Enterprise accounts with SSO enabled can use SCIM to create and manage team member accounts and user groups on Vimeo. SCIM (System for Cross-domain Identity Management) is a standard for automating the exchange of user identity information between identity domains or IT systems.
If you’re new to SCIM, here are a few examples of how it can be helpful and how your IdP (Identity Provider, such as Okta, OneLogin, GSuite, etc.) can interact with your Vimeo account:
Push Users: When an employee joins your organization, they will automatically have a Vimeo account created with respective group membership information and personalized content.
Deactivate Users: When an employee leaves your organization, their account is automatically deactivated to ensure they don’t have access to your Vimeo account, and they’re not taking any of the seats you’re paying for.
Update User Attributes: When an employee changes their name or email address, their respective Vimeo account will get updated immediately. Also, When you’ve reassigned an employee to a different department, and changed their group membership, their group membership is immediately updated on the Vimeo account, which updates what content they can access on Vimeo.
Push Groups: New groups created through Okta will also be created in Vimeo.
Import Users: New users created in Vimeo can be downloaded in the Import tab of the App and turned into new AppUser objects, for matching against existing Okta users.
Import Groups: New groups created in Vimeo can be downloaded in the Import tab of the App and turned into new AppUser objects, for matching against existing Okta groups.
In general, if you need to manage thousands of accounts, SCIM is the most practical way to do this.
This guide will walk through how to set up a SCIM connection with Vimeo for your organization; we will use Okta as an example IdP (Identity Provider) but steps on other providers (OneLogin, GSuite, Azure, etc.) should be similar.
If you’re an existing Vimeo Enterprise customer and don’t have SCIM, please contact your Account Manager for more information. If you are not a Vimeo Enterprise customer yet and are interested in SCIM, please contact us.
In this article:
- Get an API Token from Vimeo
- Configuring SCIM on your IdP
- Provisioning users from the IdP to Vimeo
- Support attributes (mapping)
In order to use SCIM with your Vimeo account:
- Your Vimeo account should have an Enterprise membership and have SSO enabled.
- SSO should be configured and enabled on the IdP side.
- IdP must support SCIM version 2; Vimeo does not support SCIM version 1.
Get an API Token from Vimeo
You will need to get an API token from Vimeo to get started. You must log in to the owner account in order to do this; team members cannot access API.
- Open https://developer.vimeo.com
- Select Get started or New app.
- Fill out the form, then select Create App.
- Note: For the question asking if other users besides will access your app, select No.
- Scroll down to the Generate an access token section.
- Select Authenticated (you).
- Select Private, then Scim scopes
- Click Generate.
- Copy/save the newly generated token somewhere, such as a note-taking application. Do not skip this step; you will need it later.
Configuring SCIM on your IdP
Note: We demonstrate Okta as an example here, but the steps for other providers should be similar.
- Go to your existing SAML application that is used for Vimeo.
- In the General tab, edit App settings.
- Change Provisioning from None to SCIM.
- There should now be a Provisioning area or tab in the application:
- Go to the Provisioning tab, then Settings, then Integration. Select Edit.
- Enter the SCIM connector base URL using this URL format: https://api.vimeo.com/scim/v2/12345678, where 12345678 is the Vimeo team owner’s User ID; you can find it in the upper left corner of the Vimeo Account Settings page.
- In the “Unique identifier field for users” field, enter userName
- Enable all supported provisioning actions that are listed here.
- In the “Authentication Mode” menu, select HTTP Header.
- For “Authorization,” paste the generated API token from Vimeo.
- Click Save.
- Next, go to the Provisioning tab -> Settings -> To App
- Enable “Create users”, “Update user attributes”, “Deactivate users”.
- Note: If you are using a different IdP such as Azure, see the Supported attributes section below.
- Select Save.
Provisioning users from the IdP to Vimeo
The initial step to start provisioning in Okta is assigning users to the SAML application. If you just created a SAML application to set up SSO and SCIM, you can assign users and they will be provisioned automatically.
If you already have a SAML application with assigned users, they won’t be provisioned once the provision is enabled. You have two options in Okta:
- You can unassign and assign users again, or
- You can contact Okta support and ask to enable a feature called “Provision out of sync users” which would add a "Provision now" button next to each user that is not provisioned after provisioning is enabled.
After you’ve initiated provisioning, you can see on your team settings page that team members have been added to your Vimeo account.
You can now also push Groups from your IdP into Vimeo if you need:
Troubleshooting: Processing failed SCIM attempts
There are cases where users can’t be migrated via SCIM, such as:
- A user with the same email address already exists on Vimeo and is not on this Enterprise team
- Your account reached its seat cap
- Connection errors
In these cases, you can go to your team settings page and download a list of failed migrations where you see the error message.
In most cases, to address them, it’s best to contact your Account Manager: some of them can be handled by migrating Vimeo users to your Enterprise account, others by purchasing additional seats.
When you change a user's information in your IdP, be sure to keep the Username and Email identical.
Support attributes (mapping)
We do not support all SCIM out-of-the-box user attributes. For example, Azure’s default attributes set is bigger than Okta’s and should be reduced.
Currently Vimeo supports these user attributes:
- schemas (readonly, required by SCIM specification)
- id (readonly, required by SCIM specification)
- userName (mutable, requires same value for email)
- Name (mutable)
- name.formatted (same as givenName+familyName)
- displayName (same as givenName+familyName)
- Active (mutable)
- emails (only type=work and primary=true) (mutable)
- profileUrl (readonly)
- locale (mutable)
- groups (readonly, mutable from /Groups endpoint)
- meta (readonly)