How to integrate a generic identity provider with user provisioning


If your organization uses an identity provider that supports provisioning via the SCIM protocol and you want to manage employee access to tools and services, you can use that feature to automatically provide your users with access to DocuWare.

This guide will walk you through the steps to configure DocuWare and give you directions to set up provisioning for your organization.

DocuWare supports the following user provisioning features:

  • Automatic user creation: Users provisioned to DocuWare are automatically created.

  • Attribute synchronization: Updates to user attributes (such as userName, email, and active status) in the identity provider are reflected in DocuWare.

  • User deactivation: When users are deactivated in the identity provider, they are marked as disabled in DocuWare and can no longer log in.

  • Automatic group creation: Groups provisioned to DocuWare are automatically created, and users are assigned if they exist in DocuWare.

  • Group synchronization: Changes to provisioned groups in the identity provider are synchronized with DocuWare.

Configuring DocuWare

  1. Go to DocuWare Configuration and choose General > User Provisioning.

  2. In the User Provisioning plugin, activate the option Enable User Provisioning.

  3. In the dropdown Identity Provider, select Generic Identity Provider.

  4. In the dropdown Application Registration, select a previously created app registration or click the Create Application Registration button.

  5. Write the Application Name.

  6. From the just created app registration, copy the values of:

    • Application (Client) ID

    • Client secret

  7. Click the Done button.

  8. Add an identifier for your generic identity provider.

  9. In order to access DocuWare’s provisioning API, copy:

    1. Tenant URL

    2. Token Endpoint

  10. Click the Save button.

Configuring your Generic Identity Provider

To configure your generic identity provider for SCIM provisioning with DocuWare, ensure that user and group provisioning are set up carefully with the correct attribute mappings in accordance with the SCIM standard. Proper configuration and minimal mapping are essential to ensure reliable synchronization and to prevent provisioning errors.

In order to avoid configuration issues, we also recommend reviewing the detailed documentation on how DocuWare’s user and group provisioning operates: How to: User Provisioning v3 Service - API Integration Guide.

Information: Using a Generic Identity Provider

Unlike configuring predefined identity providers in DocuWare, selecting the Generic Identity Provider option gives you full control over attribute mappings.

This means that the value mapped to the userName attribute is used exactly as provided by your identity provider, without automatic modification or normalization. For example, if you map an email address to the userName field, the full email (e.g., user@example.com) will be preserved and will not be shortened or trimmed to just the prefix (e.g., user).

This flexibility allows organizations to align provisioning behavior with their internal identity standards and avoid unintended transformations that may occur with predefined provider configurations.

Aligning user mapping between provisioning and SSO

When using both User Provisioning and SSO (Single Sign-on) with DocuWare, it is essential to ensure consistency between SCIM provisioning and SSO authentication.

To allow both User Provisioning and SSO to work seamlessly together, map the same value to both the userName and email attributes in your identity provider.

This is important because:

  • During SCIM provisioning, users are created and identified in DocuWare based on the mapped attributes (such as userName and email).

  • During SSO login, DocuWare matches incoming user claims (typically from the SAML or OIDC token) against existing users.

  • If the values differ between provisioning and SSO, DocuWare may not correctly match the authenticated user to the provisioned account, and the login attempt might not work.

Here is the recommended approach for mapping the userName and email attributes:

  • Map userName → name or email value (e.g., username or username@example.com)

  • Map email → email value (e.g., email@example.com) (could be same as userName)

  • Ensure the SSO claim for username and email also sends the same values

By keeping these values identical across provisioning and authentication:

  • Users created via SCIM will match the identities received during SSO login

  • Duplicate users and login issues are avoided

  • User lifecycle management remains consistent and predictable

This approach ensures that both provisioning and authentication mechanisms in DocuWare rely on the same unique identifier, enabling reliable user mapping across systems.
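The alignment described above can be checked before rollout by comparing the SCIM User payload your identity provider sends with the claims it issues at SSO login. The following is an added example, not DocuWare code: the claim names username and email and all sample data are constructed assumptions, and the comparison is strict because the generic provider option uses mapped values exactly as provided.

```python
# Added example: strict consistency check between a SCIM User payload and SSO claims.
# Claim names ("username", "email") and the sample data are constructed assumptions.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def primary_email(scim_user):
    """Return the primary email of a SCIM User resource, else the first one listed."""
    emails = scim_user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value") if emails else None

def classify(provisioned, claimed):
    """Describe how a provisioned value differs from the value SSO presents."""
    if provisioned == claimed:
        return "match"
    if provisioned is None or claimed is None:
        return "missing"
    if provisioned.lower() == claimed.lower():
        return "case-only difference"
    short, full = sorted((provisioned, claimed), key=len)
    if "@" not in short and full.split("@")[0] == short:
        return "prefix vs full address"
    return "different value"

def check_alignment(scim_user, sso_claims):
    """Return only the attributes whose provisioned and SSO values are not identical."""
    findings = {
        "userName": classify(scim_user.get("userName"), sso_claims.get("username")),
        "email": classify(primary_email(scim_user), sso_claims.get("email")),
    }
    return {attr: result for attr, result in findings.items() if result != "match"}

# Constructed sample: the full address is provisioned, but SSO sends only the prefix.
SCIM_SAMPLE = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "j.doe@example.com",
    "emails": [{"value": "j.doe@example.com", "primary": True}],
    "active": True,
}
SSO_MISALIGNED = {"username": "j.doe", "email": "J.Doe@example.com"}
SSO_ALIGNED = {"username": "j.doe@example.com", "email": "j.doe@example.com"}

if __name__ == "__main__":
    print(check_alignment(SCIM_SAMPLE, SSO_MISALIGNED))
    print(check_alignment(SCIM_SAMPLE, SSO_ALIGNED))
```

An empty result means both attributes are identical on the provisioning and SSO sides; any other result names the attribute to fix in the identity provider's mapping.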

Supported versions: DocuWare Cloud