6901e21700
* Docs: Create a landing page for SCIM provisioning * Fix docs warnings * Update docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Update docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Apply suggestions from code review Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Address some of the feedback and simplify few parts * Remove repetitive wording * Don't use possessive form, again * Address the feedback from PR * Docs: Manage users and teams via SCIM (#102478) * Docs: Manage users and teams via SCIM * Docs: Manage users and teams via SCIM * Refactor managing users parts * Add team sync docs * Update _index.md * Apply suggestions from code review Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Clarify how user identity linking is working * Fix formatting * Docs: Configure SCIM with Azure and Okta (#102582) * Docs: Configure SCIM with Azure and Okta * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Add a warning about migration from team sync * Remove the SAML setup instructions from SCIM docs * Update _index.md * Update _index.md * Apply suggestions from code review Co-authored-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: Sarah Constant <sarahleejane@users.noreply.github.com> * Address PR feedback * Stop using possessive form * Add a note mentioning that users/teams can not be manually deleted * Update _index.md * Docs: SCIM configuration options (#103085) * Add a section to clarify how SCIM works with other IdPs * Update _index.md * Update _index.md --------- Co-authored-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Sarah Constant <sarahleejane@users.noreply.github.com>
8.2 KiB
| description | keywords | labels | menuTitle | title | weight | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Learn how to implement SCIM provisioning in Grafana for automated user and team synchronization. SCIM integrates with identity providers like Okta and Azure AD to streamline user management, automate team provisioning, and replace Team Sync. |
|
|
Manage users and teams with SCIM | Manage users and teams with SCIM | 310 |
Manage users and teams with SCIM
{{< admonition type="note" >}} Available in Grafana Enterprise and Grafana Cloud Advanced. {{< /admonition >}}
SCIM streamlines identity management in Grafana by automating user lifecycle and team membership operations. This guide explains how SCIM works with existing Grafana setups, handles user provisioning, and manages team synchronization.
With SCIM, you can:
- Automate user lifecycle from creation to deactivation
- Manage existing users by linking them with identity provider identities
- Automate team lifecycle by automatically creating teams when groups are added, updating team memberships, and deleting teams when groups are removed
- Maintain security through automated deprovisioning
- Replace Team Sync with more robust SCIM group synchronization
User provisioning with SCIM
SCIM provisioning works in conjunction with existing user management methods in Grafana. While SCIM automates user provisioning from the identity provider, users can still be created through SAML just-in-time provisioning when they log in, manually through the Grafana UI, or via automation tools like Terraform and the Grafana API. For the most consistent user management experience, we recommend centralizing user provisioning through SCIM.
{{< admonition type="note" >}}
User provisioning requires user_sync_enabled = true in the SCIM configuration. See Configure SCIM in Grafana for more information.
{{< /admonition >}}
{{< admonition type="warning" >}} After a user is provisioned through SCIM, they cannot be deleted from Grafana - they can only be deactivated through the identity provider. This is important to consider when planning your user management strategy, especially for compliance and data retention requirements. {{< /admonition >}}
For detailed configuration steps specific to the identity provider, see:
How SCIM identifies users
SCIM uses a specific process to establish and maintain user identity between the identity provider and Grafana:
-
Initial user lookup:
- The identity provider looks up users in Grafana using the user's login and the Unique identifier field (configurable at IdP)
- The identity provider expects a single result from Grafana for each user
-
Identity linking:
- The identity provider learns the relationship between the found Grafana user and the Grafana internal ID
- The identity provider updates Grafana with the External ID
- Grafana updates the authentication validations to expect this External ID
-
Authentication validation:
- Grafana expects the SAML integration to return the same External ID in SAML assertions
- This External ID is used to validate that the logged-in user matches the provisioned user
This process ensures secure and consistent user identification across both systems, preventing security issues that could arise from email changes or other user attribute modifications.
Existing Grafana users
{{< admonition type="note" >}} Existing users must be assigned to the Grafana app in the identity provider to maintain access once SCIM is enabled. {{< /admonition >}}
For users who already exist in the Grafana instance:
- SCIM establishes the relationship through the External ID matching process
- Creates a secure link with the identity provider identity
- Preserves all existing settings and access
- Keeps the account active and unchanged until assigned in the identity provider
Handling users from other provisioning methods
To prevent conflicts and maintain consistent user management, disable or restrict other provisioning methods when implementing SCIM. This ensures that all new users are created through SCIM and prevents duplicate or conflicting user records.
-
SAML Just-in-Time (JIT) provisioning:
- Disable
allow_sign_upin SAML settings to prevent automatic user creation - Existing JIT-provisioned users will continue to work but should be migrated to SCIM
- Disable
-
Terraform or API provisioning:
- Stop creating new users through these methods
- Existing users will continue to work but should be migrated to SCIM
- Consider removing or archiving Terraform user creation resources
-
Manual user creation:
- Restrict UI-based user creation to administrators only
- Plan to migrate manually created users to SCIM
New users
For users who don't yet exist in Grafana:
- SCIM creates accounts when users are assigned to Grafana in the identity provider
- Sets up initial access based on identity provider group memberships and SAML role mapping
- No manual Grafana account creation needed
Role management
SCIM handles user synchronization but not role assignments. Role management is handled through Role Sync, and any role changes take effect during user authentication.
Team provisioning with SCIM
SCIM provides automated team management capabilities that go beyond what Team Sync offers. While Team Sync only maps identity provider groups to existing Grafana teams, SCIM can automatically create and delete teams based on group changes in the identity provider.
{{< admonition type="note" >}}
Team provisioning requires group_sync_enabled = true in the SCIM configuration. See Configure SCIM in Grafana for more information.
{{< /admonition >}}
{{< admonition type="warning" >}} Teams provisioned through SCIM cannot be deleted manually from Grafana - they can only be deleted by removing their corresponding groups from the identity provider. {{< /admonition >}}
For detailed configuration steps specific to the identity provider, see:
SCIM vs Team Sync
{{< admonition type="warning" >}} Do not enable both SCIM Group Sync and Team Sync simultaneously as these methods can conflict with each other. However, you can use SCIM for user provisioning while keeping Team Sync for team management until migration support is available. {{< /admonition >}}
Choose one team synchronization method:
- If you enable SCIM Group Sync, disable Team Sync and use SCIM for team management
- If you prefer Team Sync, do not enable SCIM Group Sync
{{< admonition type="warning" >}} Team Sync Migration: Support for migrating from Team Sync to SCIM Group Sync is coming soon. Until this support is released, we recommend keeping your existing Team Sync setup for team management. You can still benefit from SCIM user provisioning capabilities while using Team Sync for team management. {{< /admonition >}}
Key differences
SCIM Group Sync provides several advantages over Team Sync:
- Automatic team creation: SCIM automatically creates Grafana teams when new groups are added to the identity provider
- Automatic team deletion: SCIM removes teams when their corresponding groups are deleted from the identity provider
- Real-time updates: Team memberships are updated immediately when group assignments change
- Simplified management: No need to manually create teams in Grafana before mapping them
How team synchronization works
SCIM manages teams through the following process:
Group assignment:
- User is assigned to groups in the identity provider
- SCIM detects group membership changes
Team creation and mapping:
- Creates Grafana teams for new identity provider groups
- Maps users to appropriate teams
- Removes users from teams when group membership changes
Team membership maintenance:
- Continuously syncs team memberships
- Removes users from teams when removed from groups
- Updates team memberships when groups change