Configure SCIM

System for Cross-domain Identity Management (SCIM) enables user lifecycle management, allowing you to synchronize and manage users directly from your Identity Provider (IdP). SCIM can automatically activate, deactivate, and delete users in GitGuardian based on changes in your IdP.

info

Only user deprovisioning is available. User and team provisioning will be supported in the near future.

Prerequisites

• SCIM requires Single Sign-On (SSO) to be configured first.
• SCIM is only supported for Okta and Microsoft Entra ID at the moment.

SCIM Features

GitGuardian supports:

• User Activation: Automatically reactivate users to your workspace when they are authorized in your IdP.
• User Deactivation: Automatically deactivate users in GitGuardian when they are removed or deactivated in your IdP.
• User Deletion: Automatically delete users in GitGuardian when they are deleted from your IdP.

Enable SCIM in GitGuardian

1. Navigate to Settings > Authentication in your GitGuardian workspace.
2. Under SCIM, toggle the option to enable SCIM integration.
3. Follow instructions of the Set up SCIM with Your IdP section.

Once SCIM is enabled, your users can be synchronized with your IdP, and user deprovisioning can occur automatically.

Unlinked Members

You may see a message indicating that some users are not linked to your IdP. These users won't be managed by SCIM.

• Review the Members List: Check the unlinked users.
• Deactivate if Necessary: Manually deactivate any users who shouldn't have access.

This typically happens for users added before SCIM was enabled or not assigned in your IdP. SCIM only manages linked users.

Set up SCIM in your IdP

To configure SCIM, you will need to provide the SCIM endpoint and configure the corresponding SCIM settings in your IdP. Here's a high-level overview for common IdPs:

Follow the specific steps for your IdP to enable SCIM integration. Most IdPs provide an option to configure SCIM via their API or dashboard settings. You will need to provide:

• GitGuardian SCIM Endpoint: https://api.gitguardian.com/v1/scim/v2 (or https://gitguardian.mycorp.local/exposed/v1/scim/v2 for self-hosted)
• API Token: Use a GitGuardian service account token with member:write permissions.

Each IdP’s SCIM configuration page will have specific instructions. Refer to the documentation for your IdP for details on how to enter the SCIM endpoint and configure API credentials.

Google & Keycloak Users

Google only supports automatic provisioning for specific apps, so SCIM cannot be used for provisioning with Google at this time. However, we are planning to support SCIM for Google and publish our app in the future.

The scim-for-keycloak plugin has a bug that causes confusion with the externalId value, which is used for making SCIM requests to GitGuardian, so it won't work with our SCIM integration. For more details, see the issue here.

Set up procedures

Okta

1. In Okta, navigate to the General settings of your GitGuardian app and check the box for Enable SCIM provisioning.

2. In the Provisioning settings of your Okta app, configure the following:

   • Set the SCIM Connector Base URL to:
     https://api.gitguardian.com/v1/scim/v2 (or https://gitguardian.mycorp.local/exposed/v1/scim/v2 for self-hosted).
   • Use email as the unique identifier field for users.
   • Enable the Push Profile Updates setting.
   • Select HTTP Header for authentication mode and add the service account token in the Authorization HTTP header.

3. Finally, check the Deactivate Users option under the Provisioning to app settings to ensure users are deactivated properly in GitGuardian when unassigned in Okta.

important note

If users are assigned to the Okta app before enabling SCIM, they won’t be deactivated in GitGuardian when unassigned later. To ensure proper deactivation, unassign and reassign these users (or groups) in Okta after enabling SCIM.

Microsoft Entra ID

1. In Microsoft Entra ID (formerly Azure Active Directory), navigate to the Enterprise Applications section.
2. Select your GitGuardian app, then go to Provisioning and set the Provisioning Mode to Automatic.
3. Provide the SCIM API Token and GitGuardian SCIM Endpoint:
   https://api.gitguardian.com/v1/scim/v2 (or https://gitguardian.mycorp.local/exposed/v1/scim/v2 for self-hosted).
4. In the Attribute Mappings section, configure the following mappings to match GitGuardian's SCIM requirements:
   • Target Object Actions: Set actions to Update and Delete for the target object.
   • Attribute Mappings:
     • userName: Map this to userPrincipalName
     • active: Map this to Switch([IsSoftDeleted], , "False", "True", "True", "False")
     • name.givenName: Map this to givenName
     • name.familyName: Map this to surname
     • externalId: Map this to userPrincipalName
5. Save the mapping and sync the users.

important note

When a user is unassigned from the GitGuardian app in Entra ID, no deactivation request is sent. To deactivate, the user must be disabled in Entra ID.

FAQ

What actions does SCIM support in GitGuardian?

SCIM in GitGuardian supports:

• User Activation: Automatically reactivate users to your workspace.
• User Deactivation: Automatically deactivate users when removed from the IdP.
• User Deletion: Automatically delete users when deleted from the IdP.

Can I use SCIM for provisioning teams?

Currently, SCIM supports user activation, deactivation, and deletion. Team provisioning will be available in a future release.

How do I link GitGuardian to my IdP for SCIM?

You will need to configure SCIM in your IdP by entering the provided SCIM endpoint and API token. Each IdP has its own process for linking SCIM integrations. Follow the relevant setup instructions for your IdP.

Does GitGuardian support Just-In-Time (JIT) provisioning with SCIM?

SCIM currently supports user deprovisioning (deactivation and deletion) but does not handle provisioning. JIT provisioning via SSO is used for user provisioning at the moment, while SCIM gives you more control over the user lifecycle for deactivation and deletion.