We know how important it is for some companies to automate user management and ensure secure, scalable access control.
Now, with SCIM (System for Cross-domain Identity Management) support, you can automatically manage users in Tomorro directly from your Identity Provider.
This allows you to use your Identity Provider to automatically manage access, roles, and groups within Tomorro. Specifically, you can:
Provision a user (grant access)
Deprovision a user (remove access)
Assign and update a user’s role (Admin, Manager, Contributor)
Create and delete Tomorro groups
Assign users to specific Tomorro groups
Connect on Tomorro
In order to set up the integration, please go to the integration setup page on Tomorro and open the section User Provisioning to start the setup. Only admins have access to this section.
Two options are available here:
Default Substitute
A default substitute user can be configured by the organization directly within Tomorro. This substitute will be automatically assigned whenever a user is removed via SCIM.
This substitution logic is specific to Tomorro and is not part of the SCIM standard, meaning Identity Providers cannot send the necessary information for this process. The default substitute is therefore our solution to ensure continuity and data ownership when users are deprovisioned through SCIM.
Restrict group assignment to your identity provider only
You can choose to restrict group assignment in Tomorro to your Identity Provider only. When this setting is enabled, groups and user-group memberships can no longer be edited manually in Tomorro — they are fully managed via SCIM.
This ensures consistency between your Identity Provider and Tomorro, avoids manual errors, and reinforces centralized access management. It’s especially useful for organizations looking to enforce strict governance and automation over user roles and group structures.
Setup on your identity provider OKTA
STEP 1 - Create a custom app on OKTA
If you're already using a Tomorro application for SAML login you can skip ahead to step 2.
Connect to your “OKTA account > Settings > Application”
Click on “create App Integration”
Select "SAML 2.0", then click "Next"
Enter the name of the application, for example "Tomorro", then add a logo
You now need to configure SAML, as explained in this article. Make sure to enter the settings exactly as shown in the screenshots below, then click "Next" in the bottom-right corner
Choose the first option, then click on “finish” on the bottom right
STEP 2 - Configure SCIM settings for the app
On the application page, open the "General" settings section, then enable editing
Enable SCIM provisioning, then save
Go to the "Provisioning" settings, then enable editing
Fill in the initial parameters as shown in the screenshot below, then open the Tomorro SCIM integration module in another tab
Copy the information from Tomorro’s SCIM module into the SCIM connector base URL and Authorization fields as shown below, then test the connection
Here’s what you should see appear. Then close this window and save
STEP 3 - Configure SCIM provisioning for your application
You should now be on the "Provisioning" page of your Tomorro application
Enable editing, select the first three options — "Create users", "Update user attributes", and "Deactivate users" — then save
At the bottom of this page, you’ll find the attribute mappings. Delete all unnecessary attributes, keeping only "Username", "Given name", "Family name", and "User Type", by clicking the cross on the far right of each row
STEP 4 - Select the Okta groups to be created in Tomorro
You can automatically recreate groups from Okta in your Tomorro application. To do this, go to the "Push Groups" section within the application
Select "Push groups", then "Find groups by name", search for the group you want to push from Okta to Tomorro, and save.
You’ll now see this group appear in Tomorro with the same name
STEP 5 - Provision users
Via groups
To grant access to the application directly from Okta groups, you need to assign the application to those groups. To do this, go to the "Groups" section under "Directory" in the left-hand navigation.
Click on one of your Okta groups, then go to the "Applications" tab
Assign the Tomorro application to the group
That’s it! All members added to this group will be provisioned directly in Tomorro. If the group itself is pushed to Tomorro, its members will also be added to the corresponding group, allowing you to grant access to the right folders, templates, and projects without any extra effort.
Individually
You can also assign the Tomorro application to users individually. To do this, go to the "People" section under "Directory" in the left-hand navigation
In the "Applications" tab, select "Assign Application", and perform the same steps as for groups. The user will then be automatically provisioned in Tomorro
STEP 6 - Choose your users' Tomorro role from Okta
You can also define the Tomorro role (Admin, Manager, Contributor) for your users directly from Okta. This can be done either at the group level or individually. By default, members will be created with the Contributor role.
Here are the values to enter in the User Type field and their corresponding Tomorro roles:
Okta attribute | Tomorro role | Tomorro role |
admin | Admin | Admin |
manager | Manager | Creator - Manager |
user | Contributor | Creator - Contributor |
viewer | Viewer |
The Viewer-Signatory role cannot be provisioned via SCIM.
Only the following roles can be provisioned: Administrator, Manager, Contributor and Viewer.
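The attribute mapping from step 3 and the User Type values above can be checked against a SCIM 2.0 User resource before relying on them. The following is an added example, not code from Tomorro or Okta. It assumes the User Type values match exactly as written in the table, that the listed envelope fields may accompany the mapped attributes, and that an unlisted value should be flagged rather than mapped to a role.

```python
# Added example: reviews a SCIM 2.0 User resource before it reaches Tomorro.
# ROLE_BY_USER_TYPE comes from the table above; everything else is an assumption.
ROLE_BY_USER_TYPE = {"admin": "Admin", "manager": "Manager",
                     "user": "Contributor", "viewer": "Viewer"}
DEFAULT_ROLE = "Contributor"            # page: role used when no User Type is set
MAPPED = {"userName", "name", "userType"}   # attributes kept in step 3
ENVELOPE = {"schemas", "id", "externalId", "active", "meta"}  # assumed envelope fields
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def review_scim_user(resource):
    """Return (resolved_role, findings) for one SCIM User resource (a dict)."""
    findings = []
    if USER_SCHEMA not in resource.get("schemas", []):
        findings.append("missing core User schema URN")
    extra = sorted(set(resource) - MAPPED - ENVELOPE)
    if extra:  # attributes that should have been removed from the mapping
        findings.append("unmapped attributes sent: " + ", ".join(extra))
    name = resource.get("name") or {}
    for required in ("givenName", "familyName"):
        if not name.get(required):
            findings.append("name." + required + " is empty")
    if not resource.get("userName"):
        findings.append("userName is empty")
    user_type = resource.get("userType")
    if user_type in (None, ""):
        role = DEFAULT_ROLE
    elif user_type in ROLE_BY_USER_TYPE:
        role = ROLE_BY_USER_TYPE[user_type]
    else:
        role = None  # value not in the table: do not guess a role
        findings.append("userType %r is not a provisionable value" % user_type)
    if role == "Admin":
        findings.append("grants Admin: confirm this assignment is intended")
    return role, findings


# Constructed sample payloads (not captured from a real tenant).
SAMPLES = [
    {"schemas": [USER_SCHEMA], "userName": "a.martin@example.com",
     "name": {"givenName": "Alice", "familyName": "Martin"}, "userType": "admin"},
    {"schemas": [USER_SCHEMA], "userName": "b.durand@example.com",
     "name": {"givenName": "Bruno", "familyName": "Durand"},
     "phoneNumbers": [{"value": "+33 1 00 00 00 00"}]},
    {"schemas": [USER_SCHEMA], "userName": "c.petit@example.com",
     "name": {"givenName": "Chloe", "familyName": ""}, "userType": "Viewer-Signatory"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["userName"], *review_scim_user(sample), sep=" | ")
```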
Via groups
When assigning an application to a group, an attribute window appears allowing you to assign values automatically. You can fill in the User Type value in this window so that all users in that group are automatically assigned the correct role in Tomorro
Individually
The SAML protocol is now activated for Tomorro!
Additional Information & Our Recommendations
Groups created in Tomorro cannot be synced back to Okta. We recommend recreating these groups directly in Okta, then provisioning them to Tomorro via SCIM to assign access to the various folders and templates. Although this requires an initial time investment, it will save you valuable time in the long run by automating more granular access control in Tomorro directly from Okta.
It can be clearer and more efficient to separate “access” groups and “permission” groups. For example, you might have different groups for your departments or geographic regions granting access to specific templates or parts of your contract library, and then have an “Admins” group and a “Managers” group that manage the userType attribute.


