Authentication

Manage Users with SCIM Provisioning

Page last updated 26 September 2024

This feature is in early access

Access to this feature is limited to a small number of customers while we continue to develop Automatic License Provisioning. Contact us if you're interested in joining the early access program (EAP).

SCIM automatically syncs users and groups from your identity provider with Redgate, supporting automation of license management in the Portal.

Once enabled:

  • The names and emails of users selected during the set up process will be synced.
  • The names and members of groups selected during set up will also be synced.
  • Future changes to these users and groups will be pushed to Redgate.
  • Synchronized users and groups will be visible in the Portal.
  • License automation through provisioning rules will be enabled in the Portal.

For more information about the SCIM protocol, see https://scim.cloud/.

Prerequisites

  • Customers who have configured SSO can use this service. If you have not done so already, instructions for how to set up SSO for your identity provider are provided here
  • The service is compatible with most of the SCIM protocol and has been tested against Microsoft Entra ID. Other identity providers should work.
  • You will need to be sufficiently privileged to configure SCIM in your identity provider, as well as be able to add a TXT record to your domain's DNS entry to prove ownership. If you do not, please refer this documentation to a colleague who does.
  • The IDs for users must be stable and consistent between your SSO and SCIM configuration. i.e. the OIDC sub claim value returned via SSO for a user must match the externalId attribute value SCIM provides for them.

How to set up SCIM

If you are using Microsoft Entra ID, see Configuring SCIM with Microsoft Entra ID for a detailed walkthrough with screenshots.


To generate a token for SCIM:

  1. Navigate to https://ssoadmin.red-gate.com/settings.
  2. Press the Setup SCIM button and then press Continue to get past the initial screen.
  3. Enter a name for the token and press Generate Token.
  4. Copy out the Tenant URL and Secret Token. The secret token should be considered sensitive and should be revoked if leaked.


Revoking a SCIM Token

The tokens generated in step 2 are sensitive and should be revoked if leaked. There are two ways to revoke these tokens. Note that revoking a token still in use by your IdP will interrupt SCIM syncing, although will not affect already-synced users and groups.

Revoking a known token

If you know the value of a token, it can be revoked using https://ssoadmin.red-gate.com/userdirectory/tokens/revoke. This does not require any permissioning or DNS entry change, so is useful if you come across a token value that you shouldn't have access to.

Revoking tokens in your organization

Generated tokens are listed at https://ssoadmin.red-gate.com/userdirectory/tokens and can be revoked from this page. 








Didn't find what you were looking for?

Product Articles

Tips and how-to guides for Redgate products

University

Easy to follow video courses

Community Forums

Ask, discuss, and solve questions about Redgate's tools

Events & Friends

Meet us at an event, get sponsored, and join our Friends of Redgate

Simple Talk

In-depth articles and opinion from Redgate's technical journal