Enable SCIM provisioning
Read time: 4 minutes
Last edited: Oct 02, 2024
Overview
This topic explains how to enable SCIM user provisioning to work with your SSO-enabled LaunchDarkly account. SCIM facilitates user provisioning, which means your IdP can use it to create, update, and deactivate members in LaunchDarkly.
Prerequisites
SCIM is only available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.
To complete this procedure, you must have the following prerequisites:
- You must be a LaunchDarkly Owner or Admin.
- You must have enabled SSO. To do this, read Configure SAML SSO.
You may have only one IdP linked to your LaunchDarkly account at once. If you need to change providers, disconnect the original provider by following the workflow below and enable a different one through your IdP.
You cannot deactivate an account member using SCIM deprovisioning if you added the member to your LaunchDarkly account before you enabled SCIM provisioning or SSO.
Configure SCIM
LaunchDarkly has a SCIM API available to allow for user provisioning of account members from IdPs. The SCIM API is only supported for the OAuth2 authorization type. Not all supported third-party providers support user provisioning through SCIM. To learn more about how LaunchDarkly treats users imported from the IdP, read Default initial role.
We have pre-built integrations with the following providers:
You may also configure your provider manually with the following information. Specific names for these fields may vary by IdP:
- SCIM Base URI: https://app.launchdarkly.com/trust/scim/v2
- Authorization method: oauth2
- Authorization URI: https://app.launchdarkly.com/trust/oauth/authorize
- Access token URI: https://app.launchdarkly.com/trust/oauth/token
- Unique Identifier field for account members: userName
If you configure your provider manually, you also need a client ID and client secret. Start a Support ticket and we will generate these for you.
You can also create an OAuth2 client with the REST API. To learn more, read OAuth2 Clients.
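The following added example (not LaunchDarkly's code, and not part of the original page) shows how the manual configuration values above fit together: an OAuth2 authorization-code exchange against the listed authorize and token URIs, a SCIM lookup by the userName identifier, and a SCIM deactivation PATCH. Request shapes follow RFC 6749 and RFC 7644; CLIENT_ID, REDIRECT_URI, the sample user and the callback URL are constructed placeholders, and any LaunchDarkly-specific scope values are not on the page and are omitted.

```python
"""Offline request builders for the manual SCIM/OAuth2 setup (constructed example)."""
from urllib.parse import urlencode, urlparse, parse_qs

SCIM_BASE = "https://app.launchdarkly.com/trust/scim/v2"
AUTHORIZE_URI = "https://app.launchdarkly.com/trust/oauth/authorize"
TOKEN_URI = "https://app.launchdarkly.com/trust/oauth/token"
CLIENT_ID = "CLIENT_ID_FROM_SUPPORT"                      # placeholder: issued via Support ticket
REDIRECT_URI = "https://idp.example.com/oauth/callback"   # placeholder: the IdP's callback


def build_authorize_url(state: str) -> str:
    # Authorization-code request. `state` must be unguessable and checked on the callback.
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_URI}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code; reject a state mismatch (CSRF / mix-up defence)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "code" not in q:
        raise ValueError("callback carried no authorization code")
    return q["code"][0]


def build_token_request(code: str, client_secret: str) -> dict:
    # POST form body for the access-token URI; the secret travels in the body, never in a URL.
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": client_secret}
    return {"method": "POST", "url": TOKEN_URI,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


def build_user_lookup(user_name: str, access_token: str) -> dict:
    # SCIM 2.0 filter on userName, the unique identifier field named above; escape embedded quotes.
    flt = 'userName eq "%s"' % user_name.replace('"', '\\"')
    return {"method": "GET", "url": f"{SCIM_BASE}/Users?{urlencode({'filter': flt})}",
            "headers": {"Authorization": f"Bearer {access_token}",
                        "Accept": "application/scim+json"}}


def build_deactivate_patch(user_id: str) -> dict:
    # RFC 7644 PatchOp that deprovisions a member by setting active=false.
    return {"method": "PATCH", "url": f"{SCIM_BASE}/Users/{user_id}",
            "body": {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [{"op": "replace", "value": {"active": False}}]}}
```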
You cannot create new custom attributes through the SCIM API, but you can set two existing custom attributes for SCIM users:
- role
- customRole
To learn more about these attributes, read Custom roles.
For an in-depth guide on how to use custom roles with IdPs, read Creating custom roles.
To learn more about how to remediate SCIM assertion consumer errors, read SSO SCIM Error Messages.
Disconnect SCIM
You can disconnect SCIM at any time.
To disconnect SCIM:
- Log in to LaunchDarkly as an Owner or Admin.
- Click the gear icon in the left sidenav to view Organization settings.
- Click Security and scroll to the "SSO management" section.
- Click Disconnect SCIM.
Team sync with SCIM
Team sync with SCIM is only available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.
Team sync is only available for Okta. Team sync is not available for other IdPs.
LaunchDarkly allows you to sync groups from Okta to teams within your account. You can use this feature to create a new team or link an existing team with the same name to an Okta group.
After you turn on team sync:
- You can only create new teams through Group Push in Okta, and not from the LaunchDarkly UI.
- You can only make changes to your synced teams' names and memberships through Okta. You can still maintain unsynced teams in the LaunchDarkly UI.
- You will still manage team permissions from within LaunchDarkly. To learn how to add custom roles to a team, read Manage team permissions. Team maintainers and team description will also be managed from the LaunchDarkly UI.
- A member's individual built-in or custom roles will aggregate with the custom roles that you apply to their teams.
- LaunchDarkly will not delete any existing teams.
To use team sync, you must have administrator access in LaunchDarkly and you must have configured SCIM for your LaunchDarkly account.
To turn on team sync in LaunchDarkly:
- Log in to LaunchDarkly as an Owner or Admin.
- Click the gear icon in the left sidenav to view Organization settings.
- Click Security and scroll to the "SSO management" section.
- Click Turn on team sync. A confirmation dialog appears.
- Click Turn on team sync.
You can now manage teams within the admin panel of Okta. Teams you have synced with Okta have limited team management permissions in LaunchDarkly. To learn more about managing teams in Okta, read Use Okta to manage LaunchDarkly teams with SCIM.
We recommend using either SCIM-based or SAML-based member role and team assignment. If you use both SAML and SCIM methods at the same time, team assignment set up with the SAML custom attribute (teamKey) will be overridden by SCIM team assignment.