2.9 KiB
SCIM provisioning
SCIM (System for Cross-domain Identity Management) is an standard protocol used by Single Sign-On (SSO) services and identity providers to provision/deprovision user accounts and groups. Zulip's SCIM integration is currently beta and has a few limitations:
- Provisioning Groups is not yet implemented.
- It has only been fully tested and documented with Okta.
The instructions below explain how to configure SCIM in Okta for Zulip Cloud customers. Like SAML, feature is currently only available in Zulip Cloud with the Zulip Cloud Plus plan.
These instructions can also be used by self-hosters to setup the Okta side of SCIM for their deployment.
Configure SCIM with Okta
-
Before you begin, contact email support to receive the bearer token that Okta will use to authenticate to make its SCIM requests.
-
In your Okta Dashboard, go to
Applications
and chooseBrowse App Catalog
. -
Search for
SCIM
and selectSCIM 2.0 Test App (Header Auth)
. -
Click
Add
and choose yourApplication label
. For example, you can name itZulip SCIM
. -
Continue to
Sign-On Options
. Leave theSAML
options, as this type of Okta application doesn't actually supportSAML
authentication, and you'll need to set up a separate Okta app to activateSAML
for your Zulip organization. -
In
Credentials Details
, setApplication username format
toEmail
andUpdate application username on
toCreate and update
. -
The Okta app has been added. Navigate to the
Provisioning
tab. -
Click
Configure API Integration
and check theEnable API integration
box. Okta will ask you for theBase URL
andAPI token
. TheBase URL
should beyourorganization.zulipchat.com/scim/v2
and forAPI token
you'll set the value given to you by support. When you proceed to the next step, Okta will verify that these details are correct by making a SCIM request to the Zulip server. -
In the
To App
section of theProvisioning
tab (which should be opened by default when you continue from the previous step), edit theProvisioning to App
settings to enableCreate Users
,Update User Attributes
andDeactivate Users
. -
In
Attribute Mappings
, remove all attributes exceptuserName
,givenName
andfamilyName
. -
Now the integration should be ready and you can
Assign
users to the app to configure their Zulip accounts to be managed by SCIM. When you assign a user, Okta will check if the account exists in your Zulip organization and if it doesn't, the account will be created. Changes to the user's email or name in Okta will automatically cause the Zulip account to be updated accordingly. Unassigning a user from the app will deactivate their Zulip account.
If you want to also set up SAML authentication, head to our SAML configuration instructions. It will require adding a separate Okta application.