Enable Provisioning

Overview

The QueryPie Provisioning feature, based on the SCIM 2.0 protocol, supports user identity synchronization to enhance existing Single Sign-On (SSO) capabilities, providing a more secure environment for unified user authentication and management. By supporting user lifecycle management, administrators can conveniently manage new hires and departures within the organization from a single source of truth.

Prerequisites

• The following QueryPie admin roles can activate this feature:

  • Owner

  • System Admin

Enabling QueryPie Provisioning

1. Navigate to the Administrator > General > User Management > Provisioning menu in the QueryPie app.

2. Click the Enable button next to Provisioning to activate the SCIM feature.

3. Save the address provided as the SCIM Endpoint for future use as the Base URL.

4. To issue an Access Token, click the Generate Token button on the right.

5. When the popup appears, copy the Access Token to input into the IdP’s token information later.

   

   1. Since the token value cannot be retrieved again, it is recommended to proceed directly to the Identity Provider, which will be the source of truth, without closing the popup.

      • Refer to [Okta] Provisioning Integration Steps.

   2. If you lose the token value, delete the existing token and issue a new one by repeating step 4.

6. Click the Confirm button to close the window.

SCIM Token Information

1. Access Tokens can be generated via the Generate Token button, with a maximum of 2 tokens at a time.

2. The token value is exposed only once at the time of creation and is not shown afterward.

3. The token is intended exclusively for SCIM API use and cannot be used for other endpoints beyond /api/scim/v2.

4. Newly generated tokens are valid for one year from the issuance date (yyyy-MM-dd).

   1. Once expired, tokens are marked as Expired and cannot be used with the SCIM API.

   2. Administrators must issue a new token and update the IdP with this new token before the expiration date.

5. Tokens can be deleted by selecting the token and clicking the DELETE button.

6. If an administrator deactivates and then reactivates Provisioning after issuing tokens, all existing tokens are deleted upon deactivation, and a new valid token must be generated.