Provisioning

Article Number: 020260

Provisioning is a feature for managing Kintone user information from an Identity Provider (IdP) such as Microsoft Entra ID or Okta.
With provisioning enabled, user information in the IdP is automatically propagated to Kintone.

Items Propagated from IdP

When provisioning is enabled, the following items are propagated from the IdP.

  • Login Name
  • Display Name
  • Surname
  • Given Name
  • E-mail Address
  • Available Services

Departments, Job Titles, and Groups (or Roles) will not be propagated.

Enabling Provisioning

  1. Click the gear-shaped menu button in the header.

  2. Click Users & System Administration.

  3. Click Provisioning.

  4. Click Create API Token.

  5. Select the validity period.

  6. Enter notes for this API token.

  7. Click Create.

  8. An API token is created.
    The created API token and the SCIM endpoint are displayed in the "Create API Token" dialog.

  9. Register the API token and the SCIM Endpoint of Kintone with the IdP.
    Click the button to copy the API token.

  10. Close the dialog.

  11. Enable "Propagate Provisioning".

Disabling Provisioning

If "Propagate Provisioning" is disabled, user information in the IdP will no longer be propagated to Kintone.

Reissuing an API token

  1. Click Create API Token.

  2. Select the validity period.

  3. Enter notes for this API token.

  4. Click Create.

  5. An API token is created.
    The created API token and the SCIM endpoint are displayed in the "Create API Token" dialog.

  6. Register the API token of Kintone with the IdP.
    Click the button to copy the API token.

  7. Close the dialog.

  8. Disable the old API token.

  9. Click Delete for the old API token.

Limitations

  • If "Propagate Provisioning" is enabled, users cannot change their login names.
  • You cannot synchronize "User available services" from Microsoft Entra ID.
  • If you perform any of the following actions while "Propagate Provisioning" is enabled, you might encounter errors when propagating user information from the IdP.
    • Delete users propagated from the IdP in Kintone.
    • Add users to Kintone first, then add users with the same user names (same login names) to the IdP.
    • Change user names (login names) in Okta.

Setting Guide

For details on how to propagate IdP users to Kintone, refer to the following pages.

Okta

Synchronize User Data with Okta's User Provisioning Feature

Microsoft Entra ID

User Provisioning and Synchronization with Entra ID