Enabling SCIM provisioning

Last edited: Feb 23, 2024

Overview

This topic explains how to enable SCIM user provisioning to work with your SSO-enabled LaunchDarkly account. SCIM facilitates user provisioning, which means your IdP can use it to create, update, and deactivate members in LaunchDarkly.

Prerequisites

User provisioning with SCIM is an Enterprise feature

SCIM is only available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

To complete this procedure, you must have the following prerequisites:

  • You must be a LaunchDarkly Admin or Owner.
  • You must have enabled SSO. To do this, read Configuring SAML SSO.

You may have only one IdP linked to your LaunchDarkly account at once. If you need to change providers, disconnect the original provider by following the workflow below and enable a different one through your IdP.

You cannot deactivate an account member using SCIM deprovisioning if you added the member to your LaunchDarkly account before you enabled SCIM provisioning or SSO.

Configuring SCIM

LaunchDarkly exposes a SCIM API so that IdPs can provision account members. The SCIM API supports only the OAuth2 authorization type. Not all supported third-party providers support user provisioning through SCIM. To learn more about how LaunchDarkly treats users imported from the IdP, read Understanding default roles.

We have pre-built integrations with the following providers:

You may also configure your provider manually with the following information. Specific names for these fields may vary by IdP:

  • SCIM Base URI: https://app.launchdarkly.com/trust/scim/v2
  • Authorization method: oauth2
  • Authorization URI: https://app.launchdarkly.com/trust/oauth/authorize
  • Access token URI: https://app.launchdarkly.com/trust/oauth/token
  • Unique Identifier field for account members: userName

If you configure your provider manually, you will also need an OAuth2 client ID and client secret. Contact Support and we will generate these for you.

You can also create these credentials with the REST API. To learn more, read OAuth2 Clients.

You cannot create new custom attributes through the SCIM API, but you can set two existing custom attributes for SCIM users:

  • role
  • customRole

To learn more about these attributes, read Custom roles.

For an in-depth guide on how to use custom roles with IdPs, read Creating custom roles.
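The following is an added example, not LaunchDarkly's own code or the code of any IdP integration. It strings together the manual configuration values above into a minimal SCIM 2.0 client: it builds the OAuth2 authorization URL, checks the `state` parameter on the callback so a forged callback cannot inject an attacker's code, prepares the token exchange, and builds SCIM `Users` create and deactivate requests that carry the `role` and `customRole` attributes. Two things are assumptions rather than facts from the page: that the grant is the authorization-code flow (the page lists an authorization URI and a token URI, which is what that flow uses), and that `role` and `customRole` are sent as top-level attributes of the SCIM User resource. Network calls are modelled as request descriptions so the script runs offline; the client ID, secret and redirect URI are placeholders.

```python
"""Minimal SCIM 2.0 client for the manual LaunchDarkly SCIM configuration.

Added example, not LaunchDarkly's code. Endpoint values come from the docs page;
the authorization-code grant and the top-level placement of `role` / `customRole`
are ASSUMPTIONS. Requests are returned as plain descriptions (no network I/O).
"""
import base64
import json
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Values documented on the page.
SCIM_BASE_URI = "https://app.launchdarkly.com/trust/scim/v2"
AUTHORIZATION_URI = "https://app.launchdarkly.com/trust/oauth/authorize"
TOKEN_URI = "https://app.launchdarkly.com/trust/oauth/token"
UNIQUE_ID_FIELD = "userName"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class Request:
    """An HTTP request the IdP would send; kept inert so this runs offline."""
    method: str
    url: str
    headers: dict
    body: Optional[str] = None


def new_state() -> str:
    """Unguessable OAuth2 state; the IdP must store it per authorization attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1 of the (assumed) authorization-code flow: send an admin to LaunchDarkly."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZATION_URI}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code, refusing a callback whose state does not match.

    Without this check an attacker can trick the IdP into binding the attacker's
    authorization code (and so the attacker's LaunchDarkly account) to the admin.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str) -> Request:
    """Step 3: exchange the code at the token URI; credentials go in Basic auth, not the URL."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return Request("POST", TOKEN_URI,
                   {"Authorization": f"Basic {cred}",
                    "Content-Type": "application/x-www-form-urlencoded"}, body)


def scim_user(user_name: str, given: str, family: str, email: str, active: bool = True,
              role: Optional[str] = None, custom_role: Optional[str] = None) -> dict:
    """Build a SCIM User; userName is the unique identifier LaunchDarkly matches on."""
    if not user_name:
        raise ValueError(f"{UNIQUE_ID_FIELD} is required")
    user = {"schemas": [SCIM_USER_SCHEMA], UNIQUE_ID_FIELD: user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}], "active": active}
    if role:            # assumption: sent as a top-level custom attribute
        user["role"] = role
    if custom_role:     # assumption: sent as a top-level custom attribute
        user["customRole"] = custom_role
    return user


def _scim_headers(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}",
            "Content-Type": "application/scim+json"}


def create_user_request(access_token: str, user: dict) -> Request:
    return Request("POST", f"{SCIM_BASE_URI}/Users", _scim_headers(access_token),
                   json.dumps(user))


def deactivate_user_request(access_token: str, scim_id: str) -> Request:
    """Deprovisioning is a PATCH that sets active=false, not a DELETE."""
    patch = {"schemas": [SCIM_PATCH_SCHEMA],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return Request("PATCH", f"{SCIM_BASE_URI}/Users/{scim_id}",
                   _scim_headers(access_token), json.dumps(patch))


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("CLIENT_ID", "https://idp.example/callback", state))
    user = scim_user("a.user@example.com", "A", "User", "a.user@example.com",
                     custom_role="flag-reviewer")
    print(json.dumps(create_user_request("ACCESS_TOKEN", user).__dict__, indent=2))
```

The deactivate request is the one that matters for the caveat in the Prerequisites section: an IdP can only flip `active` to `false` for members it created through SCIM, so members who predate SCIM or SSO must still be handled in LaunchDarkly directly.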

To learn how to remediate errors returned during SCIM provisioning, read SSO SCIM Error Messages.

Disconnecting SCIM

You can disconnect SCIM at any time.

To disconnect SCIM:

  1. Log into LaunchDarkly as an administrator.
  2. Navigate to Account settings, then Security, and scroll to the "SSO management" section.
  3. Click Disconnect SCIM.

Team sync with SCIM

Team sync with SCIM is an Enterprise feature

Team sync with SCIM is only available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

Team sync is available for Okta

Team sync is only available for Okta. Team sync is not available for other IdPs.

LaunchDarkly allows you to sync groups from Okta to teams within your account. You can use this feature to create a new team or link an existing team with the same name to an Okta group.

After you turn on team sync:

  • You can only create new teams through Group Push in Okta, and not from the LaunchDarkly UI.
  • You can only make changes to your synced teams' names and memberships through Okta. You can still maintain unsynced teams in the LaunchDarkly UI.
  • You will still manage team permissions from within LaunchDarkly. To learn how to add custom roles to a team, read Managing team permissions. Team maintainers and team description will also be managed from the LaunchDarkly UI.
  • A member's individual built-in or custom roles will aggregate with the custom roles that you apply to their teams.
  • LaunchDarkly will not delete any existing teams.

To use team sync, you must have administrator access in LaunchDarkly and you must have configured SCIM for your LaunchDarkly account.

To turn on team sync in LaunchDarkly:

  1. Log in to LaunchDarkly as an owner or admin.

  2. Navigate to the "SSO management" section of the Security tab on the Account settings page.

  3. Click Turn on team sync. A confirmation dialog appears.

  4. Click Turn on team sync.

    [Image: The "Turn on team sync" option within the "SSO management" section of the "Security" tab.]

You can now manage teams within the admin panel of Okta. Teams you have synced with Okta have limited team management permissions in LaunchDarkly. To learn more about managing teams in Okta, read Using Okta to manage LaunchDarkly teams with SCIM.

We recommend using either SCIM-based or SAML-based member role and team assignment. If you use both SAML and SCIM methods at the same time, team assignment set up with the SAML custom attribute (teamKey) will be overridden by SCIM team assignment.