Feature: Users and groups provisioned via SCIM can be automatically assigned to the intended Organization
Description: We are using Auth0 Organizations with enterprise connections, and we have a gap that affects SCIM-based onboarding. SCIM is meant to provision users and groups ahead of first login, so downstream systems can work with a complete identity dataset immediately. Today, SCIM can create users in the tenant, but those users are not organization members unless they later log in (or are assigned through separate API flows). This breaks the expected “pre-provisioned and ready” model.
Please add native support so that users provisioned via SCIM can be automatically assigned to the intended Organization, either:
- As a default platform behavior, or
- As a tenant/connection/organization-level configuration toggle (recommended).
Suggested behavior:
On SCIM user creation, assign the user to the mapped Organization automatically.
Keep this optional/configurable for backward compatibility.
Ensure this works without requiring first login or custom post-processing pipelines.
Business impact:
This would significantly reduce implementation complexity, remove brittle custom automation, and better align Auth0 Organizations with enterprise SCIM provisioning expectations.
Use-case:
- SCIM’s core value is pre-creation of users and groups before first login.
- Customers provision users/groups on their own timeline, and we do not control when (or if) users first authenticate.
- Post User Registration Actions are not a viable fix for SCIM users, since that trigger is for Database/Passwordless sign-ups and does not run for SCIM-provisioned users.
- We are forced into complex workarounds (event stream + custom handler + Management API assignment) just to achieve deterministic organization membership.