Manage Users with SCIM Provisioning
Published 06 June 2024
This feature is in early access
Access to this feature is limited to a small number of customers while we continue to develop Automatic License Provisioning. Contact us if you're interested in joining the early access program (EAP).
SCIM automatically syncs users and groups from your identity provider with Redgate, supporting automation of license management in the Portal.
Once enabled:
- The names and emails of users selected during the setup process will be synced.
- The names and members of groups selected during setup will also be synced.
- Future changes to these users and groups will be pushed to Redgate.
- Synchronized users and groups will be visible in the Portal.
- License automation through provisioning rules will be enabled in the Portal.
For more information about the SCIM protocol, see https://scim.cloud/.
Prerequisites
- Customers who have configured SSO can use this service. If you have not done so already, instructions for how to set up SSO for your identity provider are provided here.
- The service is compatible with most of the SCIM protocol and has been tested against Microsoft Entra ID. Other identity providers should work.
- You will need to be sufficiently privileged to configure SCIM in your identity provider, as well as be able to add a TXT record to your domain's DNS entry to prove ownership. If you do not have these rights, please pass this documentation to a colleague who does.
- The IDs for users must be stable and consistent between your SSO and SCIM configuration. That is, the OIDC sub claim value returned via SSO for a user must match the externalId attribute value SCIM provides for them.
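The last prerequisite is the one most often broken by a misconfigured IdP attribute mapping. The following added example (not Redgate's code) reconciles a SCIM 2.0 ListResponse of User resources against the OIDC claims seen at SSO login and reports any user whose externalId does not match their sub claim; both inputs are constructed samples, and the emails, IDs and function names are assumptions for illustration.

```python
import json

# Constructed sample: User resources as an IdP's SCIM client would send them
# to the tenant URL (standard SCIM 2.0 ListResponse and User schema fields).
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
         "externalId": "a1b2c3d4-0000-0000-0000-000000000001",
         "userName": "alice@example.com",
         "emails": [{"value": "alice@example.com", "primary": True}],
         "active": True},
        {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
         "externalId": "a1b2c3d4-0000-0000-0000-000000000002",
         "userName": "bob@example.com",
         "emails": [{"value": "bob@example.com", "primary": True}],
         "active": True},
    ],
})

# Constructed sample: the sub and email claims each user's OIDC ID token
# carried when they signed in via SSO. Bob's sub does not match his externalId.
OIDC_CLAIMS = [
    {"sub": "a1b2c3d4-0000-0000-0000-000000000001", "email": "alice@example.com"},
    {"sub": "ffffffff-0000-0000-0000-00000000beef", "email": "bob@example.com"},
]

def primary_email(user):
    """Return the SCIM user's primary email, falling back to userName."""
    for e in user.get("emails", []):
        if e.get("primary"):
            return e["value"].lower()
    return user.get("userName", "").lower()

def reconcile(scim_json, oidc_claims):
    """Join SCIM users to OIDC claims by email and return (email, externalId, sub)
    for every user the two identifiers would NOT recognise as the same person."""
    sub_by_email = {c["email"].lower(): c["sub"] for c in oidc_claims}
    mismatches = []
    for user in json.loads(scim_json)["Resources"]:
        email = primary_email(user)
        sub = sub_by_email.get(email)  # None if the user never signed in via SSO
        if sub is None or sub != user.get("externalId"):
            mismatches.append((email, user.get("externalId"), sub))
    return mismatches

if __name__ == "__main__":
    for email, ext_id, sub in reconcile(SCIM_LIST_RESPONSE, OIDC_CLAIMS):
        print(f"{email}: SCIM externalId={ext_id} but OIDC sub={sub}")
```

A non-empty result means SSO logins and SCIM-provisioned accounts will not line up for those users, so the IdP's externalId mapping (or the sub claim source) needs correcting before enabling provisioning rules.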
How to set up SCIM
If you are using Microsoft Entra ID, see Configuring SCIM with Microsoft Entra ID for a detailed walkthrough with screenshots.
To generate a token for SCIM:
- Navigate to https://ssoadmin.red-gate.com/settings.
- Press the Setup SCIM button and then press Continue to get past the initial screen.
- Enter a name for the token and press Generate Token.
- Copy out the Tenant URL and Secret Token. The secret token should be considered sensitive and should be revoked if leaked.
Revoking a SCIM Token
The tokens generated in step 2 are sensitive and should be revoked if leaked. There are two ways to revoke these tokens. Note that revoking a token still in use by your IdP will interrupt SCIM syncing, although it will not affect already-synced users and groups.
Revoking a known token
If you know the value of a token, it can be revoked using https://ssoadmin.red-gate.com/userdirectory/tokens/revoke. This does not require any permissions or DNS entry change, so it is useful if you come across a token value that you shouldn't have access to.
Revoking tokens in your organization
Generated tokens are listed at https://ssoadmin.red-gate.com/userdirectory/tokens and can be revoked from this page.