Skip to main content
SCIM (System for Cross-domain Identity Management) automatically creates, updates, and deprovisions users in Retrac based on your Google Workspace directory — reducing manual invite management for large teams. SCIM is available on Enterprise plans alongside SAML SSO.
Configure Google Workspace SAML first so provisioned users can sign in. SCIM manages workspace membership; SAML handles authentication.

Prerequisites

  • Google Workspace admin access
  • Retrac workspace owner role
  • Enterprise plan with SCIM enabled
  • SAML SSO configured (recommended)

Set up Google Workspace SCIM

1

Open Retrac SCIM settings

In Retrac, go to Settings → Security and open SCIM configuration. Generate or copy your:
  • SCIM endpoint URL
  • Bearer token (shown once — store in a secrets manager)
2

Enable provisioning in Google

In the Google Admin console, open your Retrac SAML app (or create a provisioning integration if your Google edition supports automated user provisioning for custom apps).Enable Automatic provisioning and enter the Retrac SCIM endpoint URL and bearer token when prompted.
3

Map attributes

Map Google directory attributes to Retrac SCIM fields:
Google attributeSCIM field
Primary emailuserName / emails
First namename.givenName
Last namename.familyName
Active statusactive
Ensure the email sent by Google matches how users are identified in Retrac.
4

Assign users or groups

Assign the Retrac app to Google users or groups who should be provisioned. Google pushes create, update, and deactivate events to Retrac via SCIM.
5

Verify provisioning

  1. Assign a test user in Google.
  2. Confirm they appear under Settings → Members in Retrac.
  3. Deactivate the test user in Google and confirm they lose workspace access.
Pair SCIM with location access — provision users into Retrac, then let owners assign location permissions in Settings → Members.

Rotate credentials

If your bearer token may have been exposed, regenerate it in Settings → Security and update Google with the new token before revoking the old one.

Remove SCIM

Disconnect SCIM from the Security page when decommissioning automated provisioning. Review active members afterward. See Security documentation.