Docs/SCIM provisioning

Auth0

~5 minutes

Auth0 does not push SCIM to downstream applications — its SCIM 2.0 support is inbound only (a way for an upstream IdP to provision users *into* Auth0). Pick one of the options below depending on where your user directory actually lives.

Auth0 has no outbound SCIM provisioning. The settings below are the workable alternatives — not a hidden feature.

Before you start

SSO already configured against Auth0 (see the Auth0 SSO guide).
A clear answer to "which system is the source of truth for our users?" — that's where SCIM should run from.

Steps

1
Use just-in-time provisioning (default)
With SSO alone, Wando creates the member record the first time a user signs in via Auth0. No SCIM token, no group mappings, no scheduled push — the user simply exists in Wando after their first sign-in. Roles default to "member"; an org admin promotes manually. This is the right choice if Auth0 is your primary directory.
2
If users come from Okta or Entra via Auth0 — run SCIM from the upstream IdP instead
When Auth0 is just an OIDC hop in front of Okta or Microsoft Entra, configure SCIM directly from that upstream IdP into Wando. Sign-in still flows through Auth0; provisioning bypasses it. See the Okta or Microsoft Entra ID SCIM guides.
3
Custom Auth0 Action (advanced)
If Auth0 is your only directory and you really need pushed provisioning, write a Post-Login Action that calls Wando's SCIM endpoint with a bearer token. The Action runs on each login and can POST/PATCH `/api/auth/scim/v2/Users`. This is unsupported territory — happy to consult on the script if you want to take this route.

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

No SCIM configuration is needed for the just-in-time path — members appear automatically the first time they sign in. If you take option 2 (upstream IdP) or option 3 (custom Action), follow that guide instead and your Wando contact will issue the SCIM token there.

Docs/SCIM provisioning

Auth0

~5 minutes

Auth0 has no outbound SCIM provisioning. The settings below are the workable alternatives — not a hidden feature.

Before you start

SSO already configured against Auth0 (see the Auth0 SSO guide).
A clear answer to "which system is the source of truth for our users?" — that's where SCIM should run from.

Steps

1
Use just-in-time provisioning (default)
With SSO alone, Wando creates the member record the first time a user signs in via Auth0. No SCIM token, no group mappings, no scheduled push — the user simply exists in Wando after their first sign-in. Roles default to "member"; an org admin promotes manually. This is the right choice if Auth0 is your primary directory.
2
If users come from Okta or Entra via Auth0 — run SCIM from the upstream IdP instead
When Auth0 is just an OIDC hop in front of Okta or Microsoft Entra, configure SCIM directly from that upstream IdP into Wando. Sign-in still flows through Auth0; provisioning bypasses it. See the Okta or Microsoft Entra ID SCIM guides.
3
Custom Auth0 Action (advanced)
If Auth0 is your only directory and you really need pushed provisioning, write a Post-Login Action that calls Wando's SCIM endpoint with a bearer token. The Action runs on each login and can POST/PATCH `/api/auth/scim/v2/Users`. This is unsupported territory — happy to consult on the script if you want to take this route.

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Before you start

Steps

Use just-in-time provisioning (default)

If users come from Okta or Entra via Auth0 — run SCIM from the upstream IdP instead

Custom Auth0 Action (advanced)

Hand off to Wando

Before you start

Steps

Use just-in-time provisioning (default)

If users come from Okta or Entra via Auth0 — run SCIM from the upstream IdP instead

Custom Auth0 Action (advanced)

Hand off to Wando