
User Management with SCIM

Written by Jess Diaz-Gomes
Updated this week

📌 This feature is for our Enterprise Plan customers

If you wish to upgrade your plan to Enterprise, please book a demo

Important Notes

  • You need an active WorkOS SSO connection for Synthesia; see this guide

  • SCIM User schema used by Synthesia: urn:ietf:params:scim:schemas:core:2.0:User.

  • By default, new users land in the workspace set as Default in your Synthesia Organization settings (Settings → Collaboration → Auto-capture new users from listed domains (must be enabled) → Default workspace)


User Management in Okta

After you set up the SCIM app in Okta:

  1. Go to Directory and select Profile Editor

  2. Click App and then select Add Attribute to set up user roles.

  3. Assign users (and/or groups) to the SCIM app.

  4. On assignments, select Assign to Groups.

  5. Once assigned, their Synthesia accounts will be created and added to the default workspace in Synthesia (unless a push group or other logic overrides it).

  6. In the dialog box, click Override on the User Type field and type the desired license for all members of this group. We currently support only the organization-admin role value.

✍️ You are able to use different groups for admins and license settings. The above is just an example.

Synthesia supports userType values:

  • org-full-license

  • org-free-license

  • org-restricted-license

    • If none is specified, the workspace’s Default license is applied.

💡 Required roles format (multi-valued) we accept:

"roles": [
  { "type": "synthesia_role", "value": "organization-admin" }
]

If you don’t have role or userType attributes in Okta SCIM provisioning, you can add these custom attributes in the Okta Profile Editor for the SCIM application.

Then you can map these attributes to existing ones in the SCIM app.

Mappings → Okta User to SCIM App:

  • Map user.synthesiaRole → roles[type eq "synthesia_role"].value

  • Map user.userType → userType

Deprovisioning

✍️ We don’t delete the accounts. We remove them from the workspace, and the content is transferred to the oldest Organization Admin in a folder named with the user’s email.

  • In the SCIM App’s Provisioning tab → ensure Deactivate Users is enabled.

  • Off-boarding workflow:

    1. Unassign the user from the SCIM app or

    2. Deactivate the user’s Okta account in the app.

  • Synthesia will handle the account removal from the workspace and the content-transfer logic.


User Management in Entra AD

In the SCIM app:

  1. In the Provisioning tab, go to Attribute Mappings

  2. Select Edit Provision Azure Active Directory Users

  3. Show Advanced Options

  4. Click Edit attribute list (if needed) so that roles is available as an attribute.

For userType attribute, Synthesia supports values:

  • org-full-license

  • org-free-license

  • org-restricted-license

    • If none is specified, the workspace’s Default license is applied.

  1. In the SCIM App, select Provisioning

  2. Click Mappings and click Edit Provision Azure Active Directory Users

  • Add new mapping:

    • Target attribute: userType

    • Mapping type: Expression (or Direct)

      • Example Expression:

        IIF(IsMemberOf("Synthesia-Full"), "org-full-license",
          IIF(IsMemberOf("Synthesia-Restricted"), "org-restricted-license",
            "org-free-license"))
    • Or map it directly to a custom attribute on the user.

  • Save mappings → Trigger provisioning (or re-assign user) → Confirm the payload includes "userType": "<value>".
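
A check for the provisioning payload, written for this article as an added example (not Synthesia's or WorkOS's code): it validates a SCIM User document against the schema URN, userType values and roles format listed on this page, and reports whether the payload grants organization-admin. The function name, the sample payloads and the choice to skip role entries of another type are assumptions.

```python
import json

# Values below are the ones this article lists.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
USER_TYPES = ("org-full-license", "org-free-license", "org-restricted-license")
ROLE_TYPE, ROLE_VALUES = "synthesia_role", ("organization-admin",)

def check_scim_user(raw):
    """Return (problems, grants_admin) for one SCIM User JSON document."""
    try:
        user = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], False
    if not isinstance(user, dict):
        return ["top-level value is not a JSON object"], False
    problems, grants_admin = [], False

    schemas = user.get("schemas")
    if not isinstance(schemas, list) or USER_SCHEMA not in schemas:
        problems.append("schemas does not list the core User schema")
    # userType is optional: when absent, the workspace Default license applies.
    user_type = user.get("userType")
    if user_type is not None and user_type not in USER_TYPES:
        problems.append(f"unsupported userType: {user_type!r}")
    # roles must be multi-valued: a list of {"type": ..., "value": ...} objects.
    roles = user.get("roles", [])
    if not isinstance(roles, list):
        problems.append("roles is not a list (multi-valued format required)")
        roles = []
    for role in roles:
        if not isinstance(role, dict):
            problems.append(f"role entry is not an object: {role!r}")
        elif role.get("type") != ROLE_TYPE:
            continue  # assumption: entries of another type are out of scope here
        elif role.get("value") in ROLE_VALUES:
            grants_admin = True  # worth reviewing: this user becomes an org admin
        else:
            problems.append(f"unsupported role value: {role.get('value')!r}")
    return problems, grants_admin

# Constructed sample payloads (not captured from a real tenant).
GOOD = json.dumps({"schemas": [USER_SCHEMA], "userName": "a@example.com",
                   "userType": "org-full-license",
                   "roles": [{"type": ROLE_TYPE, "value": "organization-admin"}]})
BAD = json.dumps({"schemas": [USER_SCHEMA], "userName": "b@example.com",
                  "userType": "full", "roles": "organization-admin"})

if __name__ == "__main__":
    print(check_scim_user(GOOD), check_scim_user(BAD))
```

Run it over payloads captured from the identity provider's provisioning logs after changing a mapping; a `grants_admin` result of True for a user outside your admin group points to a mapping error.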

Deprovisioning

✍️ We don’t delete the accounts. We remove them from the workspace, and the content is transferred to the oldest Organization Admin in a folder named with the user’s email.

  • In the SCIM App’s Provisioning tab → ensure Deactivate Users is enabled.

  • Off-boarding workflow:

    1. Unassign the user from the SCIM app or

    2. Deactivate the user’s Okta account in the app.

  • Synthesia will handle the account removal from the workspace and the content-transfer logic.


Push Groups → Workspaces

  • In both Okta and Entra AD, you can push Groups to Synthesia, but only when the Push Group name exactly matches a workspace name in Synthesia.

For example:

Create an Okta group named “Marketing Workspace”. If the workspace in Synthesia is exactly “Marketing Workspace”, when you push that group, all its members will be added to the “Marketing Workspace” in Synthesia.
