Set up SCIM user provisioning in Wispr Flow

Last updated: June 5, 2026

Available on: Web admin console for setup. Sign-in verification on Mac, Windows, and iOS.

Connect your identity provider to Wispr Flow so users are created, updated, and removed automatically — no manual provisioning. Setup takes about 10 minutes and applies to your whole organization.


Before you start

Confirm you have:

  • Org admin access in Wispr Flow, or the IT Admin role assigned by an org admin from the Team page.

  • An Enterprise plan. SSO settings — required to access SCIM — are Enterprise-only.

  • Admin access to your identity provider (Okta, Azure AD, OneLogin, or similar).

  • A complete admin profile in Flow. Your first name, last name, and email must all be filled in — SSO and SCIM setup will not start without them.

Note: The IT Admin role grants access to team, billing, and SSO management without using a paid dictation seat. IT Admin users cannot dictate with the Wispr Flow desktop app — they will see a sign-in screen offering only Sign Out or Open Admin Portal.

Warning: Enabling SCIM disables manual user management in Flow. Add user, Approve/Deny, invite, bulk invite, remove member, and revoke invitation actions are all blocked. All user changes must go through your identity provider.


How to set up SCIM provisioning

  1. Open the Wispr Flow admin console and go to SSO settings.

  2. Launch the admin portal from the SSO settings page.

  3. Navigate to the Directory Sync section in the admin portal.

  4. Select your identity provider (Okta, Azure AD, OneLogin, or similar) and enable Directory Sync.

  5. Map the following attributes as directed by the admin portal:

    1. Primary email (required)

    2. First name

    3. Last name

    4. Group or team assignments (optional)

  6. Wait for directory sync to activate. Once active, Flow is ready to process provisioning events.

  7. Assign a small pilot group of test users to the Wispr Flow application in your identity provider. They should appear in Flow's admin console within a few minutes — confirm they are listed before assigning the rest of your users.

Note: When directory sync activates, Flow imports any domains from your identity provider organization into the enterprise's allowed domain list. Existing users in your IdP are not backfilled — they are only provisioned as your IdP sends individual creation events, which usually happens when you assign users to the application.

Warning: Only fully deleting the directory sync in the admin portal will re-enable manual user management in Flow. Deactivating or pausing the connection has no effect. When the connection is deleted, existing memberships are preserved — no users are removed.


How to verify your provisioned account

Once your IT admin has set up SCIM, confirm your account synced correctly. Steps differ by platform.

Mac and Windows

  1. Open the Wispr Flow app.

  2. Click Sign in via browser to open authentication in your web browser.

  3. Choose your SSO sign-in method and enter your work email when prompted.

  4. Complete the SSO flow and return to the Flow app.

  5. Open your account or profile section and confirm your name and email match your identity provider. If they do, you're done.

iOS

  1. Open the Wispr Flow app.

  2. Tap More options, then select Continue with SSO.

  3. Enter your work email and complete the SSO flow.

  4. Open your account or profile section and confirm your name and email match your identity provider. If they do, you're done.

Note: If your name or email is out of sync, ask your IT admin to adjust SCIM mappings or your assignment in the identity provider.


Troubleshooting

Directory sync is not activating

If your identity provider is configured but users are not being provisioned, verify that:

  • Directory sync is enabled and active in the admin portal.

  • Your identity provider is correctly connected to the admin portal.

  • Your identity provider can reach Flow (no network or firewall blocks).

Users are not being created in Flow

Check that:

  • Automatic provisioning is enabled in the identity provider.

  • The app is assigned to the user or their group.

  • The email or username field is mapped correctly.

  • The user's email domain exactly matches a registered domain. A user at mail.example.com will not be provisioned if only example.com is registered — add the specific subdomain to your enterprise domains.

  • Your enterprise has not reached its seat cap. When the cap is reached, provisioning is blocked and no email invitation is sent. Increase your seat count or remove existing users, then reassign the user in your identity provider.

  • The user does not already belong to a different Wispr Flow enterprise. A user can only belong to one enterprise at a time and must be removed from their current one first.

User updates are not appearing in Flow

Check that:

  • Update provisioning is enabled in your identity provider (not just create and delete).

  • Attribute mappings include the fields you expect to update, such as first name and last name.

  • The user is still assigned to the app in your identity provider.

Deactivated users can still sign in

When users are removed via SCIM, their enterprise membership is removed but their Flow account is not deleted. If a removed user can still access enterprise resources, check that:

  • The deprovisioning event was sent by the identity provider.

  • The user was unassigned from the app (not just deactivated in a way that does not trigger a SCIM delete event).

  • Your identity provider reached Flow successfully.

  • SSO enforcement is enabled. Without it, users may still sign in via other methods after SCIM removal.

  • Your Enterprise subscription is active. SSO enforcement lapses if your subscription is past due or cancelled, even with enforcement turned on. Verify subscription status with billing.
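The provisioning and deprovisioning checklists above can be run as one reconciliation pass. This is an added example, not Wispr Flow code: it assumes you can export the list of emails assigned to the app in your identity provider and the member emails shown in Flow's admin console, and that you know your seat figures. All names and sample data are constructed.

```python
# Added example: reconcile IdP app assignments against Flow membership.
# Input lists, seat figures and reason codes are assumptions for illustration.

def domain_of(email):
    """Return the lower-cased domain, or None if the value is not an email."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain if sep and local and domain else None

def reconcile(idp_assigned, flow_members, registered_domains, seats_used, seat_cap):
    # Assumption: emails are compared case-insensitively.
    idp = {e.strip().lower() for e in idp_assigned}
    flow = {e.strip().lower() for e in flow_members}
    domains = {d.strip().lower() for d in registered_domains}
    seats_free = seat_cap - seats_used
    missing = {}
    for email in sorted(idp - flow):
        domain = domain_of(email)
        if domain is None:
            missing[email] = "MALFORMED_EMAIL"
        elif domain not in domains:   # exact match: subdomains are not inherited
            missing[email] = "DOMAIN_NOT_REGISTERED"
        elif seats_free <= 0:         # cap reached: blocked, no invitation sent
            missing[email] = "SEAT_CAP_REACHED"
        else:
            seats_free -= 1           # would fit; look at assignment and mappings
            missing[email] = "CHECK_ASSIGNMENT_OR_MAPPING"
    return {
        "not_provisioned": missing,
        # Members with no IdP assignment: accounts created manually before SCIM,
        # or a deprovisioning event that never reached Flow.
        "members_without_assignment": sorted(flow - idp),
    }

# Constructed sample data.
SAMPLE_IDP = ["Ana@example.com", "bo@mail.example.com", "cy@example.com",
              "dee@example.com", "not-an-email"]
SAMPLE_FLOW = ["ana@example.com", "old.contractor@example.com"]
SAMPLE_DOMAINS = ["example.com"]

if __name__ == "__main__":
    report = reconcile(SAMPLE_IDP, SAMPLE_FLOW, SAMPLE_DOMAINS,
                       seats_used=2, seat_cap=3)
    for email, reason in report["not_provisioned"].items():
        print(f"{email}: {reason}")
    print("review:", report["members_without_assignment"])
```

Entries under members_without_assignment are the ones to review first after offboarding, since they still hold enterprise membership with no matching assignment in the identity provider.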

Duplicate user accounts

Duplicates usually mean one of the following:

  • The user was created manually in Flow before SCIM was turned on.

  • The identity provider is sending a different email or username than the one already used in Flow.

  • The user signed up directly with a personal variant of their email before being provisioned.

Users receive email invitations instead of automatic provisioning

If SCIM provisioning hits a transient error, Flow falls back to sending an email invitation. The user can still join by clicking the link. This fallback does not apply when the enterprise seat cap is reached — in that case, no invitation is sent. If this happens repeatedly, contact support.

A user on iOS sees "Sign-in not allowed" and is signed out

This screen appears when a user tries to sign in from a network or location that your organization's IP allowlist does not permit. Flow automatically signs the user out and displays an explanation.

The user has two options on that screen:

  • Retry: connect to an approved network (such as your corporate VPN or office Wi-Fi), then tap Retry to attempt signing in again.

  • Sign Out: dismiss the blocked screen without signing in.

If users on approved networks are still seeing this screen, verify that their device's current IP address falls within your organization's configured allowlist ranges. This behavior is consistent with how the Mac and Windows apps handle IP allowlist restrictions.
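To check reported addresses against the allowlist in bulk, the following added example (not Wispr Flow code) sorts the public IPs of affected users into those inside and outside the configured ranges. It assumes the allowlist is written as CIDR ranges or single addresses; the ranges and reports are constructed from documentation address space.

```python
# Added example: triage "Sign-in not allowed" reports against allowlist ranges.
# Assumption: allowlist entries are CIDR ranges or single IPs (format not
# stated on this page). All addresses below are constructed samples.
import ipaddress

def parse_allowlist(entries):
    """Return (networks, invalid_entries); host bits in a range are tolerated."""
    networks, invalid = [], []
    for raw in entries:
        try:
            networks.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            invalid.append(raw)
    return networks, invalid

def normalize(ip_text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def triage(reports, allowlist_entries):
    networks, invalid = parse_allowlist(allowlist_entries)
    out = {"in_allowlist": [], "outside_allowlist": [],
           "invalid_allowlist_entries": invalid, "invalid_reports": []}
    for user, ip_text in reports:
        try:
            ip = normalize(ip_text)
        except ValueError:
            out["invalid_reports"].append(user)
            continue
        hit = any(ip.version == n.version and ip in n for n in networks)
        out["in_allowlist" if hit else "outside_allowlist"].append(user)
    return out

SAMPLE_ALLOWLIST = ["203.0.113.0/24", "198.51.100.17", "2001:db8:10::/48",
                    "203.0.113.0/33"]          # last entry is deliberately invalid
SAMPLE_REPORTS = [("ana", "203.0.113.40"), ("bo", "::ffff:203.0.113.41"),
                  ("cy", "192.0.2.9"), ("dee", "2001:db8:10:1::5"),
                  ("eve", "2001:db8:99::1"), ("fay", "not-an-ip")]

if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_REPORTS, SAMPLE_ALLOWLIST).items():
        print(bucket, values)
```

Users listed under in_allowlist were blocked despite matching a range and are the cases to escalate; those under outside_allowlist need an approved network or a new range.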


FAQs

What happens when a user is removed from the identity provider?

Their enterprise membership is removed and their directory sync link is cleared. Their Flow account is not deleted. If they are later re-provisioned, the existing account is re-associated with the enterprise.

Can users sign up for Flow directly when SCIM is enabled?

No. Users on SCIM-managed domains cannot self-register — they must be provisioned by the identity provider. Direct sign-up attempts are blocked.

How do SCIM-provisioned users sign in?

They sign in using whatever authentication methods your enterprise allows. If your enterprise also enforces SSO (a separate setting), users must sign in via SSO. SCIM provisioning alone does not enforce a specific sign-in method.

What role are SCIM-provisioned users assigned?

All SCIM-provisioned users are assigned the Member role. Role mapping from the identity provider is not currently supported, but admins can change roles directly in Flow. The IT Admin role is assigned through the Admin Portal only — it is not available in the desktop invite dialog.

Why does the welcome notification say "Your teammate" instead of a name?

"Your teammate" appears in the secondary billing notification when no inviter name is available. SCIM-provisioned users see this because the SCIM flow does not pass an inviter name. The primary welcome notification ("You are now a part of the team") is unaffected.

What happens if a directory group is deleted in the identity provider?

All users in that group are removed from Flow, and any pending invitations for those users are revoked.

Does SCIM affect billing?

Yes. Your seat count increases automatically as users are provisioned, which may increase your bill. Seat counts are not reduced immediately when users are removed — reductions happen during billing reconciliation cycles. Contact support to adjust seats manually if needed. IT Admin role members do not count toward paid seats.

Does the IP allowlist apply to iOS users?

Yes. iOS enforces the same IP allowlist restrictions as Mac and Windows. If a user signs in from a network not on your organization's approved list, they are signed out automatically and shown a "Sign-in not allowed" screen until they connect from an approved network.


Limitations and notes

  • SCIM provisioning is available on the Enterprise plan only.

  • Role mapping from the identity provider is not supported — all provisioned users start as Member.

  • A user can only belong to one Wispr Flow enterprise at a time.

  • Existing users in your IdP are not backfilled — users are provisioned only when your IdP sends individual creation events.

  • Seat counts increase automatically when users are provisioned. Reductions happen during billing reconciliation cycles, not immediately on removal.

  • Admins cannot demote themselves to Member — another admin must make that change.

  • While SCIM is enabled, manual user management is blocked in Flow. All adds and removes must go through your identity provider.

  • IP allowlist enforcement applies on Mac, Windows, and iOS. Users who sign in from a network not on the allowlist are signed out automatically and must connect from an approved network.


Still need help?

Contact Wispr Flow support if:

  • You cannot find SCIM settings but believe your plan should include them.

  • Users are created or removed in Flow without a matching change in your identity provider.

  • Users repeatedly receive email invitations instead of being provisioned automatically.

  • You've worked through the Troubleshooting section and the issue persists.

When you reach out, include your platform, identity provider, the affected user's email, and what you've already tried. To open a ticket, click Help in the Flow desktop sidebar and select Talk to support. On iOS, go to Menu → Talk to Support. On Android, open the navigation drawer and tap Report an issue.