Inviting your team

Essential · Estimated read: 6 min · Updated 2026-06-02

AxisSynapse offers three ways to onboard users: invite by email (works on day one, scales to a few hundred), SCIM directory sync (automates lifecycle from Microsoft Entra ID, Okta, etc.), and SSO just-in-time provisioning (creates the account on first sign-in). Most workspaces use a combination — email for the first few admins, SCIM for the long-tail employee base, JIT as the safety net.

TL;DR — Start with email invites for the first dozen. As the workspace grows past about fifty users, wire up SCIM so adds, role changes, and deactivations propagate from your directory automatically. Leave SSO JIT on as a backstop for users your directory hasn't synced yet.

Before you start

  • You must be a Workspace admin to invite others or to wire up SCIM. Member-level users can't open the Members tab.
  • For SCIM: your identity provider must be configured first — see SCIM provisioning.
  • For SSO JIT: a SAML provider must be enabled — see Configure single sign-on.

The three onboarding paths

| Path | What it does | Best for |
|---|---|---|
| Invite by email | Send an individual invitation. Recipient clicks the link, picks a password (or uses SSO), lands in the workspace. | The first few admins, contractors, anyone outside your directory. |
| SCIM directory sync | Your directory pushes user lifecycle events to AxisSynapse — adds, role changes, deactivations. | Every workspace > 50 users. Setup ~30 min one-time, then runs forever. |
| SSO just-in-time (JIT) | The account is created on first SSO sign-in using the email + name in the SAML assertion. | Long-tail users not in any directory group; safety net behind SCIM. |

The three modes coexist freely; AxisSynapse de-duplicates by email on every path.

Invite by email

The quickest path for day-one onboarding.

  1. Open Settings → Members

    Click your workspace name in the top bar, pick Settings, then Members in the left sub-nav. The members list shows everyone currently in the workspace, the role each holds, and the date of last sign-in.

  2. Click "Invite member"

    A side drawer slides in with the invite form.

  3. Enter the email + pick a role

    Type the invitee's email. Pick Member (default) or Workspace admin from the role dropdown. Multi-line paste is supported for bulk invites — one email per line.

  4. Optionally pre-assign module roles

    The drawer's Module roles section lets you pre-grant module-specific roles (e.g. HCM Admin, EEO Investigator). Skip this if you'd rather assign module roles later.

  5. Send the invite

    Click Send invitation. The invitee receives an email with the workspace URL, the role they're being granted, and a sign-up link. The link is valid for 14 days.

Resending or revoking

A pending invite shows in the members list with a Pending badge. Click the row to resend, change the role before acceptance, or revoke entirely.

SCIM directory sync

Once your identity provider is wired up, your directory becomes the source of truth for user lifecycle.

  1. Generate a SCIM bearer token

    From Settings → Identity → SCIM, click Generate token. AxisSynapse shows the token once — copy it into your identity provider's SCIM configuration immediately.

  2. Configure your IdP's SCIM connector

    The exact path varies by provider; the presets on SCIM provisioning walk you through Microsoft Entra ID and Okta step by step.

  3. Pick the groups to sync

    Most IdPs let you scope the sync to specific groups. We recommend starting with a single pilot group, verifying the round trip, then opening up to the rest of the organization.

  4. Verify the first sync

    Provision one user from your IdP. Within seconds the user appears in Settings → Members with a SCIM badge. Provisioning events also appear in Security Console.

SSO just-in-time (JIT)

When a user signs in via SSO and doesn't already have an account in the workspace, AxisSynapse creates one using the email, first name, and last name from the SAML assertion. JIT is on by default for every SAML provider; you can toggle it off per provider if you prefer SCIM-only onboarding.

  1. Open the SAML provider's settings

    From Settings → Identity → Identity providers, click the provider name to open its detail panel.

  2. Toggle "Just-in-time provisioning"

    On (default): every successful SSO sign-in by an unknown email creates the account. Off: the user sees an "account not found" message and must be invited first.

  3. Set the default role for JIT-provisioned accounts

    Pick Member (default) or any other workspace-level role. JIT cannot grant Workspace admin — admin promotions require an explicit admin action.

Every field, explained

| Field | What it does | Accepted values / default |
|---|---|---|
| Email (invite) | Identifies the invitee and routes the invitation message. | Valid email address. Multi-line paste is supported for bulk invites. |
| Workspace role | Sets the workspace-level role granted on acceptance. | Member (default) or Workspace admin. Module roles are layered on top. |
| Module roles | Pre-grants role(s) on specific modules (e.g. HCM Admin). | Optional. Module roles can be assigned later from each module's settings. |
| Invite expiry | How long the invite link is valid. | 14 days. Resend from the member's row when it expires. |
| SCIM bearer token | Authenticates your identity provider's SCIM connector. | Shown ONCE on creation; store it in your IdP immediately. Revoke and regenerate if compromised. |
| JIT enabled | Whether unknown SSO sign-ins auto-create accounts. | Per-provider. On by default; turn off if SCIM is the sole onboarding path. |
| JIT default role | The workspace role granted to JIT-provisioned accounts. | Member by default. Cannot be Workspace admin. |

What appears in the audit log

  • ACCOUNT_SCIM_USER_CREATED / ..._UPDATED / ..._DEACTIVATED / ..._REACTIVATED — emitted as your directory pushes lifecycle events. Each line carries the IdP's externalId so you can trace the source.
  • ACCOUNT_SAML_JIT_PROVISIONED — emitted on first SSO sign-in for an unknown email. Review this periodically to catch unexpected domains.
  • TENANT_SCIM_TOKEN_CREATED / ..._REVOKED — recorded whenever a SCIM token is issued or revoked. A _REVOKED line with no matching _CREATED afterward is a sign your IdP lost its credentials — re-generate and re-configure.

Email invites do not currently emit a dedicated audit code; the invitee's first sign-in records the standard sign-in line.
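
The two review checks from the audit-log list above, as an added example (not AxisSynapse code): it flags JIT-provisioned accounts from domains outside an allowlist, and a SCIM token revocation with no later creation. The JSON-lines export layout, the field names, and the sample events are constructed assumptions; only the event codes come from this page.

```python
import json
from datetime import datetime

# Constructed sample audit export. The JSON-lines layout and the field names
# ("ts", "code", "email", "token_id") are assumptions; only the event codes
# come from the page.
SAMPLE_AUDIT = """\
{"ts": "2026-05-01T09:00:00Z", "code": "TENANT_SCIM_TOKEN_CREATED", "token_id": "tok-1"}
{"ts": "2026-05-02T08:05:00Z", "code": "ACCOUNT_SCIM_USER_CREATED", "email": "lee@example.com"}
{"ts": "2026-05-03T10:15:00Z", "code": "ACCOUNT_SAML_JIT_PROVISIONED", "email": "ana@example.com"}
{"ts": "2026-05-04T11:30:00Z", "code": "ACCOUNT_SAML_JIT_PROVISIONED", "email": "Sam@Partner.example"}
{"ts": "2026-05-10T08:00:00Z", "code": "TENANT_SCIM_TOKEN_REVOKED", "token_id": "tok-1"}
"""

def parse_events(text):
    """Parse JSON lines into dicts sorted by timestamp, skipping blank lines."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["when"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["when"])

def unexpected_jit_domains(events, allowed_domains):
    """Return (email, domain) for JIT-provisioned accounts outside the allowlist."""
    allowed = {d.lower() for d in allowed_domains}
    hits = []
    for e in events:
        if e["code"] != "ACCOUNT_SAML_JIT_PROVISIONED":
            continue
        email = e.get("email", "")
        domain = email.rpartition("@")[2].lower()  # compare case-insensitively
        if domain not in allowed:
            hits.append((email, domain))
    return hits

def scim_token_gap(events):
    """Return the last _REVOKED event if no _CREATED follows it, else None."""
    last = None
    for e in events:
        if e["code"] == "TENANT_SCIM_TOKEN_REVOKED":
            last = e
        elif e["code"] == "TENANT_SCIM_TOKEN_CREATED":
            last = None  # a later token was issued, so the gap is closed
    return last

if __name__ == "__main__":
    evts = parse_events(SAMPLE_AUDIT)
    print("Unexpected JIT accounts:", unexpected_jit_domains(evts, {"example.com"}))
    gap = scim_token_gap(evts)
    print("SCIM token revoked with no replacement since:", gap["ts"] if gap else None)
```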

Common gotchas

  • "My new hire isn't getting the invite." Check spam, then confirm the email matches what's in your directory. AxisSynapse sends from notifications@axissynapse.com; allowlist the domain if your mail filter is aggressive.
  • "SCIM created a duplicate of an existing user." That happens when the email in your directory differs from the one the user registered with manually (e.g. J.Smith@… vs jsmith@…). Resolve by merging the duplicate from Settings → Members.
  • "JIT created accounts from a partner domain I didn't intend." Either disable JIT for that provider, or have the IdP restrict the assertion to internal-only users. Adjust at the IdP rather than relying on AxisSynapse to filter.
  • "My SCIM connector keeps failing with 401." The bearer token has been revoked or rotated. Generate a new one in AxisSynapse and update your IdP.

Troubleshooting

| Error code | What it means | Fix |
|---|---|---|
| INVITE_EMAIL_INVALID | The invitee's email doesn't parse. | Re-enter a valid email. |
| INVITE_EXPIRED | Invite older than 14 days. | Resend from Settings → Members. |
| SCIM_UNAUTHORIZED | The SCIM bearer token is missing or revoked. | Generate a new token in AxisSynapse, update the IdP. |
| SCIM_USER_CONFLICT | An incoming SCIM user has the same email as an existing local account. | Merge the duplicate from the members list. |
| JIT_DISABLED | A SAML sign-in arrived for an unknown user, but JIT is off. | Invite the user explicitly, or re-enable JIT. |
