How To - Setup SCIM Group Provisioning with Grammarly & OKTA
Why SCIM
Many organizations want to authenticate users and provide single sign-on (SSO). But authentication and SSO services are not possible without user provisioning. The user provisioning process creates the user account—including associated attributes and access rights—inside the application. In some cases, the application may have a dedicated, or “siloed”, identity store.
This is particularly true for SaaS applications because of service level agreements (SLAs) and security requirements. In other cases, the application may use a generalized identity store (for example, an on-premises, LDAP-based directory). Either way, a user account must be provisioned in the identity store before the user can access the application.
Provisioning user access is highly valued, but de-provisioning access is often neglected. Slow de-provisioning can result in unnecessary licensing costs. It also increases the risk of data breaches and unauthorized transactions, because users who should no longer have access still do.
SCIM - A Proxy Like Service But For Groups And Roles
For those who aren’t aware, a proxy or reverse proxy server lets you reach a resource by acting as an intermediary between you and it. The proxy is configured so that an end user can’t tell they are not talking directly to the source.
One of the useful things about SCIM is that you can “proxy” groups: a person in one of your Active Directory groups, OKTA groups, or Azure groups is mapped to one of the roles in the SaaS application. This lets you provision and deprovision user accounts just by adding an account to, or removing it from, a group.
Enable SCIM in Grammarly first
You will need to reach out to your Grammarly rep to turn on SCIM. At the time of writing, it is not enabled by default and will not work unless you do this.
From the linked site above:
Example
Say you have three groups in Active Directory:
BU-OKTA-Grammarly-Admins
BU-OKTA-Grammarly-AccountManagers
BU-OKTA-Grammarly-StandardUsers
You want to link these groups to these roles in Grammarly:
ADMIN
ACCOUNT_MANAGER
INSTITUTION_USER
In order to use those groups with these roles, you will need to go into OKTA and go to this location:
Sign-on -> Settings -> SAML 2.0
In this area, you will need to create an attribute statement under SAML 2.0. The attribute name is:
GrammarlyRole
The items you will need to enter for the attribute statement are:
isMemberOfGroupName("BU-OKTA-Grammarly-Admins") ? "ADMIN" : isMemberOfGroupName("BU-OKTA-Grammarly-AccountManagers") ? "ACCOUNT_MANAGER" : isMemberOfGroupName("BU-OKTA-Grammarly-StandardUsers") ? "INSTITUTION_USER" : ""
You will obviously need to change the group names on the left side to whatever names you chose in your environment. Here’s what it would look like in OKTA.
Screenshot of where in OKTA you will need to copy and paste the information:
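The attribute statement above is a chain of ternaries, so the order of the groups matters: the first group a user belongs to (reading left to right) decides the role, and a user in none of them gets an empty string. The following is an added example, not part of the original post or anything Grammarly or Okta ship; since Okta's expression language can't be run offline, it mirrors that evaluation order in Python with the post's group and role names and a constructed set of sample users, and adds a check for users who sit in more than one Grammarly group.

```python
"""Model of the Okta GrammarlyRole attribute statement from the write-up.

Added example (not from the original post). Mirrors the nested-ternary
semantics of the Okta expression: the first matching group, left to right,
decides the role, and a user in none of the groups gets "". Group and role
names are the post's; the user records below are constructed sample data.
"""
from typing import Dict, List

# Ordered exactly as in the Okta expression: earlier entries take precedence.
GROUP_TO_ROLE = [
    ("BU-OKTA-Grammarly-Admins", "ADMIN"),
    ("BU-OKTA-Grammarly-AccountManagers", "ACCOUNT_MANAGER"),
    ("BU-OKTA-Grammarly-StandardUsers", "INSTITUTION_USER"),
]


def grammarly_role(groups: List[str]) -> str:
    """Equivalent of the isMemberOfGroupName(...) ? ... : ... : "" chain."""
    for group, role in GROUP_TO_ROLE:
        if group in groups:          # isMemberOfGroupName(group)
            return role
    return ""                        # final "" branch: no role asserted


def overlapping_memberships(users: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Users in more than one Grammarly group. The ternary chain silently
    grants the highest-precedence role, so these memberships deserve review."""
    mapped = {g for g, _ in GROUP_TO_ROLE}
    return {u: sorted(set(gs) & mapped)
            for u, gs in users.items() if len(set(gs) & mapped) > 1}


# Constructed sample directory export (not real accounts).
SAMPLE_USERS = {
    "alice": ["BU-OKTA-Grammarly-Admins"],
    "bob": ["BU-OKTA-Grammarly-StandardUsers", "Everyone"],
    "carol": ["BU-OKTA-Grammarly-StandardUsers", "BU-OKTA-Grammarly-Admins"],
    "dave": ["Everyone"],   # removed from all Grammarly groups: deprovisioned
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(f"{user}: GrammarlyRole={grammarly_role(groups)!r}")
    print("review:", overlapping_memberships(SAMPLE_USERS))
```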
Hope this helps anyone else who can’t figure out how to configure SCIM in Grammarly and OKTA.
NOTE - “Institution_User” is the name Grammarly uses on their backend to describe a “Standard user”. None of these options is documented anywhere on the Grammarly site. I wrote to Grammarly suggesting that it would be a good idea to create a “how to” for this setup, which they agreed would be a good idea. At the time of writing, they haven’t updated their pages or documentation.