Setting up SSO and SCIM
Single Sign-On (SSO) allows users to access multiple apps using one set of credentials managed by an Identity Provider (IdP). Guru supports SSO and automatic user and Group provisioning via the SCIM (System for Cross-domain Identity Management) standard. To enable automatic provisioning, SSO must be configured first.
Access Required
You must be a workspace Admin to access the SSO/SCIM page and enable SSO in Guru.
Setting up SSO
Step 1: Set up the connection in your Identity Provider
Start by configuring the SSO connection for Guru in your IdP. You’ll need information from Guru’s SSO/SCIM page.
- In Guru, go to Manage > SSO/SCIM.
| Guru provides | Your IdP provides |
|---|---|
| - Your Guru Team ID | - IdP Issuer |
| - Guru Single Sign-On URL | - IdP Single Sign-On URL |
| - Audience URI | - X.509 Certificate |
Step 2: Set up SSO in Guru
Once you’ve configured the connection in your IdP, complete setup in Guru.
- In Guru, navigate to Manage > SSO/SCIM.
- Fill in the following fields using information from your IdP:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
- Select your Provision Type:
- Automatically add users – Guru adds users on their first SSO login. 💳 Billing applies per user seat.
- Require users to be invited – Invite users manually.
- Set the Session Timeout (in days). Default is 14 days.
- Change the SSO state to Enabled.
Frequently Asked Questions about SSO
How do I add external users after SSO is enabled?
Add external users to your IdP. If that’s not possible, assign them an Admin role in Guru—Admins can log in using a password.
What happens to logged-in users after SSO is enabled?
They remain logged in until their session expires or they log out. Afterward, they must log in via the IdP.
What’s the difference between SSO and domain discovery?
- Domain discovery lets users join Guru with a matching email domain.
- SSO enables secure login through a third-party IdP like Okta or OneLogin.
Setting up SCIM
Note
When both SSO and SCIM are enabled, Guru Admins cannot invite users from the Guru web app. Manage users via your IdP.
- In Guru, go to Manage > SSO/SCIM.
- Toggle Authorize SCIM Provisioning to ON.
Supported Identity Providers
Guru supports any IdP with SCIM 2.0 support. Specific setup guides:
Need help with an unlisted IdP? Contact Guru Support
Note
Guru does not support automatic provisioning through Office 365. Only Google SSO and standard SAML are supported.
Suggest features in the Product Feedback section of the Guru Community.
Frequently Asked Questions about SCIM
What happens after SCIM is enabled?
- Users, Groups, and Group assignments sync from your IdP to Guru.
- Exact matches in Guru are merged and become uneditable in Guru.
- Synced users/Groups display a sync icon (🔄) next to their names.
- Non-matching users/Groups remain editable in Manage > All Members.
How can I identify synced users or Groups?
Synced entries show a sync icon (🔄).
Does Guru support Group linking?
Yes. SCIM Groups link 1:1 with Guru Groups while retaining Collection permissions. If a Group name matches, linking is automatic.
What happens when I remove a user in the IdP?
- The user is immediately deleted in Guru.
- If the user was a verifier, Guru reassigns their Cards to the Collection owner.
If none exists, the top verifier is assigned.
Can I manage users and Groups in Guru after SCIM is enabled?
- Non-synced Group: Editable in Guru (add/remove users, manage Group).
- Synced Group (🔄): Manage only via your IdP.
- Synced user: Can be added to a non-synced Group in Guru.
Can SCIM populate Guru profiles?
No. Use an HRIS sync to import data into profiles.
Updated 4 days ago