mirror of https://github.com/zulip/zulip.git
68 lines
2.5 KiB
Markdown
68 lines
2.5 KiB
Markdown
# SCIM provisioning
|
|
|
|
Zulip has beta support for user provisioning and deprovisioning via
|
|
the SCIM protocol. In SCIM, a third-party SCIM Identity Provider (IdP)
|
|
acts as the SCIM client, connecting to the service provider (your Zulip
|
|
server).
|
|
|
|
See the [SCIM help center page](https://zulip.com/help/scim) for
|
|
documentation on SCIM in [Zulip Cloud](https://zulip.com) as well as
|
|
detailed documentation for how to configure some SCIM IdP providers.
|
|
|
|
Synchronizing groups via SCIM is currently not supported.
|
|
|
|
## Server configuration
|
|
|
|
The Zulip server-side configuration is straightforward:
|
|
|
|
1. Pick a client name for your SCIM client. This name is internal to
|
|
your Zulip configuration, so the name of your IdP provider is a
|
|
good choice. We'll use `okta` in the examples below.
|
|
1. First a SCIM client entry needs to be added to the database. Run
|
|
`manage.py add_scim_client <client name> -r <subdomain>`. For
|
|
example, if your organization is hosted on a subdomain
|
|
(`subdomain.zulip.example.com`):
|
|
|
|
```
|
|
/home/zulip/deployments/current/manage.py add_scim_client okta -r 'subdomain'
|
|
```
|
|
|
|
Or your organization is hosted on the root domain (`zulip.example.com`):
|
|
|
|
```
|
|
/home/zulip/deployments/current/manage.py add_scim_client okta -r ""
|
|
```
|
|
|
|
See the [management command documentation](./management-commands.md)
|
|
for details on how to run management commands.
|
|
|
|
1. Configure the Zulip server by adding a `SCIM_CONFIG` block to your
|
|
`/etc/zulip/settings.py`:
|
|
|
|
```
|
|
SCIM_CONFIG = {
|
|
"subdomain": {
|
|
"bearer_token": "<secret token>",
|
|
"scim_client_name": "okta",
|
|
"name_formatted_included": False,
|
|
}
|
|
}
|
|
```
|
|
|
|
The `bearer_token` should contain a secure, secret token that you
|
|
generate. You can use any secure password generation tools for this,
|
|
such as the `apg` command included by default in some Linux distributions.
|
|
For example, `apg -m20` will generate some passwords of minimum length 20
|
|
for you.
|
|
|
|
The SCIM IdP will authenticate its requests to your Zulip server by
|
|
sending a `WWW-Authenticate` header like this:
|
|
`WWW-Authenticate: Bearer <secret token>`. `name_formatted_included` needs to be set
|
|
to `False` for Okta. It tells Zulip whether the IdP includes
|
|
`name.formatted` in its `User` representation.
|
|
|
|
1. Now you can proceed to [configuring your SCIM IdP](https://zulip.com/help/scim).
|
|
Use the value `Bearer <secret token>` using the `bearer_token` you've generated
|
|
earlier as the `API token` that the SCIM IdP will ask for when configuring
|
|
authentication details.
|