paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-24 08:33:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7.0-beta2-branch
zulip/help/scim.md
Lauryn Menard dedea23745 help-docs: Move help center documentation to top level directory. 
These files are not Jinja2 templates, so there's no reason that they needed
to be inside `templates/zerver`. Moving them to the top level reflects their
importance and also makes it feel nicer to work on editing the help center content, 
without it being unnecessary buried deep in the codebase.
2023-01-25 14:08:29 -08:00

91 lines
3.4 KiB
Markdown
Raw Permalink Blame History

# SCIM provisioning
{!admin-only.md!}
SCIM (System for Cross-domain Identity Management) is a standard
protocol used by Single Sign-On (SSO) services and identity providers
to provision/deprovision user accounts and groups. Zulip supports SCIM
integration, both in Zulip Cloud and for [self-hosted](/self-hosting/)
Zulip servers. This page describes how to configure SCIM provisioning
for Zulip.
Zulip's SCIM integration has the following limitations:
* Provisioning Groups is not yet implemented.
* While Zulip's SCIM integration is generic, it has has only been
fully tested and documented with Okta's SCIM provider, and it is
possible minor adjustments may be required. [Zulip
support](/help/contact-support) is happy to help customers configure
this integration with SCIM providers that do not yet have detailed
self-service documentation on this page.
!!! warn ""
Zulip Cloud customers who wish to use SCIM integration must upgrade to
the Zulip Cloud Plus plan. Contact
[support@zulip.com](mailto:support@zulip.com) for plan benefits and pricing.
## Configure SCIM
{start_tabs}
{tab|okta}
{!upgrade-to-plus-if-needed.md!}
1. Contact [support@zulip.com](mailto:support@zulip.com) to request the
**Bearer token** that Okta will use to authenticate to your SCIM API.
1. In your Okta Dashboard, go to **Applications**, and select
**Browse App Catalog**.
1. Search for **SCIM** and select **SCIM 2.0 Test App (Header Auth)**.
1. Click **Add** and choose your **Application label**. For example, you can
name it "Zulip SCIM".
1. Continue to **Sign-On Options**. Leave the **SAML** options as they are.
This type of Okta application doesn't actually support SAML authentication,
and you'll need to set up a separate Okta app to activate SAML for your Zulip
organization.
1. In **Credentials Details**, specify the following fields:
* **Application username format**: `Email`
* **Update application username on**: `Create and update`
1. In the **Provisioning** tab, click **Configure API Integration**, check the
**Enable API integration** checkbox, and specify the following fields:
* **Base URL**: `yourorganization.zulipchat.com/scim/v2`
* **API token**: `Bearer token` (given to you by Zulip support)
When you proceed to the next step, Okta will verify that these details are
correct by making a SCIM request to the Zulip server.
1. Enable the following **Provisioning to App** settings:
* **Create Users**
* **Update User Attributes**
* **Deactivate Users**
1. Remove all attributes in **Attribute Mappings**, _except_ for the following:
* **userName**
* **givenName**
* **familyName**
1. Now that the integration is ready to manage Zulip user accounts, **assign**
users to the SCIM app.
* When you assign a user, Okta will check if the account exists in your
Zulip organization. If it doesn't, the account will be created.
* Changes to the user's email or name in Okta will automatically cause the
Zulip account to be updated accordingly.
* Unassigning a user from the app will deactivate their Zulip account.
{end_tabs}
!!! tip ""
Once SCIM has been configured, consider also [configuring SAML](/help/saml-authentication).
## Related articles
* [SAML authentication](/help/saml-authentication)
* [Getting your organization started with Zulip](/help/getting-your-organization-started-with-zulip)
Reference in New Issue View Git Blame Copy Permalink