# Ping Identity

> Learn how to set up automated SCIM user provisioning with Ping Identity for your Sketch Workspace, including user attributes, groups, and provisioning rules.

**URL:** https://www.sketch.com/docs/getting-started/single-sign-on/scim-provisioning/ping-identity/ | **Last updated:** 2026-04-01

---
This guide walks you through setting up SCIM provisioning with [Ping Identity](https://www.pingidentity.com/) for your Sketch Workspace. You’ll need SAML SSO configured before you begin — if you haven’t done that yet, follow the [Ping Identity SSO setup guide](/docs/getting-started/single-sign-on/setting-up-saml-sso/setup-identity-provider/ping-identity-setup/) first.

> **Note:** If you need help along the way, [contact us](/support/contact/?topic=enterprise&subject=other&summary=I%20need%20help%20setting%20up%20SSO%20or%20SCIM.%0A%0A---%0A%0AAdd%20any%20other%20details%20below%3A%0A) and we’ll help you out.

## 1. Create a custom user attribute

This step controls whether Sketch provisions users as Editors or Viewers. Make sure you’re in the same environment as your SAML app. You can verify this in the header breadcrumb.

1. Go to **Directory** > **User attributes**.
1. Click the blue **+** button, select **Declared**, and continue.
1. Enter `accessLevel` in the name field.
1. Enter **Access Level** as the display name.
1. Optionally, enter a description.
1. Select **Enumerated values** from the dropdown and add:
   - `editor`
   - `viewer`
1. Click **Save**.

![An image showing the custom user attribute form in PingOne with enumerated editor and viewer values](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-custom-attribute.png)

### Apply the attribute to users

Apply the Access Level attribute to the users who need access to Sketch.

1. Go to **Directory** > **Users**.
1. Select a user and click **Edit user**.
1. Scroll to the bottom and click **+Add** in the Custom attributes section.
1. Select the Access Level attribute and set the value to `editor` or `viewer`.

> **Note:** We’ll provision users without a custom attribute value as **Viewers**.

![An image showing the Edit User form in PingOne with a custom Access Level attribute applied](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-apply-attribute.png)

## 2. Create user groups

User groups control who has access to Sketch. You’ll assign these groups to your SAML app in the next step.

1. Go to **Directory** > **Groups**.
1. Click the blue **+** button.
1. Enter a descriptive name — for example, `Sketch-viewers` or `Sketch-editors`.
1. Add the required members to each group.

![An image showing the Groups page in PingOne with Sketch editor and viewer groups listed](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-create-groups.png)

### Assign groups to the SAML app

By default, all users in your directory can sign in to Sketch. Assigning groups lets you limit access to specific users.

1. Go to **Applications** > **Applications**.
1. Click the SAML app you configured for Sketch.
1. Go to the **Access** tab and click **Edit**.
1. Select your Editors and Viewers groups and save.

> **Note:** If you don’t assign any groups, all users in your directory can sign in to Sketch. We’ll add them as Viewers by default.

![An image showing the Access tab in PingOne with Sketch groups assigned to the SAML app](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-assign-groups.png)

## 3. Set up SCIM provisioning

Before you start, get the SCIM Base URL and token from your Sketch Workspace:

1. Open the web app and go to **Settings** > **[Single Sign-on](/workspace/settings/sso)**.
1. Click **Enable SCIM**.
1. Have the **SCIM Base URL** and **SCIM token** ready.

### Create a provisioning connection

1. Go to **Integrations** > **Provisioning**.
1. Click the blue **+** button and select **New Connection**.
1. Select **SSO Identity Store**.
1. Search for "scim" and select **SCIM outbound**.
1. Enter a name and an optional description.
1. Paste the **SCIM Base URL** from your Sketch Workspace.
1. Set **Authentication method** to **OAuth 2 Bearer Token** and paste the SCIM token.
1. Test the connection. If it’s successful, move on to configure connection preferences.

![An image showing the new SCIM outbound connection form in PingOne with the base URL and token fields](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-provisioning-connection.png)

### Configure connection preferences

1. Select a user identifier:
   - Choose **userName** if your users sign in with their email address.
   - Choose **workEmail** if they use a separate username.
1. Paste the following value in the **Custom Attribute Schema URN** field:

   ```
   urn:ietf:params:scim:schemas:extension:sketch:1.0:User
   ```

1. Enable the following options:
   - **Enable users creation**
   - **Enable users updation** (Ping Identity’s label for user updates, including **Enable users disable**)
   - **Enable users deprovision**
1. In **Remove Action**, select **Delete**.
1. Save, then enable the connection.

![An image showing the connection preferences form in PingOne with the custom schema URN and provisioning options enabled](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-connection-preferences.png)

## 4. Configure provisioning rules

Create two rules — one for Editors, one for Viewers. The Editors rule needs an extra attribute mapping in step 6. Skip that step for the Viewers rule.

1. Click the blue **+** button and select **New Rule**.
1. Select **PingOne as source**.
1. Select the connection you created and continue.
1. Name the rule — for example, `Sketch-editors` or `Sketch-viewers`.
1. Add a user filter:
   - Select `Group names` in the **Attribute** field.
   - Click the value field and select the group that matches the rule.

![An image showing the Edit User Filter dialog in PingOne with Group Names set to contain the Sketch viewers group](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-user-filter.png)

1. For the **Editors rule**, map the `accessLevel` attribute:
   - Click **+Add**.
   - Select `accessLevel` in the left column and `roles` in the right column.

![An image showing the attribute mapping for the Editors provisioning rule in PingOne](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-attribute-mapping.png)

1. Click **Save**.

## 5. Enable provisioning rules

Enable the provisioning rules for both Editors and Viewers. User syncing starts shortly after — give it a few minutes, then check your Sketch Workspace to confirm provisioning worked correctly.

![An image showing the enabled provisioning rules for Sketch in PingOne](https://cdn.sketch.com/docs/sso/ping-identity-scim-bg-enable-rules.png)

## Considerations

- If you reach your Editor seat limit, Ping Identity will still provision the user, but we’ll add them as a Viewer to avoid unwanted extra charges.
- If you disable a user, we’ll remove them from the Workspace. Any documents in their **My Drafts** folder will move to a restricted folder that Workspace Admins can access.