We know how important it is for some companies to automate user management and ensure secure, scalable access control.
Now, with SCIM (System for Cross-domain Identity Management) support, you can automatically manage users in Tomorro directly from your Identity Provider.
This allows you to use your Identity Provider to automatically manage access, roles, and groups within Tomorro. Specifically, you can:
Provision a user (grant access)
Deprovision a user (remove access)
Assign and update a user’s role (Admin, Manager, Contributor)
Create and delete Tomorro groups
Assign users to specific Tomorro groups
Connect on Tomorro
In order to set up the integration, please go to the integration setup page on Tomorro and open the section User Provisioning to start the setup. Only admins have access to this section.
Two options are available here:
Default Substitute
A default substitute user can be configured by the organization directly within Tomorro. This substitute will be automatically assigned whenever a user is removed via SCIM.
This substitution logic is specific to Tomorro and is not part of the SCIM standard, meaning Identity Providers cannot send the necessary information for this process. The default substitute is therefore our solution to ensure continuity and data ownership when users are deprovisioned through SCIM.
Restrict group assignment to your identity provider only
You can choose to restrict group assignment in Tomorro to your Identity Provider only. When this setting is enabled, groups and user-group memberships can no longer be edited manually in Tomorro — they are fully managed via SCIM.
This ensures consistency between your Identity Provider and Tomorro, avoids manual errors, and reinforces centralized access management. It’s especially useful for organizations looking to enforce strict governance and automation over user roles and group structures.
Setup on your identity provider AZURE
STEP 1 - Create a custom app on AZURE
If you're already using a Tomorro application for SAML login you can skip ahead to step 2.
Go to Enterprise applications > Click on the button “New application”
Then click on the “Create your own application” button.
You can choose the name of your app, “Tomorro” for instance
And select the option “Integrate any other application you don’t find in the gallery”.
STEP 2 - Configure SCIM settings for the app
Go to “provisioning” on the left bar
Fill in the information from the SCIM module in Tomorro by copying and pasting the details into the Azure integration setup, then test the connection.
Once tested, save the changes
A "Mappings" section should then appear below the test button, allowing us to continue with the configuration.
STEP 3 - Mapping
In this step, we’ll update the existing mappings, create a new mapping to automatically assign Tomorro roles from Azure, and finally remove any unnecessary fields.
Step 3.1 - Adjust existing attribute mappings
UserName:
Open the attribute with “userName” as customappsso by clicking on the line
Make sure the information is filled in as shown below, especially that the source attribute is set to "mail"
Then confirm by clicking the "OK" button in the lower-left corner.
ExternalId (same as userName):
Step 3.2 - Assign Tomorro roles via the userType attribute
To assign a Tomorro role (Admin, Manager, Contributor) directly from Azure, you’ll need to add a new mapping.
Fill in all the information as shown below, making sure the target attribute is set to userType.
As for the source attribute, it can be any attribute you use in Azure. In this example, we’ve used jobTitle, but you could also create a custom attribute such as tomorroRole.
You can then populate this attribute value from Azure to define the role to assign in Tomorro, either directly from the user profile or via an Azure group assignment. Below is an example of how to set the attribute from a user profile for an Admin role.
The value mappings to enter in the attribute for the different Tomorro roles are as follows:
Azure attribute | Tomorro role | Tomorro role |
admin | Admin | Admin |
manager | Manager | Creator - Manager |
user | Contributor | Creator - Contributor |
viewer | Viewer |
Step 3.3 - Remove unnecessary attribute mappings
Finally, delete all unnecessary attributes using the "Delete" button at the far right of the row, keeping only the 6 attributes where customAppsso is:
userName
active
name.givenName
name.familyName
externalId
userType
Then save your changes using the button at the top left.
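A preflight check for the mappings in step 3, as an added example that is not Tomorro's or Microsoft's code: it builds the SCIM User described by the six kept attributes and flags source values that fall outside the role table, which matters when a free-text attribute such as jobTitle drives userType. The input records, the function names and the exact-match comparison are assumptions.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Source values from the table in step 3.2 and the role each one selects.
ROLE_VALUES = {"admin": "Admin", "manager": "Manager",
               "user": "Contributor", "viewer": "Viewer"}


def to_scim_user(azure_user, role_source="jobTitle"):
    """Build the SCIM User from step 3.3 (input keys assumed to be Graph property names)."""
    mail = azure_user.get("mail") or ""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": mail,          # step 3.1: source attribute "mail"
        "externalId": mail,        # step 3.1: same as userName
        "active": bool(azure_user.get("accountEnabled", False)),
        "name": {"givenName": azure_user.get("givenName", ""),
                 "familyName": azure_user.get("surname", "")},
        "userType": azure_user.get(role_source) or "",
    }


def audit(azure_users, role_source="jobTitle"):
    """Return (admins, findings) for review before assigning users in step 5."""
    admins, findings = [], []
    for user in azure_users:
        scim = to_scim_user(user, role_source)
        who = scim["userName"] or user.get("displayName", "<unknown>")
        if not scim["userName"]:
            findings.append((who, "no mail value, userName would be empty"))
        # Exact, case-sensitive match against the table is an assumption.
        if scim["userType"] not in ROLE_VALUES:
            findings.append((who, f"userType {scim['userType']!r} is not in the role table"))
        elif scim["userType"] == "admin" and scim["active"]:
            admins.append(who)
    return admins, findings


# Constructed sample records, not real directory data.
SAMPLE_USERS = [
    {"displayName": "Alice", "mail": "alice@example.com", "givenName": "Alice",
     "surname": "Martin", "jobTitle": "admin", "accountEnabled": True},
    {"displayName": "Bob", "mail": "bob@example.com", "givenName": "Bob",
     "surname": "Durand", "jobTitle": "Sales Manager", "accountEnabled": True},
    {"displayName": "Carol", "mail": None, "givenName": "Carol",
     "surname": "Petit", "jobTitle": "user", "accountEnabled": True},
]

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```

How Tomorro treats a userType value outside the table is not stated on this page, so the check only reports such values for review.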
STEP 4 - Enable automatic provisioning
Now, go back to the previous section using the breadcrumb. Then refresh the page if needed after a few minutes to see the Tomorro application.
Open the "Provisioning" section, then open the "Provisioning" subsection again.
Enable automatic provisioning, then save.
STEP 5 - Select the groups and users to provision
Open the "Users and Groups" section, then select "Add user/group".
Open the right-hand panel by clicking on "None selected" under "Users and Groups." Then select a test user or group in the right panel. Save at the bottom of the panel.
Confirm the operation by clicking "Assign" in the lower-left corner.
All assigned users and groups will be provisioned in Tomorro. If provisioning is done via a group, the group will be created in Tomorro, and the users will be added to that group.
The SCIM protocol is now activated for Tomorro!
Additional Information & Our Recommendations
Groups created in Tomorro cannot be synchronized back to Azure groups. We recommend recreating these groups in Azure first, then using these newly provisioned groups via SCIM to assign access to the various folders and templates in Tomorro. Although this requires an initial time investment, it will save you valuable time in the long run by automating more granular access control in Tomorro directly from Azure.
It can be clearer and more efficient to separate "access" groups from "permission" groups. For example, you might have different groups based on your departments or geographic regions that grant access to certain templates or parts of your contract library, and then have an "Admins" group and a "Managers" group that control the userType attribute.
Azure supports highly precise and complex mappings. If this is a critical aspect for you, please refer directly to the Microsoft documentation for more details.
