provided.
  8. Click Next.
  9. Provide configuration information about your app integration to Okta:
    • If you're adding an integration for internal use only, follow these steps:
      1. Select I'm an Okta customer adding an internal app.
      2. Select This is an internal app that we have created. However, if your app requires more SAML configuration instructions to work with Okta, select It's required to contact the vendor to enable SAML. Fill in the provided fields to help the Okta support team understand your SAML configuration.
      3. Click Finish.
    • Your integration is created in your Okta org. You can modify your integration's parameters and assign it to users.
  10. After you create your SAML app integration, you can follow the SSO setup described in the How do I configure SSO? article.

Enabling SCIM in Fullstory

Note: If you're setting up SSO for the first time in an Umbrella account, repeat these steps for each account in your Umbrella.

Admin users can configure SCIM in Fullstory.

  1. Within Fullstory, go to Settings > Account Management > SSO.
  2. Under Account Provisioning, select SCIM Provisioning from the dropdown menu.

    Note: If you don't see Account Provisioning, ensure that SAML SSO is already configured for your Fullstory organization. See How do I configure SSO? for more information.
  3. Fullstory will display information that you will need to enter into your IdP later, including the following:
    • SCIM connector base URL
    • Unique identifier for users
    • Authentication mode
    • Authorization token
  4. Click Generate Authorization Token. Keep this information secure as it will be used to authorize the connection from your IdP.

CleanShot 2025-04-14 at 13.48.13@2x.png

Setting up the SCIM connection in Okta

The following steps provide an example of how to configure SCIM with Okta. The specific steps may vary depending on your IdP.

  1. From your Okta Admin console, navigate to Applications > Applications.
  2. Select the Okta Application that you have configured for Fullstory SSO.
  3. For the selected Okta Application, click on the General tab and then click Edit.
  4. Under Provisioning, select SCIM and click Save. This will add a Provisioning tab to your Fullstory Okta application.
  5. Click on the new Provisioning tab.
  6. Under Integration, click Edit.
  7. Using the information obtained from Fullstory in the previous section, fill out the following details:
    • SCIM connector base URL
    • Unique identifier field for users
    • Supported provisioning actions
    • Authentication Mode
    • Authorization token
  8. Click Test Connector Configuration.
  9. If the test is successful, click Save.

Mapping User Roles via SCIM Attributes (Recommended)

To automatically assign Fullstory roles to users based on their group memberships in Okta, follow these steps:

  1. In Okta, navigate to Directory > Profile Editor.
  2. Select your Fullstory Okta Application and click + Add Attribute.
  3. Fill out the attribute details with the following information:
Attribute Information Value
Data Type String
Display Name Fullstory Role
Variable Name role
External Namespace urn:ietf:params:scim:schemas:extension:fullstory:2.0:User
Define enumerated list of values Checked

 

  1. Add the following Attribute Members with their corresponding Value:
Please note: The umbrella manager role is not supported via SSO role mapping or SCIM attributes.
Display Name Value
Admin admin
Architect architect
Standard standard
Explorer explorer
Guest guest

 

  1. Ensure Attribute Type is set to Group.
  2. Click Save.
  3. In Okta, navigate back to your Fullstory Okta application and click on the Assignments tab.
  4. Add the groups you want to map to Fullstory roles.
  5. Click the pencil icon to open the Edit Group Assignment screen, you should now see the Fullstory Role attribute.
  6. Select the desired Fullstory role from the dropdown that you want to assign to members of this Okta group.
  7. Click Save and repeat this for all relevant Okta groups.

Enabling SCIM Functionality in the Fullstory Okta App

  1. From the Okta Application, navigate to Provisioning > To App and click Edit.
  2. Select the provisioning features you want Okta to manage. It is recommended to enable Create Users, Update User Attributes, and Deactivate Users.
  3. Click Save.

Converting Existing Users to SCIM Users (If Applicable)

If you already have users assigned to the Fullstory Okta application before configuring SCIM, you may need to manually provision them via SCIM:

  1. In the Okta Application, navigate to the Assignments tab.
  2. Click Import Now to reconcile any differences between the users currently in FSTA and those assigned in Okta

By following these steps, you can successfully configure SCIM for your Fullstory organization, enabling automated user provisioning and deprovisioning through your Identity Provider. This will streamline your user management processes and enhance the security of your Fullstory account. Remember to consult the documentation for your specific Identity Provider for any variations in the configuration steps.

Managing groups with SCIM (SCIM Groups)

SCIM Groups lets you sync group membership from your identity provider (IdP) directly into Fullstory using the SCIM protocol. Instead of manually creating groups and adding members inside Fullstory, your IdP becomes the source of truth—when someone joins or leaves a group in your IdP, the change flows to Fullstory automatically.

Groups are the building blocks of Fullstory's Fine-Grained Access Controls. Once a group exists in Fullstory, you can assign it permissions on spaces. SCIM Groups automates how those groups stay in sync with your organization's team structure.

SCIM Groups is available as part of Fine-Grained Access Controls for Spaces, which is currently in Early Access and becomes generally available for all Enterprise customers on July 29, 2026.

Prerequisites

Before configuring SCIM Groups, confirm the following on the org where you want automated group management:

  • SSO is configured on this org. SCIM requires SSO as an upstream dependency. See How do I configure SSO? or How to configure Okta SSO.
  • SCIM user provisioning is active on this org. Your org must already have SCIM set up for user lifecycle management, as described earlier in this article.
  • At least one FGAC project is enabled on this org. Groups in Fullstory are introduced by enabling an FGAC project. See Fine-Grained Access Controls for Spaces and Groups for Fine-Grained Access Controls.
  • Group members are provisioned in your IdP. Any users you want included in a pushed group must already be provisioned and assigned to the Fullstory app in your IdP.
Multi-org customers: Each Fullstory org requires its own SSO connection, SCIM configuration, and FGAC enablement. If you have multiple orgs, repeat the upstream setup and the steps in this section for each org where you want automated group management.

App assignment vs. Group Push (Okta constraint)

Okta doesn't support using the same group for both app assignment and Group Push. This is an Okta-level constraint, not a Fullstory limitation.

If you currently use an Okta group to assign users to the Fullstory app (under the Assignments tab), you can't also push that same group to Fullstory under the Push Groups tab. Create a separate group with the same members and push that group instead. For more detail, see Okta's documentation on app assignments and Group Push.

Configure SCIM Groups with Okta

Okta is Fullstory's primary supported identity provider for SCIM. If your org uses Okta, follow these steps.

  1. In the Okta Admin Console, navigate to Applications > Fullstory and confirm that provisioning is enabled under the Provisioning tab.
  2. Within the Fullstory app in Okta, click the Push Groups tab. This is where you configure which Okta groups flow to Fullstory.
  3. Click Push Groups and choose your push method:
    • Find groups by name: search for a specific Okta group and push it individually. Best for a small number of groups.
    • Find groups by rule: define a pattern matching on group name or description to push multiple groups at once. Best for many groups that follow a naming convention.
  4. For each group you select, Okta checks whether a matching group already exists in Fullstory:
    • If a match is found, click Link Group to connect the Okta group to the existing Fullstory group and hand membership control to Okta. Existing permission assignments on the group are preserved.
    • If no match is found, Okta creates a new group in Fullstory automatically.
  5. After selecting your groups, click through to push. Then, in Fullstory, go to Settings > Account Management > Groups. Your pushed groups appear with a SCIM-managed badge, and membership editing for those groups is disabled in the Fullstory UI.
  6. Assign permissions to your groups in Fullstory. SCIM manages who is in each group; Fullstory manages what each group can access. See Fine-Grained Access Controls for Spaces to assign space access to your groups. If you linked to existing groups, their permission assignments are already in place.
Using a different identity provider? SCIM is an open standard, and Fullstory's SCIM API implements the standard /Groups endpoints. Identity providers other than Okta that support SCIM group provisioning should work in principle, though our endpoint is built and tested against Okta's implementation. Consult your IdP's documentation for how to configure group provisioning via SCIM, and reach out to your Fullstory account team if you run into issues.

What changes after configuration

Once SCIM Groups is configured:

  • SCIM-managed groups display a badge. In the Groups table under Settings, groups pushed from your IdP show a visual indicator that they're SCIM-managed.
  • Membership editing is disabled for SCIM-managed groups. You can't add or remove users from these groups directly in Fullstory—membership is controlled exclusively from your IdP, whether the group was created fresh by SCIM or was an existing group that SCIM took over via linking.
  • Groups not managed by SCIM remain editable. Any group that hasn't been linked to or created by SCIM stays fully under your control in Fullstory. You can manage membership manually, or take it over with SCIM later by linking it to an IdP group.
  • Group deletion flows from the IdP. If a group is deleted in your IdP, it's deleted in Fullstory. This is a permanent deletion, not an archive.

How Okta sends group updates

Fullstory's Okta integration uses a custom SAML app, so Okta sends PUT requests for all group updates, including name changes and membership changes. This means every group update includes the full group object—the name and complete membership list—rather than incremental add/remove operations. This is expected behavior and works correctly with Fullstory's SCIM endpoint; no action is needed on your part, but it's worth understanding if you're troubleshooting or monitoring SCIM traffic.

Troubleshooting SCIM Groups

Group push returns an error

The most common cause is that FGAC is not yet enabled on your org. Group lifecycle requests to the SCIM endpoint require at least one FGAC project to be active. Reach out to your account team to confirm your org's FGAC status.

Pushed groups aren't appearing in Fullstory

Check two things:

  1. Is SCIM provisioning still active? Confirm under Applications > Fullstory > Provisioning in Okta.
  2. Are the users in those groups assigned to the Fullstory app in Okta? Users who aren't assigned to the app won't appear in pushed groups, even if they're group members on the Okta side.

A group I want to push is already used for app assignment

Create a separate group with the same members and push that instead. Okta doesn't allow the same group to be used for both app assignment and Group Push. See app assignments and Group Push.

Frequently Asked Questions

What happens if I remove a user from a group in my IdP?

The membership change syncs to Fullstory automatically. The user loses whatever access that group provided.

Do I need to reconfigure my existing SCIM integration to use SCIM Groups?

No. SCIM Groups builds on top of your existing SCIM user provisioning. You don't need to change your SCIM connection settings, regenerate tokens, or re-provision users—you're adding group push to what's already there.


Was this article helpful?

Got Questions?

Get in touch with a Fullstory rep, ask the community or check out our developer documentation.