Set up SCIM connection

Scalekit supports user provisioning based on the SCIM protocol. This allows your customers to manage their users automatically through directory providers, simplifying user access and revocation to your app when their employees join or leave an organization.

By configuring their directory provider with your app via the Scalekit admin portal, customers can ensure seamless user management.

1. Enable SCIM provisioning for the organization

   The SCIM provisioning feature should be enabled for that particular organization. You can manually do this via the Scalekit dashboard > organization > overview. The other way, is to provide an option in your app so that organization admins (customers) can enable it within your app.

   Here’s how you can do that with Scalekit. Use the following SDK method to activate SSO for the organization:

   Node.js

   Enable SSO

   const settings = {
     features: [
       {
         name: 'scim',
         enabled: true,
       }
     ],
   };
   
   await scalekit.organization.updateOrganizationSettings(
     '<organization_id>', // Get this from the idToken or accessToken
     settings
   );

   Python

   Enable SSO

   settings = [
       {
           "name": "scim",
           "enabled": True
       }
   ]
   
   scalekit.organization.update_organization_settings(
       organization_id='<organization_id>',  # Get this from the idToken or accessToken
       settings=settings
   )

   Java

   Enable SSO

   OrganizationSettingsFeature featureSSO = OrganizationSettingsFeature.newBuilder()
           .setName("scim")
           .setEnabled(true)
           .build();
   
   updatedOrganization = scalekitClient.organizations()
           .updateOrganizationSettings(organizationId, List.of(featureSSO));

   Go

   Enable SSO

   settings := OrganizationSettings{
       Features: []Feature{
           {
               Name:    "scim",
               Enabled: true,
           },
       },
   }
   
   organization, err := sc.Organization().UpdateOrganizationSettings(ctx, organizationId, settings)
   if err != nil {
       // Handle error
   }

   You can also enable this from the organization settings in the Scalekit dashboard.

2. Enable admin portal for enterprise customer onboarding

   After SCIM provisioning is enabled for that organization, provide a method for configuring a SCIM connection with the organization’s identity provider.

   Scalekit offers two primary approaches:

   • Generate a link to the admin portal from the Scalekit dashboard and share it with organization admins via your usual channels.
   • Or embed the admin portal in your application in an inline frame so administrators can configure their IdP without leaving your app.
   See how to onboard enterprise customers

3. Test your SCIM integration

   To verify that SCIM provisioning is working correctly, create a new user in the directory provider and confirm that it is automatically created in the Scalekit organization’s user list.

   To programmatically list the connected directories in your app, use the following SDK methods:

   Node.js

   List connected directories

   const { directories } = await scalekit.directory.listDirectories('<organization_id>');

   Python

   List connected directories

   directories = scalekit_client.directory.list_directories(organization_id='<organization_id>')

   Java

   List connected directories

   ListDirectoriesResponse response = scalekitClient.directories().listDirectories(organizationId);

   Go

   List connected directories

   directories, err := sc.Directory().ListDirectories(ctx, organizationId)

   The response will be a list of connected directories, similar to the following:

   List connected directories response

   {
     "directories": [
       {
         "attribute_mappings": {
           "attributes": []
         },
         "directory_endpoint": "https://yourapp.scalekit.com/api/v1/directoies/dir_123212312/scim/v2",
         "directory_provider": "OKTA",
         "directory_type": "SCIM",
         "email": "john.doe@scalekit.cloud",
         "enabled": true,
         "groups_tracked": "ALL",
         "id": "dir_121312434123312",
         "last_synced_at": "2024-10-01T00:00:00Z",
         "name": "Azure AD",
         "organization_id": "org_121312434123312",
         "role_assignments": {
           "assignments": [
             {
               "group_id": "dirgroup_121312434123",
               "role_name": "string"
             }
           ]
         },
         "secrets": [
           {
             "create_time": "2024-10-01T00:00:00Z",
             "directory_id": "dir_12362474900684814",
             "expire_time": "2025-10-01T00:00:00Z",
             "id": "string",
             "last_used_time": "2024-10-01T00:00:00Z",
             "secret_suffix": "Nzg5",
             "status": "INACTIVE"
           }
         ],
         "stats": {
           "group_updated_at": "2024-10-01T00:00:00Z",
           "total_groups": 10,
           "total_users": 10,
           "user_updated_at": "2024-10-01T00:00:00Z"
         },
         "status": "IN_PROGRESS",
         "total_groups": 10,
         "total_users": 10
       }
     ]
   }

4. Enterprise users are now automatically provisioned your app

   Scalekit automatically provisions and synchronizes users from the directory provider to your application. The organization administrator configures the synchronization frequency within their directory provider console.

   To retrieve a list of all provisioned users, use the Users API.