Maze supports SCIM (System for Cross-domain Identity Management) integration with identity providers (IdPs) via WorkOS. SCIM automates team management directly from your IdP, eliminating manual user provisioning while ensuring secure, compliant access control at scale.
Before you start
- SCIM is only available for teams with SSO enabled
- You must be an Owner or Admin to configure SCIM integration
- Ensure your identity provider supports the SCIM 2.0 protocol
Who can use this feature
SCIM support is available on all Enterprise plans with SSO enabled.
How SCIM works with Maze
What roles can be managed
- Admins and Members: SCIM can provision, update, and remove these roles
- Owner protection: Owners are protected from automated changes to prevent account lockouts
What changes are supported
SCIM automatically reflects the following changes from your IdP:
- User added: New users are invited to Maze and can log in via SSO
- User removed: Users are deactivated and removed from your Maze workspace
- Role changed: User permissions are updated (Admin and Member roles only)
Webhooks notify Maze immediately when directory changes occur.
Important: SCIM uses an invite-first approach—users are invited to Maze rather than having accounts automatically created. They must accept the invitation and log in via SSO to complete the process. This also enforces the “Required SSO Log-in” setting and updates team discoverability to “Hidden: invite only”.
How to set up SCIM for your team
- As an Owner or Admin, navigate to your Team settings
- Navigate to the Security section
- If you have SSO enabled, you will see a new section for enabling SCIM
- Click on Enable
- This will redirect you to the WorkOS Directory Sync portal with further instructions
- Once SCIM has been successfully set up, the status will change to Active
- You can manage your SCIM connection by clicking on Manage
Managing User Roles via SCIM
Roles in Maze are managed through the custom user attribute mazeRole.
You can map your IdP user field to the mazeRole attribute in your SCIM configuration under Team Settings.
In the example above, idp_maze_role is a custom user attribute defined in your identity provider’s SCIM application and mapped to the mazeRole attribute in your Maze Team Settings.
Configure this attribute with the following parameters to ensure it’s recognized by Maze during user provisioning:
| Setting | Value |
| --- | --- |
| Data Type | string |
| Namespace | urn:ietf:params:scim:schemas:core:2.0:User |
The allowed roles in this field are as follows:
- Admin
- Editor
If any other value is added, or no value is passed along or mapped, the user will be ignored and not added to your team. This enables collaborators to authenticate through your Identity Provider without being added as a member of your team.
All users are allowed to be managed via SCIM, with the exception of the team owner. Any role change or user removal on the team owner will not be processed. Changing team ownership should still be managed through your team settings.
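A pre-flight check for the role rules above, as an added example (not Maze or WorkOS code): it reads a constructed IdP user export and reports which users would be added with a role, which would be ignored, and which is the protected owner. The export shape, the function names, and exact (case-sensitive) matching of role values are assumptions.

```python
# Added example: audit an IdP user export against the mazeRole rules on this page.
ALLOWED_ROLES = ("Admin", "Editor")  # allowed values listed on this page


def classify(user, owner_email, attr="idp_maze_role"):
    """Return (outcome, detail) for one exported IdP user record (hypothetical shape)."""
    email = user.get("email", "").strip().lower()
    raw = user.get(attr)
    if email == owner_email.strip().lower():
        # Role changes and removals on the team owner are not processed.
        return ("owner", "not managed via SCIM")
    if raw is None or str(raw).strip() == "":
        return ("ignored", "no role value passed or mapped")
    if raw in ALLOWED_ROLES:
        return ("provisioned", raw)
    # Assumption: values must match exactly, so flag case/whitespace near-misses,
    # which would otherwise leave a user silently out of the team.
    near = [r for r in ALLOWED_ROLES if r.lower() == str(raw).strip().lower()]
    if near:
        return ("ignored", f"{raw!r} is not an exact match for {near[0]!r}")
    return ("ignored", f"{raw!r} is not an allowed role")


def audit(users, owner_email, attr="idp_maze_role"):
    """Group every user by predicted outcome so the list can be reviewed before sync."""
    report = {"provisioned": [], "ignored": [], "owner": []}
    for user in users:
        outcome, detail = classify(user, owner_email, attr)
        report[outcome].append((user.get("email"), detail))
    return report


# Constructed sample export; addresses and values are illustrative only.
SAMPLE_USERS = [
    {"email": "owner@example.com", "idp_maze_role": "Editor"},
    {"email": "ana@example.com", "idp_maze_role": "Admin"},
    {"email": "ben@example.com", "idp_maze_role": "Editor"},
    {"email": "cy@example.com", "idp_maze_role": "admin"},
    {"email": "dee@example.com", "idp_maze_role": "Viewer"},
    {"email": "eli@example.com"},
]

if __name__ == "__main__":
    for outcome, rows in audit(SAMPLE_USERS, "owner@example.com").items():
        for email, detail in rows:
            print(f"{outcome:12} {email:20} {detail}")
```

Reviewing the "provisioned" rows with the Admin role before enabling the connection is a quick way to confirm that the IdP mapping grants no more access than intended.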
FAQ
Which identity providers are supported?
You can find a complete list of supported IdPs in the WorkOS documentation.
What happens if I disable SSO?
Maze automatically removes all SCIM settings when SSO is turned off.
What if there's a sync conflict?
Updates are applied one at a time per user, with the newest information always taking priority. As a backup, there’s a nightly sync to ensure Maze always matches your IdP directory, correcting any potential drift.
Can someone use SCIM to access accounts they shouldn't?
No. The invitation-first pattern prevents unauthorized account access—users must accept an invitation before they can log in.
What if SCIM fails to sync a user?
Failed operations can safely retry, and all SCIM actions are logged for troubleshooting. The nightly reconciliation helps catch and correct any missed updates.