Vardan Torosyan 6901e21700 Docs: Grafana SCIM provisioning overview (#102183)
2025-04-02 16:55:54 +02:00

---
description: Learn how to use SCIM provisioning to synchronize users and groups from your identity provider to Grafana. SCIM enables automated user management, team provisioning, and enhanced security through real-time synchronization with your identity provider.
keywords:
  - grafana
  - scim
  - provisioning
  - user-management
  - team-management
labels:
  products:
    - cloud
    - enterprise
menuTitle: Configure SCIM provisioning
title: Configure SCIM provisioning
weight: 300
---

# Configure SCIM provisioning

System for Cross-domain Identity Management (SCIM) is an open standard that allows automated user provisioning and management. With SCIM, you can automate the provisioning of users and groups from your identity provider to Grafana.

{{< admonition type="note" >}} Available in Grafana Enterprise and Grafana Cloud Advanced. {{< /admonition >}}

{{< admonition type="note" >}}
This feature is behind the `enableSCIM` feature toggle. You can enable feature toggles through the configuration file or through environment variables.

For more information, refer to the feature toggles documentation.
{{< /admonition >}}

## Benefits

{{< admonition type="note" >}}
SCIM provisioning only works with SAML authentication. Other authentication methods aren't supported.
{{< /admonition >}}

SCIM offers several advantages for managing users and teams in Grafana:

- Automated user provisioning: Automatically create, update, and disable users in Grafana when changes occur in your identity provider
- Automated team lifecycle management: Automatically create teams when new groups are added, update team memberships, and delete teams when groups are removed from your identity provider
- Reduced administrative overhead: Eliminate manual user management tasks and reduce the risk of human error
- Enhanced security: Automatically disable access when users leave your organization

## Identity provider consistency

Grafana follows the best practice of not mixing different identity providers and SSO methods. When you enable SCIM in Grafana, you must use the same identity provider for both authentication and user provisioning. This means that users attempting to log in through other authentication methods like LDAP or OAuth will be blocked from accessing Grafana.

Users with Basic Auth credentials and those using their grafana.com accounts will still be able to log in successfully.

## Configure SCIM in Grafana

The following table describes all SCIM configuration options. Like any other Grafana configuration, you can also apply these options as environment variables.

| Setting              | Required | Description                                                                                                                                                                                 | Default |
| -------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `user_sync_enabled`  | Yes      | Enable SCIM user provisioning. When enabled, Grafana creates, updates, and deactivates users based on SCIM requests from your identity provider.                                             | `true`  |
| `group_sync_enabled` | No       | Enable SCIM group provisioning. When enabled, Grafana creates, updates, and deletes teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled.    | `false` |

{{< admonition type="warning" >}}
Team Sync compatibility:

- SCIM group sync (`group_sync_enabled = true`) and Team Sync cannot be enabled simultaneously
- You can use SCIM user sync (`user_sync_enabled = true`) alongside Team Sync
- For more details about migration and compatibility, see SCIM vs Team Sync
{{< /admonition >}}

### Example SCIM configuration

```ini
[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
```
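The same settings in script form, as an added example that is not part of the Grafana documentation or code base: it derives the environment-variable form of the `[auth.scim]` settings from an ini fragment and checks the constraints this page states (the `enableSCIM` feature toggle, SAML authentication, and the Team Sync exclusion). The `GF_<SECTION>_<KEY>` naming follows Grafana's documented convention for environment variables; the ini fragments and the `team_sync_enabled` flag are constructed inputs, because Team Sync is configured per authentication provider rather than by a single ini key.

```python
"""Added example, not Grafana code: derive the GF_* environment variables for
the [auth.scim] settings and flag the combinations this page warns against.
The GF_<SECTION>_<KEY> naming follows Grafana's documented convention; the
sample ini fragments and the team_sync_enabled input are constructed."""
import configparser

# Defaults taken from the settings table on this page.
SCIM_DEFAULTS = {"user_sync_enabled": "true", "group_sync_enabled": "false"}

# Constructed sample: group sync on, feature toggle missing, SAML not enabled.
BAD_INI = """
[auth.scim]
user_sync_enabled = true
group_sync_enabled = true
"""

# Constructed sample: the configuration this page describes.
GOOD_INI = """
[feature_toggles]
enable = enableSCIM

[auth.saml]
enabled = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""


def _parse(ini_text: str) -> configparser.ConfigParser:
    # grafana.ini values may contain '%' or '$__env{...}', so disable interpolation.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def env_var_name(section: str, key: str) -> str:
    """Grafana maps [section] key to GF_<SECTION>_<KEY>: upper-cased, with dots
    and dashes in the section name replaced by underscores."""
    normalized = section.replace(".", "_").replace("-", "_")
    return f"GF_{normalized}_{key}".upper()


def scim_env(ini_text: str) -> dict:
    """Environment-variable form of [auth.scim], filling in the documented
    defaults for keys the file does not set."""
    cp = _parse(ini_text)
    values = dict(cp["auth.scim"]) if cp.has_section("auth.scim") else {}
    return {env_var_name("auth.scim", k): values.get(k, d) for k, d in SCIM_DEFAULTS.items()}


def check_scim_config(ini_text: str, team_sync_enabled: bool) -> list:
    """Return findings for the constraints stated on this page. Whether Team
    Sync is on is passed in by the caller (hypothetical input), since it is
    configured per auth provider and not by one ini key."""
    cp = _parse(ini_text)
    findings = []
    toggles = {t.strip() for t in cp.get("feature_toggles", "enable", fallback="").split(",")}
    if "enableSCIM" not in toggles and not cp.getboolean("feature_toggles", "enableSCIM", fallback=False):
        findings.append("enableSCIM feature toggle is not enabled")
    if not cp.getboolean("auth.saml", "enabled", fallback=False):
        findings.append("SCIM requires SAML authentication, but [auth.saml] enabled is not true")
    if cp.getboolean("auth.scim", "group_sync_enabled", fallback=False) and team_sync_enabled:
        findings.append("group_sync_enabled = true cannot be combined with Team Sync")
    return findings


if __name__ == "__main__":
    print(scim_env(GOOD_INI))
    for finding in check_scim_config(BAD_INI, team_sync_enabled=True):
        print("finding:", finding)
```

Run the script against your own `grafana.ini` fragment; an empty findings list means the three preconditions this page states are met, and the dictionary it prints is what you would set in the container environment instead of editing the file.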

## Supported identity providers

The following identity providers are supported:

## How it works

The synchronization process works as follows:

  1. Configure SCIM in both your identity provider and Grafana
  2. Your identity provider sends SCIM requests to the Grafana SCIM API endpoint
  3. Grafana processes these requests to create, update, or deactivate users and teams, and synchronize team memberships
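The exchange in steps 2 and 3, as an added example that is not Grafana's implementation: a toy in-memory SCIM 2.0 service that processes the requests an identity provider sends, so you can see what "create, update, or deactivate users and teams, and synchronize team memberships" means on the wire. Assumptions not stated on this page: the RFC 7644 paths `/scim/v2/Users` and `/scim/v2/Groups` (this page does not give Grafana's endpoint), and a `501` status for a resource whose sync is disabled. Every request body in `demo()` is constructed sample data.

```python
"""Added example, not Grafana's code: a toy in-memory SCIM 2.0 service that
processes the requests an identity provider sends. Assumed (not stated on this
page): the RFC 7644 paths /scim/v2/Users and /scim/v2/Groups, and 501 for a
resource whose sync is disabled. Request bodies in demo() are constructed."""
from dataclasses import dataclass, field
import itertools


def as_scim_bool(value) -> bool:
    # Some providers send "active" as the string "False"; accept both forms.
    return str(value).lower() == "true"


@dataclass
class User:
    id: str
    external_id: str   # the IdP's identifier, linking the Grafana user to the IdP identity
    user_name: str
    active: bool = True


@dataclass
class Team:
    id: str
    external_id: str
    name: str
    members: set = field(default_factory=set)


class ScimService:
    """Users are deactivated, never deleted; teams follow their group's lifecycle."""

    def __init__(self, user_sync_enabled=True, group_sync_enabled=False):
        self.user_sync_enabled, self.group_sync_enabled = user_sync_enabled, group_sync_enabled
        self.users, self.teams = {}, {}
        self._ids = itertools.count(1)

    def handle(self, method, path, body=None):
        """Dispatch one request; returns (HTTP status, resource or None)."""
        parts = path.strip("/").split("/")               # scim / v2 / <Resource> [/ <id>]
        resource = parts[2] if len(parts) > 2 else None
        rid = parts[3] if len(parts) > 3 else None
        if resource == "Users":
            return self._users(method, rid, body) if self.user_sync_enabled else (501, None)
        if resource == "Groups":
            return self._groups(method, rid, body) if self.group_sync_enabled else (501, None)
        return 404, None

    def _users(self, method, rid, body):
        if method == "POST":
            if any(u.user_name == body["userName"] for u in self.users.values()):
                return 409, None                          # RFC 7644: userName must be unique
            uid = str(next(self._ids))
            self.users[uid] = User(uid, body.get("externalId", ""), body["userName"],
                                   as_scim_bool(body.get("active", True)))
            return 201, self.users[uid]
        user = self.users.get(rid)
        if user is None:
            return 404, None
        if method == "PATCH":
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and op.get("path") == "active":
                    user.active = as_scim_bool(op["value"])
            return 200, user
        if method == "DELETE":
            user.active = False                           # deprovision = deactivate, keep the record
            return 204, None
        return 405, None

    def _groups(self, method, rid, body):
        if method == "POST":
            tid = str(next(self._ids))
            self.teams[tid] = Team(tid, body.get("externalId", ""), body["displayName"],
                                   {m["value"] for m in body.get("members", [])})
            return 201, self.teams[tid]
        team = self.teams.get(rid)
        if team is None:
            return 404, None
        if method == "PATCH":
            for op in body["Operations"]:
                kind, path = op["op"].lower(), op.get("path", "")
                if kind == "add" and path == "members":
                    team.members |= {m["value"] for m in op["value"]}
                elif kind == "remove" and path.startswith("members"):
                    if '"' in path:                       # filter form: members[value eq "<id>"]
                        team.members.discard(path.split('"')[1])
                    else:                                 # list form: value = [{"value": id}, ...]
                        team.members -= {m["value"] for m in op.get("value", [])}
            return 200, team
        if method == "DELETE":
            del self.teams[rid]                           # group removed -> team removed
            return 204, None
        return 405, None


def demo() -> ScimService:
    """Replay a constructed exchange: onboard two users, create a team,
    change its membership, then offboard one user."""
    svc = ScimService(user_sync_enabled=True, group_sync_enabled=True)
    _, alice = svc.handle("POST", "/scim/v2/Users",
                          {"externalId": "idp-1", "userName": "alice@example.com", "active": True})
    _, bob = svc.handle("POST", "/scim/v2/Users",
                        {"externalId": "idp-2", "userName": "bob@example.com", "active": True})
    _, team = svc.handle("POST", "/scim/v2/Groups",
                         {"externalId": "grp-1", "displayName": "sre", "members": [{"value": alice.id}]})
    svc.handle("PATCH", f"/scim/v2/Groups/{team.id}", {"Operations": [
        {"op": "add", "path": "members", "value": [{"value": bob.id}]},
        {"op": "remove", "path": f'members[value eq "{alice.id}"]'}]})
    svc.handle("PATCH", f"/scim/v2/Users/{alice.id}", {"Operations": [
        {"op": "replace", "path": "active", "value": "False"}]})        # offboarding
    return svc
```

Two details worth noticing: the offboarding PATCH flips `active` to false but leaves the user record in place, matching the page's statement that users are deactivated rather than deleted, and the duplicate-`userName` check returns `409` so that a re-sent create request cannot produce a second account for the same person.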

## Comparison with other sync methods

Grafana offers several methods for synchronizing users, teams, and roles. The following table compares SCIM with other synchronization methods to help you understand the advantages:

| Sync Method      | Users | Teams | Roles | Automation | Key Benefits                                                             | Limitations                                                   | On-Prem | Cloud |
| ---------------- | ----- | ----- | ----- | ---------- | ------------------------------------------------------------------------ | ------------------------------------------------------------- | ------- | ----- |
| SCIM             | ✅    | ✅    | ⚠️    | Full       | Complete user and team lifecycle management with automatic team creation | Requires SAML authentication; uses Role Sync for basic roles  | ✅      | ✅    |
| Team Sync        | ❌    | ⚠️    | ❌    | Partial    | Syncs team memberships to existing teams                                 | Requires manual team creation; no team lifecycle management   | ✅      | ✅    |
| Active LDAP Sync | ✅    | ❌    | ❌    | Full       | Background synchronization of LDAP users                                 | Limited to LDAP environments                                  | ✅      | ❌    |
| Role Sync        | ❌    | ❌    | ✅    | Full       | Full automation of basic role assignment                                 | Limited to basic roles only                                   | ✅      | ✅    |
| Org Mapping      | ❌    | ❌    | ⚠️    | Full       | Full automation of basic role assignment per organization                | Limited to basic roles only; on-premises only                 | ✅      | ⚠️    |

### Key advantages

- Comprehensive user and team automation: SCIM provides full automation for user and team provisioning, while role management is handled separately through Role Sync
- Dynamic team creation: Teams are created automatically based on identity provider groups
- Near real-time synchronization: Changes in the identity provider are reflected in Grafana according to the provider's synchronization schedule
- Enterprise-ready: Designed for large organizations with complex user management needs

## Next steps