New in Holistics: SCIM provisioning and forced SSO are now generally available on the Custom Plan.
If you’ve been managing hundreds of users in Holistics by hand, this is for you. Your Identity Provider (Okta or Microsoft Entra ID / Azure AD) can now be the single source of truth for who has access to Holistics, and how. No more manual invites, stale accounts, or drift between IdP groups and Holistics groups.
What you get:
- Automated user lifecycle. Assign someone to Holistics in your IdP and they get an account with the right role. Remove them and the account deactivates. No manual steps.
- Group sync. Okta or Entra ID groups push to Holistics as synced groups. Membership changes propagate automatically. If a pushed group name matches an existing manual group in Holistics, they auto-link with no rework needed.
- Group-to-role mapping. Map IdP groups to Holistics roles (Viewer, Explorer, Analyst, Admin). When a user belongs to multiple groups with different roles, least-privilege applies.
- Clean coexistence with manual setups. Synced and manual users/groups live side by side. Synced entities are read-only in Holistics. Manual entities stay fully editable. The read-only boundary is at the membership level, so you can still clean up pre-SCIM assignments without getting stuck.
To get started, head to your workspace’s SSO & SCIM settings (Custom Plan), configure your IdP, and set up your group-to-role mapping before syncing users (this prevents existing admins from being downgraded).
More details in the docs: [Upcoming] Auto-provisioning Holistics users with SCIM | Holistics Docs (4.0)
Would love to hear how your team rolls this out - especially the migration from manual to IdP-managed.