Ping Identity

This guide walks you through setting up SCIM provisioning with Ping Identity for your Sketch Workspace. You’ll need SAML SSO configured before you begin — if you haven’t done that yet, follow the Ping Identity SSO setup guide first.

If you need help along the way, contact us and we’ll help you out.

1. Create a custom user attribute

This step controls whether Sketch provisions users as Editors or Viewers. Make sure you’re in the same environment as your SAML app. You can verify this in the header breadcrumb.

  1. Go to Directory > User attributes.
  2. Click the blue + button, select Declared, and continue.
  3. Enter accessLevel in the name field.
  4. Enter Access Level as the display name.
  5. Optionally, enter a description.
  6. Select Enumerated values from the dropdown and add:
    • editor
    • viewer
  7. Click Save.
An image showing the custom user attribute form in PingOne with enumerated editor and viewer values

Apply the attribute to users

Apply the Access Level attribute to the users who need access to Sketch.

  1. Go to Directory > Users.
  2. Select a user and click Edit user.
  3. Scroll to the bottom and click +Add in the Custom attributes section.
  4. Select the Access Level attribute and set the value to editor or viewer.

We’ll provision users without a custom attribute value as Viewers.

An image showing the Edit User form in PingOne with a custom Access Level attribute applied

2. Create user groups

User groups control who has access to Sketch. You’ll assign these groups to your SAML app in the next step.

  1. Go to Directory > Groups.
  2. Click the blue + button.
  3. Enter a descriptive name — for example, Sketch-viewers or Sketch-editors.
  4. Add the required members to each group.
An image showing the Groups page in PingOne with Sketch editor and viewer groups listed

Assign groups to the SAML app

By default, all users in your directory can sign in to Sketch. Assigning groups lets you limit access to specific users.

  1. Go to Applications > Applications.
  2. Click the SAML app you configured for Sketch.
  3. Go to the Access tab and click Edit.
  4. Select your Editors and Viewers groups and save.

If you don’t assign any groups, all users in your directory can sign in to Sketch. We’ll add them as Viewers by default.

An image showing the Access tab in PingOne with Sketch groups assigned to the SAML app

3. Set up SCIM provisioning

Before you start, get the SCIM Base URL and token from your Sketch Workspace:

  1. Open the web app and go to Settings > Single Sign-on.
  2. Click Enable SCIM.
  3. Have the SCIM Base URL and SCIM token ready.

Create a provisioning connection

  1. Go to Integrations > Provisioning.
  2. Click the blue + button and select New Connection.
  3. Select SSO Identity Store.
  4. Search for “scim” and select SCIM outbound.
  5. Enter a name and an optional description.
  6. Paste the SCIM Base URL from your Sketch Workspace.
  7. Set Authentication method to OAuth 2 Bearer Token and paste the SCIM token.
  8. Test the connection. If it’s successful, move on to configure connection preferences.
An image showing the new SCIM outbound connection form in PingOne with the base URL and token fields

Configure connection preferences

  1. Select a user identifier:
    • Choose userName if your users sign in with their email address.
    • Choose workEmail if they use a separate username.
  2. Paste the following value in the Custom Attribute Schema URN field:

    urn:ietf:params:scim:schemas:extension:sketch:1.0:User
    
  3. Enable the following options:
    • Enable users creation
    • Enable users updation (Ping Identity’s label for user updates, including Enable users disable)
    • Enable users deprovision
  4. In Remove Action, select Delete.
  5. Save, then enable the connection.
An image showing the connection preferences form in PingOne with the custom schema URN and provisioning options enabled

4. Configure provisioning rules

Create two rules — one for Editors, one for Viewers. The Editors rule needs an extra attribute mapping in step 6. Skip that step for the Viewers rule.

  1. Click the blue + button and select New Rule.
  2. Select PingOne as source.
  3. Select the connection you created and continue.
  4. Name the rule — for example, Sketch-editors or Sketch-viewers.
  5. Add a user filter:
    • Select Group names in the Attribute field.
    • Click the value field and select the group that matches the rule.
An image showing the Edit User Filter dialog in PingOne with Group Names set to contain the Sketch viewers group
  6. For the Editors rule, map the accessLevel attribute:
    • Click +Add.
    • Select accessLevel in the left column and roles in the right column.
An image showing the attribute mapping for the Editors provisioning rule in PingOne
  7. Click Save.

5. Enable provisioning rules

Enable the provisioning rules for both Editors and Viewers. User syncing starts shortly after — give it a few minutes, then check your Sketch Workspace to confirm provisioning worked correctly.

An image showing the enabled provisioning rules for Sketch in PingOne

Considerations

  • If you reach your Editor seat limit, Ping Identity will still provision the user, but we’ll add them as a Viewer to avoid unwanted extra charges.
  • If you disable a user, we’ll remove them from the Workspace. Any documents in their My Drafts folder will move to a restricted folder that Workspace Admins can access.
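
To confirm that provisioning produced the roles you intended, you can compare the role each directory user should receive under the rules above with what the Workspace shows. The following is an added example, not code from Sketch or Ping Identity. The group names are the example names from step 2, the user records and observed roles are constructed sample data, and the handling of a mapped viewer value and of the Viewers rule ignoring accessLevel are assumptions drawn from this guide.

```python
EDITORS_GROUP = "Sketch-editors"  # example group names from step 2
VIEWERS_GROUP = "Sketch-viewers"

def expected_role(user):
    """Return (role, note); role is 'editor', 'viewer', 'ambiguous' or None."""
    groups = set(user.get("groups", []))
    level = user.get("accessLevel")  # custom attribute from step 1; may be unset
    in_editors, in_viewers = EDITORS_GROUP in groups, VIEWERS_GROUP in groups
    if not (in_editors or in_viewers):
        return None, "matches neither rule filter, so no rule provisions this user"
    if in_editors and in_viewers:
        return "ambiguous", "member of both groups; the guide defines no precedence"
    if in_editors:
        if level == "editor":
            return "editor", ""
        # Assumption: a mapped 'viewer' value, or a missing value, yields Viewer.
        return "viewer", f"in {EDITORS_GROUP} but accessLevel={level!r}"
    # Assumption: the Viewers rule has no accessLevel mapping, so the value is ignored.
    note = "accessLevel='editor' is not mapped by the Viewers rule" if level == "editor" else ""
    return "viewer", note

def audit(users, observed, editor_seats):
    """Compare expected roles with roles seen in the Workspace; return findings."""
    findings, editors = [], 0
    for user in users:
        role, note = expected_role(user)
        name = user["userName"]
        editors += role == "editor"
        if note:
            findings.append(f"{name}: {note}")
        seen = observed.get(name)
        if role in ("editor", "viewer") and seen != role:
            findings.append(f"{name}: expected {role}, Workspace shows {seen}")
        if role is None and seen is not None:
            findings.append(f"{name}: in Workspace as {seen} without a matching group")
    if editors > editor_seats:
        findings.append(f"{editors} editors expected, {editor_seats} seats: extras become Viewers")
    return findings

# Constructed sample data (not real accounts).
USERS = [
    {"userName": "ana@ex.test", "groups": ["Sketch-editors"], "accessLevel": "editor"},
    {"userName": "bo@ex.test", "groups": ["Sketch-editors"]},
    {"userName": "cy@ex.test", "groups": ["Sketch-viewers"], "accessLevel": "editor"},
    {"userName": "di@ex.test", "groups": []},
]
OBSERVED = {"ana@ex.test": "editor", "bo@ex.test": "viewer", "cy@ex.test": "viewer", "di@ex.test": "viewer"}

if __name__ == "__main__":
    print("\n".join(audit(USERS, OBSERVED, editor_seats=5)))
```

A user who appears in the Workspace without belonging to either group usually means no groups were assigned to the SAML app, so anyone in the directory can still sign in as a Viewer.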