Directory sync setup

Set up SCIM 2.0 directory sync to automatically provision, update, and deprovision teammates from your identity provider, with role and seat mapping.

Written By Robi Rohumaa

Last updated 3 days ago

Overview

Directory sync connects Featurebase to your identity provider over SCIM 2.0 (System for Cross-domain Identity Management), so your provider manages who's on your team. When you add, change, or remove a user there, Featurebase applies your access policy automatically – provisioning teammates, assigning roles, setting seats, and deprovisioning them when they leave.

Directory sync doesn't enforce SSO sign-in. That's a separate setting, covered in Enterprise SSO setup.

Note: Directory sync is available on the Enterprise plan and is switched on by our team first.


Supported providers

Directory sync works over SCIM. Supported identity providers include:

  • Okta

  • Microsoft Entra ID (formerly Azure AD)

  • Google Workspace

  • OneLogin

  • JumpCloud

  • PingFederate

  • Rippling

  • CyberArk

  • SailPoint

Don't see yours? You can connect any other SCIM provider with a custom connection. The list of supported providers grows over time, so reach out if you're unsure whether yours is covered.


Before you start

You need:

  • The Enterprise plan, with Directory sync enabled by our team

  • A role with the Manage SSO permission to set up the connection and rules

  • At least one verified company domain

  • Admin access to your identity provider

To unlink or re-link individual teammates later, your role also needs the Manage Team Members permission.

If the page shows that setup needs to be enabled by our team first, contact us from that page.

Verify your domain

Featurebase needs at least one verified company domain before Directory sync can manage synced teammates.

  1. Go to Settings → Access & Security → Single sign-on.

  2. Under Enterprise identity, click Manage domains.

  3. Add your company domain and follow the steps in the Featurebase Enterprise Identity Portal.

Connect directory sync

  1. Go to Settings → Access & Security → Directory sync.

  2. Click Set up directory sync.

  3. Complete the SCIM setup in the Featurebase Enterprise Identity Portal, then return to Featurebase.

  4. Confirm Directory connection shows your connection.

The Featurebase Enterprise Identity Portal gives your IT team the SCIM endpoint and token, plus the steps for your provider.


Set your access policy

Group rules decide which synced teammates get access, and what role and seat they receive. Open Directory sync access policy and add ordered group rules.

To add a rule:

  1. Click Add rule under Ordered group rules.

  2. Choose the IdP group.

  3. Choose the Featurebase role.

  4. Choose the Seat target.

Each rule maps one identity provider group to a role and seat. Rules save automatically once a group and role are set.

Note: Group rules only apply to users your identity provider sends to Featurebase. In your provider, assign the relevant users or groups to the Featurebase app – otherwise no one will sync.

How rule order works:

  • Rules run from top to bottom, and the first matching rule wins

  • Drag rules to change their order

  • A teammate who matches no rule doesn't get directory-synced access

Seat targets

Each rule sets a seat target:

  • Full seat – full workspace access based on the assigned role

  • Lite seat – a lighter seat for collaborators with simplified access

  • Full seat + Copilot – a Full seat with Copilot enabled, where available on your plan

Copilot is an add-on to a Full seat and isn't available with Lite seat.


Seats and billing

Synced teammates only take up a paid seat once they sign in. Until then they show as Provisioned and aren't billed.

On first sign-in, Featurebase activates the seat target from their group rule. What that means for billing depends on your plan.

Monthly plans

Seats are usage-based. When a synced teammate signs in for the first time, their mapped seat is added to your subscription automatically and billed from then on. You don't pre-buy seats – teammates are added to billing as they sign in.

Yearly plans

You have a fixed number of seats for your term. A synced teammate activates on first sign-in only if a seat of their mapped type is still available. If you're out of seats, they stay Provisioned and see an activation-pending message until there's room. To let them in:

  • Add more seats

  • Free a seat, for example by deprovisioning another teammate

  • Change their rule's seat target to a type that's available, such as Lite

Full seats, Lite seats, and Copilot each have their own limit. If a teammate's target includes Copilot but no Copilot capacity is free, they still get the Full seat, and Copilot is added once capacity opens up.

Note: When a synced teammate is removed, their seat is freed right away.


What gets synced

Once a teammate is managed by Directory sync, your identity provider is the source of truth for them. Directory sync keeps in sync:

  • Email and name

  • Role and seat, based on your group rules

  • Membership – adding teammates and removing them

It does not change your Featurebase teams. Group rules map an identity provider group to a role and seat only, so team membership stays managed in Featurebase. Other directory fields, like job title or phone number, aren't synced.


Turning on Directory sync with an existing team

You don't need to start from an empty workspace. When you turn on Directory sync, existing teammates are brought under management automatically as your identity provider sends their details, matched by email address.

  • On the first match, a teammate keeps their current role even if a group rule would assign a different one. Later changes follow your rules

  • Teammates who aren't in your directory stay manually managed – Directory sync won't touch them

  • If a teammate's email later changes in your identity provider, Featurebase updates it automatically

Tip: Set up your group rules before turning on Directory sync, and add anyone who should stay manual to Protected members first.

Protected members

Protected members are skipped by Directory sync. Their role, seat, and access aren't changed or removed by SCIM, even if their directory access changes. Use this for teammates who should keep manual access.

Add them under Exceptions & manual overrides. The workspace owner is always protected.

Manage individual teammates

To take one teammate out of Directory sync, go to Settings → Members and teams, open the member, and choose Unlink from directory sync. After unlinking:

  • You manage the teammate's role, seat, and access manually

  • Directory sync no longer changes or removes them

Choose Re-link to directory sync to hand them back. Re-linking works only if their directory user still exists and matches a mapped group.

On the Members page, badges show how each teammate is managed: SCIM-managed, Manual override, Protected, or Provisioned.

Re-sync the directory

Use Re-sync directory to have Featurebase re-check your directory's current state against your rules. Make sure your group rules are correct first.

Note: Re-syncing with no saved rules can remove access for SCIM-managed teammates, unless they're protected, unlinked, or the workspace owner.
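To preview what a re-sync would do before you run it, you can model the "first matching rule wins" order and the exemptions described above offline. This is an added example, not Featurebase code or an API. The group names, role names, and roster are constructed, and it models only rule order and exemptions, not seat capacity or the first-match role retention for existing teammates.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    idp_group: str  # identity provider group
    role: str       # Featurebase role (names below are constructed)
    seat: str       # seat target
@dataclass(frozen=True)
class Member:
    email: str
    groups: frozenset = frozenset()  # groups the IdP reports for this user
    in_directory: bool = True        # False: deleted or deactivated in the IdP
    protected: bool = False          # listed under Protected members
    unlinked: bool = False           # unlinked from directory sync
    owner: bool = False              # the workspace owner is always protected

def first_match(rules, groups):
    # Rules run top to bottom and the first matching rule wins.
    return next((r for r in rules if r.idp_group in groups), None)

def dry_run(rules, members):
    """Map each email to the outcome a re-sync against `rules` would produce."""
    plan = {}
    for m in members:
        if m.protected or m.unlinked or m.owner:
            plan[m.email] = "skip (manual)"
            continue
        rule = first_match(rules, m.groups) if m.in_directory else None
        plan[m.email] = f"{rule.role} / {rule.seat}" if rule else "REMOVE"
    return plan

def would_remove(rules, members):
    return sorted(e for e, o in dry_run(rules, members).items() if o == "REMOVE")

# Constructed sample policy and roster (group, role and user names are made up).
RULES = [
    Rule("fb-admins", "Admin", "Full seat + Copilot"),
    Rule("support", "Agent", "Full seat"),
    Rule("everyone", "Viewer", "Lite seat"),
]
MEMBERS = [
    Member("ana@example.com", frozenset({"everyone", "fb-admins"})),
    Member("bo@example.com", frozenset({"everyone", "support"})),
    Member("cy@example.com", frozenset({"contractors"})),
    Member("di@example.com", in_directory=False, protected=True),
    Member("owner@example.com", owner=True),
]

if __name__ == "__main__":
    print(dry_run(RULES, MEMBERS))
    print("re-sync with no rules removes:", would_remove([], MEMBERS))
```

Moving the broad "everyone" rule to the top would give every matching teammate the Lite seat role, and an empty rule list puts every SCIM-managed, unprotected teammate on the removal list.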


What happens to teammates

Added

A teammate in a mapped group is added with that rule's role and seat target.

Updated

Featurebase updates their name, role, and seat target from your directory and rules. For active teammates, a later seat change doesn't move them back to Provisioned; if capacity is short, the change stays pending until capacity frees up.

Removed or deactivated

If a linked, unprotected teammate is deleted, deactivated, or no longer matches any rule, Featurebase removes their workspace access and signs them out.

Restored

To bring a removed teammate back, re-add them in your identity provider and make sure they match a group rule. The restore has to come from your identity provider – inviting them, an SSO sign-in, or a manual change in Featurebase won't do it.

If they were removed within the last 14 days, their previous role and seat come back automatically. After that, they return as a new teammate and pick up the role and seat from your group rules.


FAQs