zulip/docs/production/scim.md

68 lines
2.5 KiB
Markdown

# SCIM provisioning
Zulip has beta support for user provisioning and deprovisioning via
the SCIM protocol. In SCIM, a third-party SCIM Identity Provider (IdP)
acts as the SCIM client, connecting to the service provider (your Zulip
server).
See the [SCIM help center page](https://zulip.com/help/scim) for
documentation on SCIM in [Zulip Cloud](https://zulip.com) as well as
detailed documentation for how to configure some SCIM IdP providers.
Synchronizing groups via SCIM is currently not supported.
## Server configuration
The Zulip server-side configuration is straightforward:
1. Pick a client name for your SCIM client. This name is internal to
your Zulip configuration, so the name of your IdP provider is a
good choice. We'll use `okta` in the examples below.
1. First a SCIM client entry needs to be added to the database. Run
`manage.py add_scim_client <client name> -r <subdomain>`. For
example, if your organization is hosted on a subdomain
(`subdomain.zulip.example.com`):
```bash
/home/zulip/deployments/current/manage.py add_scim_client okta -r 'subdomain'
```
Or your organization is hosted on the root domain (`zulip.example.com`):
```bash
/home/zulip/deployments/current/manage.py add_scim_client okta -r ""
```
See the [management command documentation](./management-commands.md)
for details on how to run management commands.
1. Configure the Zulip server by adding a `SCIM_CONFIG` block to your
`/etc/zulip/settings.py`:
```python
SCIM_CONFIG = {
"subdomain": {
"bearer_token": "<secret token>",
"scim_client_name": "okta",
"name_formatted_included": False,
}
}
```
The `bearer_token` should contain a secure, secret token that you
generate. You can use any secure password generation tools for this,
such as the `apg` command included by default in some Linux distributions.
For example, `apg -m20` will generate some passwords of minimum length 20
for you.
The SCIM IdP will authenticate its requests to your Zulip server by
sending a `WWW-Authenticate` header like this:
`WWW-Authenticate: Bearer <secret token>`. `name_formatted_included` needs to be set
to `False` for Okta. It tells Zulip whether the IdP includes
`name.formatted` in its `User` representation.
1. Now you can proceed to [configuring your SCIM IdP](https://zulip.com/help/scim).
Use the value `Bearer <secret token>` using the `bearer_token` you've generated
earlier as the `API token` that the SCIM IdP will ask for when configuring
authentication details.