Developers

Search

How to manage users with SCIM

Learn how to connect Framer and Okta using SCIM to automate user provisioning across your Organization.

SCIM allows your identity provider (IdP) to manage user access to your Framer Organization automatically. Once configured, your IdP becomes the authoritative source for adding, updating, and removing users in Framer. This guide walks through the setup process in a clear sequence, showing how each step contributes to a fully connected system.

SCIM support is currently in pilot for selected organizations. If you'd like to participate, contact your Framer account manager.

Step 1: Generate the SCIM token

To connect your identity provider to Framer, you’ll first create a SCIM token. This lets Okta securely communicate with your Framer Organization. A Workspace Admin must complete this step.

  1. Open Organization settings.

  2. Navigate to the SCIM tab.

  3. Generate a SCIM token and copy it. You will use this token in Okta to establish the connection.

Step 2: Configure SCIM provisioning in Okta

With your token ready, you can switch over to Okta. Here, you’ll tell Okta how to reach Framer and what actions it’s allowed to perform. After this, Okta will be able to create, update, and deactivate users automatically.

  1. Open your Framer application integration in Okta.

  2. In General, set Provisioning to SCIM and save the changes.

  3. Go to Provisioning → Integration, and enter the following:

    • SCIM connector base URL: https://api.framer.com/auth/scim/v2

    • Unique identifier field: email

    • Enable Import New Users and Profile Updates, Push New Users and Push Profile Updates.

    • Set Authentication Mode to HTTP Header.

    • Paste the SCIM token from Framer into the Authorization header.

  4. Save your changes.

Step 3: Enable provisioning actions in Okta

With connectivity established, Okta needs explicit permission to carry out provisioning tasks in Framer.

  1. Open ProvisioningTo App.

  2. Select Edit and enable Create Users, Update User Attributes and Deactivate Users.

  3. Save the configuration.

Step 4: Add the Organization role attribute

This step defines how Okta may assign Organization-wide roles to users in Framer during provisioning.

  1. Scroll to Attribute Mappings in the Framer integration and choose Go to Profile Editor.

  2. Select Add Attribute and enter the following:

    • Data type: string

    • Display name: Framer Organization role

    • Variable name and External name: organizationRole

    • External namespace: urn:ietf:params:scim:schemas:extension:framer:2.0:User

    • Description: Role to assume in all Workspaces in the Framer Organization

  3. Under Enum, enable Define enumerated list of values and add:

    • Admin: admin

    • Editor: editor

    • Viewer: viewer

  4. Leave Attribute required unchecked.

  5. Save the attribute.

Organization role

The organizationRole attribute determines the user’s role across all Workspaces in your Framer Organization at the time of provisioning. You can update this attribute later to adjust a user’s Organization-wide access. Workspace-level and project-level permissions can still be refined directly in Framer.

Provisioning behavior

When a user is assigned the Framer application in your IdP:

  • Framer checks the user’s primary email.

  • If a matching Framer account exists, the system links it.

  • If no match is found, Framer creates a new user.

By default, Framer adds newly provisioned users to the oldest Workspace in the Organization, applying that Workspace’s default role.

If organizationRole is provided, Framer adds the user to all Workspaces with that role.

Workspace membership and role adjustments may still be made manually in Framer after provisioning.

Deprovisioning behavior

When a user is deprovisioned through your IdP, Framer removes them from all Workspaces and Projects within your Organization. Their Framer account remains active, retaining access to any Workspaces outside of your Organization. If you’d like to request account deletion, please contact our support team through our contact page.

Framer prevents removal of the last Organization Admin.

  • If a Workspace would lose its only Admin, Framer assigns an Admin from another Workspace.

  • If the final Admin is targeted for deprovisioning, the operation will fail.

Updates to name and email

The current SCIM integration controls access only. Changes to names or emails in your IdP do not sync to Framer at this time.

SCIM allows your identity provider (IdP) to manage user access to your Framer Organization automatically. Once configured, your IdP becomes the authoritative source for adding, updating, and removing users in Framer. This guide walks through the setup process in a clear sequence, showing how each step contributes to a fully connected system.

SCIM support is currently in pilot for selected organizations. If you'd like to participate, contact your Framer account manager.

Step 1: Generate the SCIM token

To connect your identity provider to Framer, you’ll first create a SCIM token. This lets Okta securely communicate with your Framer Organization. A Workspace Admin must complete this step.

  1. Open Organization settings.

  2. Navigate to the SCIM tab.

  3. Generate a SCIM token and copy it. You will use this token in Okta to establish the connection.

Step 2: Configure SCIM provisioning in Okta

With your token ready, you can switch over to Okta. Here, you’ll tell Okta how to reach Framer and what actions it’s allowed to perform. After this, Okta will be able to create, update, and deactivate users automatically.

  1. Open your Framer application integration in Okta.

  2. In General, set Provisioning to SCIM and save the changes.

  3. Go to Provisioning → Integration, and enter the following:

    • SCIM connector base URL: https://api.framer.com/auth/scim/v2

    • Unique identifier field: email

    • Enable Import New Users and Profile Updates, Push New Users and Push Profile Updates.

    • Set Authentication Mode to HTTP Header.

    • Paste the SCIM token from Framer into the Authorization header.

  4. Save your changes.

Step 3: Enable provisioning actions in Okta

With connectivity established, Okta needs explicit permission to carry out provisioning tasks in Framer.

  1. Open ProvisioningTo App.

  2. Select Edit and enable Create Users, Update User Attributes and Deactivate Users.

  3. Save the configuration.

Step 4: Add the Organization role attribute

This step defines how Okta may assign Organization-wide roles to users in Framer during provisioning.

  1. Scroll to Attribute Mappings in the Framer integration and choose Go to Profile Editor.

  2. Select Add Attribute and enter the following:

    • Data type: string

    • Display name: Framer Organization role

    • Variable name and External name: organizationRole

    • External namespace: urn:ietf:params:scim:schemas:extension:framer:2.0:User

    • Description: Role to assume in all Workspaces in the Framer Organization

  3. Under Enum, enable Define enumerated list of values and add:

    • Admin: admin

    • Editor: editor

    • Viewer: viewer

  4. Leave Attribute required unchecked.

  5. Save the attribute.

Organization role

The organizationRole attribute determines the user’s role across all Workspaces in your Framer Organization at the time of provisioning. You can update this attribute later to adjust a user’s Organization-wide access. Workspace-level and project-level permissions can still be refined directly in Framer.

Provisioning behavior

When a user is assigned the Framer application in your IdP:

  • Framer checks the user’s primary email.

  • If a matching Framer account exists, the system links it.

  • If no match is found, Framer creates a new user.

By default, Framer adds newly provisioned users to the oldest Workspace in the Organization, applying that Workspace’s default role.

If organizationRole is provided, Framer adds the user to all Workspaces with that role.

Workspace membership and role adjustments may still be made manually in Framer after provisioning.

Deprovisioning behavior

When a user is deprovisioned through your IdP, Framer removes them from all Workspaces and Projects within your Organization. Their Framer account remains active, retaining access to any Workspaces outside of your Organization. If you’d like to request account deletion, please contact our support team through our contact page.

Framer prevents removal of the last Organization Admin.

  • If a Workspace would lose its only Admin, Framer assigns an Admin from another Workspace.

  • If the final Admin is targeted for deprovisioning, the operation will fail.

Updates to name and email

The current SCIM integration controls access only. Changes to names or emails in your IdP do not sync to Framer at this time.

Updated

Related articles

How to proxy with Cloudflare

How to run custom section experiments

Organizations, Workspaces, and Folders

Proxying with NGINX

Set up a custom canonical URL