Directory sync (SCIM)

How to configure directory sync on your account to automate the management of users and their permissions from your identity management platform to Knock.
Enterprise plan feature. Directory sync is only available on our Enterprise plan.

Overview

Directory sync allows you to automatically provision users and manage their permissions in Knock by leveraging the identity provider your organization is using (e.g. Okta) as the single source for user and group information.

Once configured, it enables automated syncing of user identity information from identity providers to Knock using SCIM (System for Cross-domain Identity Management), an open standard for managing automated user and group provisioning.

Any user assigned to the Knock application in your identity provider will be created in Knock (and deprovisioned from Knock when unassigned), with their role and permissions configured automatically from their group memberships (see the default group-to-role mapping below for details).

Directory sync configuration

To configure directory sync, contact the Knock support team, who will give you the following two pieces of information to enter into your identity provider:

  • A SCIM endpoint URL that your identity provider will make provisioning requests to.
  • A bearer token that your identity provider must send in the Authorization header of every request to that endpoint. Treat it as a secret: anyone holding it can create users and assign roles in your Knock account, so store it only in the IdP's SCIM configuration and do not share it outside that.

Configure directory sync

Many of the common identity providers are supported. See below for detailed step-by-step guides for your identity provider:

Once user identity data from your identity provider starts syncing to Knock successfully, you will see the "connected" status for directory sync under Settings > General.

Group-to-role mapping

You can optionally supply a set of group-to-role mappings for your organization. For instance, you might want the "Team Admins" group in your IdP to always map to the admin role within Knock. This mapping must be sent to the Knock support team to be set on your account; there is currently no way to configure it yourself.

If you want to force a group in your IdP to a particular Knock role without a custom mapping, use the following built-in group names; members of each group are automatically given the corresponding role.

  Group name            Role
  knock-role-owner      owner
  knock-role-admin      admin
  knock-role-member     member
  knock-role-billing    billing
  knock-role-support    support

How Knock assigns roles

If a user does not belong to any mapped group, Knock assigns the support role. If a user belongs to more than one mapped group, Knock assigns the most privileged of the corresponding roles. Because the most privileged role wins, membership of the knock-role-owner and knock-role-admin groups (and of any custom group you map to those roles) should be restricted in your IdP to the people who are allowed to grant that level of access. See roles and permissions for more details.
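The following is an added example, not Knock's code, that reproduces the assignment rule above together with the custom group-to-role mapping from the previous section, so you can check what role each IdP user would receive before the first sync runs. It assumes the five roles rank owner > admin > member > billing > support (the page only says the highest-privileged role wins), that a custom mapping is a plain group-name-to-role dictionary, and it reads group names from the standard SCIM 2.0 User `groups` attribute; the three user records are constructed sample data.

```python
# Added example (not Knock's code): simulate Knock's group-to-role resolution.
# ASSUMPTIONS: role ranking below, custom mapping as {group name: role}, and
# IdP group names arriving in the SCIM 2.0 User `groups[].display` attribute.
import json

ROLE_PRECEDENCE = ["owner", "admin", "member", "billing", "support"]  # highest first (assumed)
DEFAULT_ROLE = "support"  # no mapped group -> support, per the page
SENSITIVE_ROLES = {"owner", "admin"}

# Built-in group names from the table on this page.
BUILTIN_GROUP_ROLES = {f"knock-role-{role}": role for role in ROLE_PRECEDENCE}


def build_mapping(custom_mapping=None):
    """Merge optional org-specific mappings over the built-in knock-role-* groups."""
    mapping = dict(BUILTIN_GROUP_ROLES)
    for group, role in (custom_mapping or {}).items():
        if role not in ROLE_PRECEDENCE:
            raise ValueError(f"unknown Knock role {role!r} for group {group!r}")
        mapping[group] = role
    return mapping


def resolve_role(group_names, custom_mapping=None):
    """Most privileged role among the user's mapped groups, else the default role."""
    mapping = build_mapping(custom_mapping)
    roles = {mapping[g] for g in group_names if g in mapping}
    if not roles:
        return DEFAULT_ROLE
    return min(roles, key=ROLE_PRECEDENCE.index)


def groups_of_scim_user(user):
    """Group display names from a SCIM 2.0 User's multi-valued `groups` attribute."""
    return [g["display"] for g in user.get("groups", []) if g.get("display")]


def audit_users(users, custom_mapping=None):
    """Map userName -> resolved role, flagging owner/admin outcomes for human review."""
    report = {}
    for user in users:
        role = resolve_role(groups_of_scim_user(user), custom_mapping)
        report[user["userName"]] = {"role": role, "review": role in SENSITIVE_ROLES}
    return report


# Constructed sample: three SCIM User resources as an IdP would push them.
SAMPLE_USERS = json.loads("""
[
  {"userName": "ana@example.com",
   "groups": [{"value": "g1", "display": "knock-role-member"},
              {"value": "g2", "display": "knock-role-owner"}]},
  {"userName": "ben@example.com",
   "groups": [{"value": "g3", "display": "Team Admins"}]},
  {"userName": "cy@example.com", "groups": []}
]
""")

# Org-specific mapping (the "Team Admins" example from this page).
CUSTOM_MAPPING = {"Team Admins": "admin"}

if __name__ == "__main__":
    for name, entry in audit_users(SAMPLE_USERS, CUSTOM_MAPPING).items():
        flag = "  <- review" if entry["review"] else ""
        print(f"{name}: {entry['role']}{flag}")
```

Run it against an export of your IdP's users and groups before enabling the sync; every name the audit flags for review is someone who will land in owner or admin, which is exactly the set whose group membership should be locked down in the IdP.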

Frequently asked questions