Automated user provisioning via SCIM
Problem
Teams who use an identity provider, such as Okta, will want to manage users directly via that platform. While a user in their IDP org can sign up on Coder with OIDC and be automatically provisioned as a user, they cannot be automatically removed from Coder if they are removed in the IDP.
Definition of Done
Admins should be able to remove a user in their IDP (that is connected to Coder via OIDC and SCIM) and have the user automatically be deprovisioned in Coder. This avoids them needing to remove the user in two separate places.
This should be a paid enterprise feature.
This needs a little more detail / investigation. I'm guessing we're talking about implementing the SCIM REST API for Coder server. Do we only need to implement the delete endpoint? What is the detailed subset we need?
Okta's guide: https://developer.okta.com/docs/guides/scim-provisioning-integration-overview/main/
@spikecurtis @coadler is implementing this in v1 and his solution is OSS portable. I'll let Colin fill in the implementation details here.
In v1 I only implemented the POST/PATCH endpoints for creation/deletion and left the GET endpoints stubbed out. The GET endpoints can be faster for bulk importing users that already exist in Coder, but I decided to leave them out for now since they were a decent bit of extra work.
#3992
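The PATCH-based deprovisioning mentioned in the thread, sketched as an added example (not Coder's code): it assumes the IdP signals removal as a SCIM 2.0 PatchOp that replaces the core `active` attribute, either with a `path` or as a path-less object. `activeFromPatch`, `patchRequest` and `sampleBody` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const patchOpSchema = "urn:ietf:params:scim:api:messages:2.0:PatchOp" // RFC 7644, section 3.5.2
// sampleBody is a constructed deactivation request, not captured traffic.
const sampleBody = `{"schemas":["` + patchOpSchema + `"],"Operations":[{"op":"replace","value":{"active":false}}]}`

type patchRequest struct {
	Schemas    []string `json:"schemas"`
	Operations []struct {
		Op    string          `json:"op"`
		Path  string          `json:"path"`
		Value json.RawMessage `json:"value"`
	} `json:"Operations"`
}

// activeFromPatch reports the "active" value a PATCH body asks for; found is false if it sets none.
func activeFromPatch(body []byte) (active, found bool, err error) {
	var req patchRequest
	if err = json.Unmarshal(body, &req); err != nil || len(req.Schemas) != 1 || req.Schemas[0] != patchOpSchema {
		return false, false, errors.New("not a valid SCIM PatchOp message")
	}
	for _, op := range req.Operations {
		byPath := strings.EqualFold(op.Path, "active")
		if !strings.EqualFold(op.Op, "replace") || (op.Path != "" && !byPath) {
			continue // not a replace, or it targets another attribute
		}
		var v struct{ Active *bool `json:"active"` }
		var target interface{} = &v // no path: value is an object
		if byPath {
			target = &v.Active // path "active": value is a bare boolean
		}
		if err = json.Unmarshal(op.Value, target); err != nil {
			return false, false, err // malformed value: reject, change nothing
		}
		if v.Active != nil {
			active, found = *v.Active, true
		}
	}
	return active, found, nil
}

func main() { fmt.Println(activeFromPatch([]byte(sampleBody))) }
```

A handler would suspend the account and revoke its sessions only when `found` is true and `active` is false, and return an error response without changing state when `err` is set.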