This article helps you:
Handle provisioning and group management programmatically, via a public API
In Amplitude, the User Management API provides a programmatic solution to provisioning and group management through a public API. With it, you can quickly and easily manage your organizations at scale and integrate the provisioning process with other tools, including identity providers.
The User Management API follows the SCIM 2.0 Standard. It allows for the creation, retrieval, update, and deletion calls for users (including pending users) and permission groups.
For a technical guide and spec for interfacing with the SCIM API, see the SCIM API guide in our developer docs. It's useful for developers testing the SCIM API, developing scripts that call the Amplitude SCIM API, or constructing one-off requests.
This feature is available to users on Enterprise plans only. See our pricing page for more details.
The User Management API works in tandem with permission groups.
If you plan on using SCIM provisioning to integrate with an identity provider/SSO solution, make sure SCIM is also enabled within that tool as well.
If SCIM provisioning is available in your organization, you can find it in the Access and SSO Settings section of your organization's settings menu, under Provisioning Settings:
Simply set the Enable SCIM Provisioning toggle to Enabled. Then click Generate SCIM Key to generate the access token used to authenticate requests for the SCIM API.
For security reasons, the SCIM Key is only available once and will not be surfaced in the product afterwards. If you lose access to the key, click Regenerate SCIM Key. Be sure to keep a record of the new key. When generating/regenerating the SCIM key, changes are applied immediately and the old key will be rejected from future API calls, even if the other changes on the page have not yet been saved.
Amplitude currently supports all fields of the core group schema of SCIM, as well as the following fields in the core user schema:
SCIM user attribute | Special note |
userName |
equivalent to email |
givenName |
prepended to familyName to create display name |
familyName |
appended to givenName to create display name |
email |
only one email is allowed |
active |
active is true for invited users as well as joined users |
In Okta, the Amplitude SCIM API provides the following features:
The best way to integrate Okta provisioning with Amplitude is with the Amplitude application within the Okta Integration Network. To do so, follow these steps:
Users are only asked to provide their first and last names upon first sign-up in Amplitude, though they may be invited to an organization before this happens. If Import Users is used while there are pending users that have never been in any Amplitude organization, the SCIM API will place placeholder values for their first and last names (NO_GIVEN_NAME
and NO_FAMILY_NAME
, respectively).
Additionally, there can sometimes be issues when authenticating an identity provider's application with Amplitude's SCIM API. For example, this can happen when testing the SCIM connection within Okta. In these instances, try this procedure:
Thanks for your feedback!
May 17th, 2024
Need help? Contact Support
Visit Amplitude.com
Have a look at the Amplitude Blog
Learn more at Amplitude Academy
© 2024 Amplitude, Inc. All rights reserved. Amplitude is a registered trademark of Amplitude, Inc.