Set up SCIM user provisioning in Wispr Flow

Last updated: April 30, 2026

Available on: Web (admin console). Verification steps cover Mac, Windows, and iOS.

Connect your identity provider to Wispr Flow so users are created, updated, and removed automatically — no manual provisioning needed. Setup takes about 10 minutes.

Before you start

Confirm you have:

  • Org admin access in Wispr Flow, or the IT Admin role assigned by an org admin from the Team page.

  • An Enterprise plan. SSO settings (required to access SCIM provisioning) are Enterprise-only.

  • Admin access to your identity provider (Okta, Azure AD, OneLogin, or similar).

  • A complete admin profile in Flow. Your first name, last name, and email must be filled in — SSO/SCIM setup will not start without them.

Note: The IT Admin role grants access to team, billing, and SSO management but does not include dictation access, and IT Admin seats do not count toward your paid seat total. Org admins can assign it from the Team page — via the role dropdown for existing members or when inviting a new member.

Warning: Enabling SCIM disables manual user management in Flow. The Add new user button is hidden, join request Approve/Deny buttons are hidden, and invite, bulk invite, remove member, and revoke invitation operations are blocked. All user changes must go through your identity provider.

How to set up SCIM provisioning

  1. Open the Wispr Flow admin console and navigate to SSO settings.

  2. Access the WorkOS admin portal from the SSO settings page.

  3. Navigate to the Directory Sync section in the WorkOS admin portal.

  4. Configure your identity provider (Okta, Azure AD, OneLogin, etc.) and enable Directory Sync.

  5. Map the following attributes in your identity provider as directed by WorkOS:

    1. Primary email (required)

    2. First name

    3. Last name

    4. Group/team assignments (optional)

  6. Wait for directory sync to activate. Once active, Flow is ready to process provisioning events.

  7. Assign a small pilot group of test users to the Wispr Flow application in your identity provider.

  8. Verify the test users appear in Flow's admin console. If they do, assign the rest of your users or groups.

Note: When directory sync activates, Flow imports any domains from your WorkOS organization into the enterprise's allowed domain list. Existing users in your IdP are not backfilled — they are provisioned as your IdP sends individual creation events, which typically happens when you assign users to the application.

Note: If SCIM directory sync is deleted in WorkOS, manual user management in Flow is re-enabled automatically. Existing memberships are preserved — no users are removed when the directory connection is deleted. Deactivating (rather than deleting) the directory does not re-enable manual management.

How to verify your provisioned account

If your organization uses SCIM provisioning, confirm your account synced correctly. Steps differ by platform:

Mac and Windows

  1. Open the Wispr Flow app.

  2. Click Sign in via browser to open the authentication flow in your web browser.

  3. Choose your SSO sign-in method and enter your work email when prompted.

  4. Complete the SSO flow and return to the Flow app.

  5. Open your account or profile section, then confirm your name and email match your identity provider.

iOS

  1. Open the Wispr Flow app.

  2. Tap More options to reveal additional sign-in methods, then select Continue with SSO.

  3. Enter your work email and complete the SSO flow.

  4. Open your account or profile section, then confirm your name and email match your identity provider.

If anything looks out of sync, your IT admin should adjust SCIM mappings or assignments in the identity provider.

Troubleshooting

Directory sync is not activating

If your identity provider is configured but users are not being provisioned, verify that:

  • Directory sync is enabled and active in the WorkOS admin portal.

  • Your identity provider is correctly connected to WorkOS.

  • The WorkOS webhook is reachable from WorkOS to Flow.

Users are not being created in Flow

Check the following:

  • Automatic provisioning is enabled in the identity provider.

  • The app is assigned to users or groups.

  • The email or username field is mapped correctly.

  • The user's email domain matches one of the enterprise's registered domains in Flow.

User updates are not appearing in Flow

Attribute mappings may not include the fields you expect (such as first name or last name), or update provisioning may be disabled in the identity provider.

Deactivated users can still sign in

When users are removed via SCIM, their enterprise membership is removed but their Flow account is not deleted. If a removed user can still access enterprise resources, check whether:

  • The deprovisioning event was sent by the identity provider.

  • The user was unassigned from the app rather than deactivated in a way that triggers a SCIM delete event.

  • The WorkOS webhook reached Flow successfully.

  • SSO enforcement is enabled — if not, users may still sign in via other methods even after SCIM removal.

Duplicate user accounts

Users may have been created manually in Flow before SCIM was turned on, or the identity provider may be sending a different email or username than the one already used in Flow.

Users receive email invitations instead of being provisioned automatically

If SCIM provisioning hits a transient error (such as a database issue), Flow falls back to sending an email invitation. The user can still join by clicking the link. This fallback does not apply when the enterprise seat cap is reached — in that case, no invitation is sent. If this happens repeatedly, contact support.

A user is not provisioned despite a matching email domain

The user may already belong to a different Wispr Flow enterprise. A user can only belong to one enterprise at a time, and must be removed from their current enterprise before being provisioned into yours.

Users are not provisioned despite correct configuration

If your identity provider shows the user was synced but they do not appear in Flow, your enterprise may have reached its seat cap. Check your seat count in Flow billing settings and increase it if needed.

FAQs

What happens when a user is removed from the identity provider?

Their enterprise membership is removed and their directory sync link is cleared. The user's Flow account and authentication record are not deleted. If they are later re-provisioned, their existing account is re-associated with the enterprise.

Can users sign up for Flow directly when SCIM is enabled?

No. Users on SCIM-managed domains cannot self-register — they must be provisioned by the identity provider. Direct sign-up attempts are blocked.

How do SCIM-provisioned users sign in?

SCIM-provisioned users sign in using whatever authentication methods your enterprise allows. If your enterprise also enforces SSO (a separate setting), users must sign in via SSO. SCIM provisioning alone does not enforce a specific sign-in method.

Why are some users not being provisioned?

The user's email domain must match one of the enterprise's registered domains in Flow. Users with non-matching domains are silently skipped.

What role are SCIM-provisioned users assigned?

All SCIM-provisioned users are assigned the Member role. Role mapping from the identity provider is not currently supported. Admins can change roles directly in Flow even when SCIM is enabled, including assigning the IT Admin role from the Team page.

What if a user already belongs to a different organization?

The user is silently skipped during SCIM provisioning. A user can only belong to one enterprise at a time.

What happens if a directory group is deleted in the identity provider?

All users in that group are removed from Flow, and any pending invitations for those users are revoked.

Does SCIM affect billing?

Yes. When users are provisioned via SCIM, Flow increases your seat count automatically to accommodate them, which may increase your billing. When users are removed, your seat count is not reduced automatically — seat reductions happen during billing reconciliation cycles. Contact support or adjust seats manually if needed. IT Admin role members do not count toward paid seats.

What happens if my enterprise has reached its seat cap?

SCIM provisioning is blocked when the seat cap is reached. The user is not added and no email invitation is sent as a fallback. Increase your seat count or remove existing users, then reassign the user in your identity provider.

Still need help?

Contact Wispr Flow support if:

  • You cannot find SCIM or provisioning settings but believe your plan should include them.

  • SCIM connection tests fail after confirming the URL, token, and network settings.

  • Users are created or removed unexpectedly without a change in your identity provider.

  • Users repeatedly receive email invitations instead of being provisioned automatically.

When you reach out, include your platform, identity provider, the affected user's email, and what you've already tried. To open a ticket: in the Flow desktop app, click Help in the sidebar, then Talk to support under Get in touch. On iOS, go to Menu → Talk to Support. On Android, open the navigation drawer and tap Report an issue or Share feedback.