You can configure Gtmhub to automatically create and deactivate users whenever they are provisioned and deprovisioned from the application in your Identity Provider. What's more, you can configure each user's first name, last name, manager, and team to be automated from the IdP.

For all Identity Providers that support hierarchical employee org chart (the manager field is a linked user) Gtmhub can create or map the corresponding teams, add the users to them, and create an organizational hierarchy based on the team and manager attributes of each user.

Whenever a previously created automated team has no members, Gtmhub will add "(deactivated)" to that team's name.

Each Identity Provider has a slightly different SCIM auto-provisioning interval interval. Azure AD will ping Gtmhub every 40 minutes, but in practice, it might take a bit more. This is entirely controlled by your IdP.

To configure Gtmhub

Issue a SCIM token

  1. Navigate to Settings, then go to API Tokens on the left-hand menu.

  2. Click on 'Issue token'.

    1. Give your token a name (so you can distinguish which app is integrated via it later)

    2. and then select SCIM from the dropdown.

Once ready with the token, click on the masked portion it to copy the value

You will need the SCIM token when setting up SCIM authentication in your Identity Provider.

Configure org structure provisioning

You can control the the Gtmhub behavior when a new user is provisioned via SCIM.

  1. Navigate to the SCIM Provisioning tab in the left-hand navigation

  2. In Create teams, choose which field should the system use to do so.

    1. If you choose Department, Gtmhub will take the name of the department field configured in your IdP SCIM mappings and create a team with that name. So in practice, when that mode is enabled Department is equal to a Team in Gtmhub.

    2. If in your Identity Provider org structure you have multiple people that have the same department, but there's a hierarchical relationship between them and they have teams on their own, it's better to select the Manager option. When this option is selected, Gtmhub will create (or map) a team with that same Department name and will then use the manager field to create sub-teams that will be called '{Department name} - {User Names}'. E.g. the final result would look like this: the parent team would be 'Sales', and then a sub-team would be 'Sales - John Harrison'.

In practice, you can instrument your IdP to sync team names from your HCM system into the Department field, which will then sync to Gtmhub. Alternatively, you can create a custom attribute in your AD and sync team names from your HCM into it. You can then configure in the attribute mappings this field to map to teams in Gtmhub.

If you are using Workday as your HCM, you can integrate Gtmhub directly with it so that the team hierarchy in Gtmhub is managed directly from the source. For more information, please refer to How to Connect Workday.

To configure your Identity Provider

Supported fields and mappings

Gtmhub implements a fully standardized SCIM support. You can see which fields are supported by our SCIM server and use them to configure your IdP SCIM mappings by inspecting the SCIM schema at:

SCIM Authentication


When configuring SCIM in your IdP you will need to provide your Gtmhub account-specific SCIM URL (also referred to as SCIM Connector Base URL). Its value is as follows:

Where the highlighted part must be replaced with your actual Gtmhub Account ID. You can find your Account ID by logging in to your Gtmhub account and navigating to Settings -> API Tokens.

2. SCIM Token

The Gtmhub SCIM server supports HTTP authentication via Bearer token. if your IdP supports sending an HTTP Header for authentication select that option. To obtain your token value refer to the steps described in Issue a SCIM token earlier in this article.

NOTE: If you are using Azure AD, the currently available version of the Gtmhub gallery app does not support user hierarchy synchronization based on the departnemnt field.To use Gtmhub's latest user provisioning app, please follow this procedure as described by Microsoft.

Did this answer your question?