Introduction to SSO and provisioning

Summary

SSO and provisioning are processes that can help you manage employee data at Millie. If you are a company admin, this document will help you decide whether you need these extra features, and explain how to use them.

Manual employee management

First, let's recap Millie's base functionality, which we will call manual employee management. Anyone can join Millie and use it to send gifts or make donations, but only your employees should have access to your company's matching program, volunteer sign-ups, and so on. That's why you need an up-to-date employee list in the Millie Employees page:

image

When managing employees manually, you must create, edit, and eventually deactivate every employee record by interacting with this page:

  • You create new employees with the Add Employees dialog, which lets you type the details of a single new record, or upload a batch of them as a CSV file. Employees created this way receive an invitation email with a link to the Millie app. After following the link, they are prompted to enter a new, Millie-specific password.
  • As employees leave your company, you must find each record in the Employees page and deactivate it with the View/Edit dialog. Until you do this, the user will continue to have access to your company's giving programs.

SSO and JIT provisioning

This manual process works well if you don't have too many employees, but larger companies will want to automate these tasks. SSO, or single sign-on, simplifies the login process for the employee, and saves you time by causing Millie employee records to be created automatically when an employee logs in for the first time. That last part is called JIT, or Just-In-Time, provisioning. Though its name includes the word 'provisioning', this feature is built into SSO; it is not part of the SCIM provisioning we are going to talk about later. Millie implements SSO with a technology called SAML; sometimes you will see SAML used as a synonym for SSO.

SSO relies on a centralized repository of employee data called an identity provider, or IdP. Okta and Azure are two such providers, and there are many others. These are paid services, external to Millie, but your company may already have one.

If your company does have an IdP, your HR or IT staff are already using it to create and update employee data during your onboarding and offboarding processes; you just need to share a portion of that data with Millie. That is done by adding a Millie app integration to the IdP. Your IT staff will handle this; detailed integration guides are listed here.

When Millie is integrated into your IdP, your employees will have two ways to access the Millie app: through an SP-initiated login, or an IdP-initiated login.

SP-initiated logins

SP stands for service provider, which is the business or app that is asking your employee to prove their identity. Millie is the SP in this context. In an SP-initiated login, the login process starts at Millie:

  1. Your employee visits the Millie app. If they have not logged in recently, Millie displays the main login page:
     image
  2. The employee clicks Sign in with SSO, which directs them to Millie's SSO login page:
     image
  3. The employee enters their email address. They do not give their password to Millie.
  4. Millie sends the employee to a login page at your IdP's website:
     image
  5. If your employee has logged into the IdP recently, it immediately returns them to the Millie app, with full access to their account.
  6. If the IdP is not sure of the employee's identity, it will ask for the employee's email address, plus a password, an authentication code, or other proof of identity. By configuring the IdP, your company decides what proof is sufficient for Millie and all other services.
  7. If the IdP accepts the employee's login, it returns them to Millie with full access, as before.

When the IdP returns an employee to Millie after an SSO login, it sends their email address plus their first and last name to the Millie app. If Millie does not recognize the address, it automatically creates a new employee record before letting them in. This is the JIT provisioning we mentioned earlier. If Millie does recognize the address, it will update the employee's name, if that data changed on the IdP side.

IdP-initiated logins

Instead of beginning with a visit to the Millie app, IdP-initiated logins start at the IdP:

  1. Your employee visits your IdP's website. As before, the IdP grants them access if it already trusts them, or it first asks for their email address, plus a password or other proof of identity.
  2. After establishing their identity, the IdP displays a list of app integrations to the employee. The Millie integration will be one of these:
     image
  3. The employee clicks the Millie integration icon, and is immediately transferred to the Millie app, with full access to their account, without logging in again.

As before, Millie also creates or updates the employee record when the IdP sends the logged-in employee to the Millie app.

SSO advantages

In both SP- and IdP-initiated logins:

  • One password and one login grant access to Millie and all other services you have chosen to integrate with your IdP. If the employee loses their password, one support request restores access to Millie and all those services.
  • Thanks to JIT provisioning, it is no longer necessary to create most employee accounts manually. It is still necessary to deactivate employees manually, however. To automate that task, you must enable SCIM provisioning, described below.

By the way, you might have a few employees who cannot use SSO for some reason. If so, you can still create and manage their employee records manually, and they can log in with Millie-specific passwords, even while your other employees use SSO.

To enable SSO, direct your IT staff to Millie's SAML setup guides.

SCIM provisioning

JIT provisioning automates some of your employee management tasks, but again: it does not deactivate employees in Millie, even when they are deactivated in the IdP. To automate deactivation, your company must enable SCIM provisioning. Rather than waiting for an employee to log in (as SSO does), this process updates Millie employee records as soon as the data is created or changed in the IdP. This means all your employees appear in the Millie Employees page in one large batch, rather than a few at a time as they log in. It also means that inactive employees will be excluded from your company's programs, immediately and automatically, as your HR or IT staff deactivate them in the IdP. SCIM is a specific provisioning technology, but sometimes you will see it used as a general synonym for this type of provisioning.

IdPs like Okta and Azure use the same employee data to implement both SSO and provisioning, so enabling SCIM incurs no additional upkeep on your side. At Millie, you do not have to enable SCIM to use SSO, but you must enable SSO to use SCIM, and you must use the same IdP for both.

Your IT staff enables SCIM provisioning by extending the same IdP app integration you used to enable SSO. Detailed integration guides are listed here.

SCIM provisioning advantages

Because employees are provisioned in bulk, and deactivated automatically:

  • You will seldom need to perform any sort of manual employee management when SCIM is enabled.
  • The Millie launch email will be sent to all employees automatically, without the need for a bulk CSV import.
  • Employee engagement metrics will be more accurate, since the Millie app will have the correct count of eligible employees.

SCIM-linked employees

If you need to, you can continue to create and manage some employee records manually (as long as their email addresses do not use the same domain as your SSO employees — see below) even while other employees use SSO and SCIM. You can also create and manage employees manually for a time, and then switch to SCIM at a later date. Also, you are never locked in to SSO or SCIM; you can use them for a time and then disable them, managing employees manually thereafter.

Millie uses the employee email address to identify each person uniquely. If you create an employee manually, you will be able to edit that employee manually until Millie receives SCIM provisioning data from your IdP that matches that employee's email address. Once that happens, the employee is said to be SCIM-linked. When SCIM is enabled, the SCIM-link status of each record is displayed in a SCIM column within the Employees page:

image

SCIM-linked employees cannot be activated or deactivated manually, nor can their name data be changed manually; instead, you are expected to make those changes in the IdP. This ensures that Millie stays in sync with your IdP data. If you use SCIM, most or all of your employee records will probably be SCIM-linked. If you disable it later, you will regain the ability to manage those records manually.
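The following is an added example, not Millie's own code, that models the record rules described in this article: JIT provisioning on SSO login (create if unknown, otherwise refresh the name), SCIM pushes that link a record and carry its active status, manual activation changes that are refused for SCIM-linked records, and unlinking when SCIM is disabled. The class and method names, and the case-insensitive email match, are assumptions.

```python
"""Toy model of the employee-record rules in this article (constructed
example; class and method names are assumed, not Millie's API)."""
from dataclasses import dataclass


@dataclass
class Employee:
    email: str
    first: str
    last: str
    active: bool = True
    scim_linked: bool = False   # set once SCIM data matched this email


class Directory:
    def __init__(self):
        # email is the unique key; lower-casing it is an assumption
        self.records = {}

    def jit_provision(self, email, first, last):
        """SSO login: create the record if unknown, else refresh the name.
        Never touches active status or SCIM-link state."""
        key = email.lower()
        emp = self.records.get(key)
        if emp is None:
            emp = Employee(key, first, last)
            self.records[key] = emp
        else:
            emp.first, emp.last = first, last
        return emp

    def scim_upsert(self, email, first, last, active):
        """SCIM push from the IdP: same upsert, then mark the record linked
        and apply the IdP's active flag without waiting for a login."""
        emp = self.jit_provision(email, first, last)
        emp.active = active
        emp.scim_linked = True
        return emp

    def manual_set_active(self, email, active):
        """View/Edit dialog: refused while the record is SCIM-linked."""
        emp = self.records[email.lower()]
        if emp.scim_linked:
            raise PermissionError("SCIM-linked: change this in the IdP")
        emp.active = active
        return emp

    def disable_scim(self):
        """Turning SCIM off unlinks every record; manual management resumes."""
        for emp in self.records.values():
            emp.scim_linked = False
```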

Whether linked or not:

  • It is always possible to view employee data with the View/Edit dialog in the Employees page, or to use that dialog to Resend Invite.
  • You will continue to use the Change Role dialog to manage permissions for admins and other staff with special Millie privileges.

To enable SCIM, direct your IT staff to Millie's SCIM setup guides.