Overview of SSO & SCIM / User-Provisioning in Lemontaps

Modified on Tue, 22 Apr at 10:00 AM

Lemontaps supports enterprise-grade identity integrations to make managing users simple, secure, and scalable. This article gives you an overview of this topic and explains how SSO (Single Sign-On) and User Provisioning (using SCIM) fit into your identity and access management (IAM) strategy when using Lemontaps.




What’s the difference between IAM, SSO and SCIM – User Provisioning?


1. IAM 

This is your internal system for managing identities and access.

  • Your IAM controls who your employees are and what they can access.

  • You use IAM platforms like Okta, Entra ID (formerly Azure AD), etc.
    They are commonly referred to as the identity provider (IdP).

  • To integrate SSO and User Provisioning, you need to extend access from your IAM system to Lemontaps. 


2. SSO
  • With SSO your employees can log in to Lemontaps using their existing company credentials.

  • Lemontaps supports the SSO protocols SAML 2.0 and OIDC, and can natively connect to IAM providers like Entra ID, Okta, Google Workspace, and more.

  • SSO enhances user convenience and security by reducing the number of passwords a user has to manage and minimizing the risk of password-related breaches.

3. SCIM / User Provisioning

SCIM enables automatic synchronization of user data from your identity provider (IdP) to Lemontaps. This ensures your team's digital business cards are always up-to-date with:

  • Job titles

  • Contact info

  • Department

  • Status (active/inactive) etc. 

SCIM also automates the creation and deactivation of user profiles, reducing manual work for IT teams.
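As an added illustration (not Lemontaps or IdP code), the sketch below shows what such a synchronization looks like at the SCIM 2.0 protocol level (RFC 7643/7644): a directory record is mapped to a SCIM User, and a change such as a deactivation is sent as a PatchOp. The record field names and sample values are constructed, and which attributes Lemontaps actually maps is an assumption based on the list above.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def to_scim_user(rec):
    """Map a directory record (hypothetical field names) to a SCIM 2.0 User."""
    phone = rec.get("phone")
    return {
        "schemas": [CORE, ENTERPRISE],
        "userName": rec["email"],
        "title": rec.get("job_title"),
        "emails": [{"value": rec["email"], "type": "work", "primary": True}],
        "phoneNumbers": [{"value": phone, "type": "work"}] if phone else [],
        ENTERPRISE: {"department": rec.get("department")},
        "active": rec.get("active", True),
    }


def build_patch(current, desired):
    """Return the PatchOp body that brings `current` in line with `desired`,
    or None when nothing changed (no request needs to be sent)."""
    pairs = [
        ("title", current.get("title"), desired.get("title")),
        ("active", current.get("active"), desired.get("active")),
        (f"{ENTERPRISE}:department",
         current.get(ENTERPRISE, {}).get("department"),
         desired.get(ENTERPRISE, {}).get("department")),
    ]
    ops = []
    for path, old, new in pairs:
        if old == new:
            continue
        # A value that disappeared upstream is removed, not set to null.
        ops.append({"op": "remove", "path": path} if new is None
                   else {"op": "replace", "path": path, "value": new})
    return {"schemas": [PATCH_OP], "Operations": ops} if ops else None


# Constructed sample records, not real user data.
JANE = {"email": "jane.doe@example.com", "job_title": "Account Manager",
        "department": "Sales", "phone": "+49 30 0000000"}
stored = to_scim_user(JANE)
offboarded = to_scim_user({**JANE, "active": False})

if __name__ == "__main__":
    # Body an IdP would send as PATCH /Users/{id} when Jane leaves the company.
    print(json.dumps(build_patch(stored, offboarded), indent=2))
```

The deactivation case is the one to verify after setup: an account disabled in the IdP should arrive as `active: false` and no longer be usable.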




How to set up SSO and SCIM - User Provisioning?

We recommend setting up SSO before SCIM, as SSO directly affects users in their login process, while provisioning runs without users noticing it.



1) Prerequisite: Email Domain Verification

You have to go through email domain verification first. To do this, please read our help article here.



2) Choose your Identity Provider in Lemontaps. 

Navigate to Teams-Settings -> Integrations -> Identity Provider and choose your Identity Provider.

Read our IdP configuration guide here: IdP Configuration guide



3) Set up Single Sign-On (SSO)

Read our help article on how to set up Single Sign-On: Set up Guide SSO


and/or


4) Set up SCIM - User Provisioning

You can also read our help article for your SCIM setup: Set up Guide - User Provisioning (SCIM)



 

FAQ


Does my IT department need to be involved for the setup?

Yes, the IT department typically needs to be involved in setting up IAM solutions like SSO and SCIM. They ensure that the integration with identity providers is configured correctly and that security protocols are adhered to.


How secure is SSO compared to traditional login methods?

SSO is generally more secure than traditional login methods because it reduces the number of passwords that need to be managed and remembered, decreasing the risk of password-related security breaches.


Should I start with setting up SSO or provisioning?

In general, the order is irrelevant. However, we recommend starting with SSO, as SSO directly affects users in their login process, while provisioning runs without users noticing it.


Can I deactivate SSO again?

SSO can only be deactivated as long as no one has logged in via SSO. Once a user has an SSO identity, it cannot easily be migrated back. In this case, contact support@lemontaps.com with your request.


Can I deactivate automatic provisioning (SCIM) again?

SCIM can be deactivated without any issues. However, we recommend stopping the provisioning in the IdP settings instead of deleting the configuration in Lemontaps. This way, provisioning can be easily restarted without requiring new configurations.





