configcat · laliconfigcat · May 20, 2025 · Jan 15, 2025 · Jan 16, 2025 · Jan 16, 2025
@@ -19,3 +19,4 @@ website/i18n/*
 .dccache
 
 website/api/reference/*
+website/api/scim/*
@@ -1,24 +1,48 @@
 import type { SidebarsConfig } from '@docusaurus/plugin-content-docs';
 
-const infoId = 'reference/configcat-public-management-api';
+const papiInfoId = 'reference/configcat-public-management-api';
+const scimInfoId = 'scim/configcat-user-provisioning-scim-api';
 
-const generated = require('./reference/sidebar.ts')
-    .map(item => {
-      return {
-        ...item, 
-        items: item.items.filter(sub => sub.id !== infoId),
-      }
-    });
+const papiSidebar = require('./reference/sidebar.ts').map((item) => {
+  return {
+    ...item,
+    items: item.items.filter((sub) => sub.id !== papiInfoId),
+  };
+});
+
+const scimSidebar = require('./scim/sidebar.ts').filter((item) => item.id !== scimInfoId);
 
 const sidebars: SidebarsConfig = {
   api: [
     {
-      label: 'Introduction',
-      type: "doc",
-      id: infoId,
+      type: 'category',
+      label: 'Public Management API',
+      collapsible: true,
+      collapsed: true,
+      items: [
+        {
+          label: 'Introduction',
+          type: 'doc',
+          id: papiInfoId,
+        },
+        ...papiSidebar,
+      ],
+    },
+    {
+      type: 'category',
+      label: 'User Provisioning (SCIM) API',
+      collapsible: true,
+      collapsed: true,
+      items: [
+        {
+          label: 'Introduction',
+          type: 'doc',
+          id: scimInfoId,
+        },
+        ...scimSidebar,
+      ],
     },
-    ...generated,
   ],
 };
 
-export default sidebars;
+export default sidebars;
@@ -135,4 +135,5 @@ To let users authenticate via SAML, you need to assign individual users or group
 
 ## 6. Next Steps
 
-- Configure the [auto-assignment of users](../../auto-assign-users.mdx).
+- Configure [User provisioning (SCIM)](../../scim/overview.mdx)
+- or configure the [auto-assignment of users](../../auto-assign-users.mdx) if you don't want to provision your users with your Identity Provider.
@@ -140,4 +140,5 @@ To let users authenticate via SAML, you need to assign individual users or group
 
 ## 6. Next Steps
 
-- Configure the [auto-assignment of users](../../auto-assign-users.mdx).
+- Configure [User provisioning (SCIM)](../../scim/overview.mdx)
+- or configure the [auto-assignment of users](../../auto-assign-users.mdx) if you don't want to provision your users with your Identity Provider.
@@ -164,4 +164,5 @@ To let users authenticate via SAML, you need to assign the newly created applica
 
 ## 6. Next Steps
 
-- Configure the [auto-assignment of users](../../auto-assign-users.mdx).
+- Configure [User provisioning (SCIM)](../../scim/overview.mdx)
+- or configure the [auto-assignment of users](../../auto-assign-users.mdx) if you don't want to provision your users with your Identity Provider.
@@ -8,7 +8,7 @@ This section describes how you can enable SAML Single Sign-On (SSO) for your org
 
 SAML SSO allows your team members to sign up and log in to ConfigCat via their company accounts using your own Identity Provider (IdP).
 
-Go to the [Authentication Preferences](https://app.configcat.com/organization/authentication/) page to set up SAML SSO. You need to be an
+Go to the [Authentication & Provisioning](https://app.configcat.com/organization/authentication/) page to set up SAML SSO. You need to be an
 organization admin to do this.
 
 ## Prerequisites

@@ -0,0 +1,105 @@
+---
+id: entra-id
+title: (Beta) User Provisioning (SCIM) with Entra ID (Azure AD)
+description: This is a step-by-step guide on how to set up and configure Entra ID (Azure AD) as a User provisioning (SCIM) provider for your organization.
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+:::info
+**Beta Feature**: SCIM provisioning is in public beta. It has been thoroughly tested with various Identity Providers. 
+We're now collecting feedback from real-world usage to fine-tune the experience. Share your feedback [here](https://configcat.com/support).
+:::
+
+## Introduction
+
+Each Identity Provider requires specific information to configure a SCIM integration. The following guide will walk you through how you can connect ConfigCat with Entra ID via SCIM.
+
+## 1. Create an Entra ID Enterprise Application
+
+:::info
+If you already configured your organization to use Entra ID as a SAML provider, you can use the existing Entra ID Enterprise application and skip to the [next step](#2-configure-provisioning-scim-for-the-azure-enterprise-application).
+:::
+
+- Log in to the <a href="https://portal.azure.com/" target="_blank">Azure Portal</a>, go to the `Entra ID` resource, select `Enterprise applications`, and click on `New application`.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/new_application.png" alt="Entra ID enterprise applications" decoding="async" loading="lazy"/>
+
+- Click on `Create your own application`.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/create_application.png" alt="Entra ID create own application" decoding="async" loading="lazy"/>
+
+- Enter a descriptive `App name`, select the `Integrate any other application you don't find in the gallery (Non-gallery)` option, then click `Create`.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/app_name.png" alt="Entra ID app name" decoding="async" loading="lazy"/>
+
+The next step will guide you on how to setup Entra ID to synchronize your Identity Provider users and Identity Provider groups to ConfigCat.
+
+## 2. Configure Provisioning (SCIM) for the Azure Enterprise Application
+
+- On the `Manage` section of the application, select `Provisioning`, then click on  `New Configuration`.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/new_config.png" width="1293" alt="Entra ID new SCIM configuration" decoding="async" loading="lazy"/>
+
+- Gather the `SCIM URL` and the `Token` from the <a href="https://app.configcat.com/organization/authentication/" target="_blank" rel="noopener noreferrer">Authentication & Provisioning</a> page in ConfigCat.
+
+  <img className="bordered-img" src="/docs/assets/scim/dashboard/token_generate_url.png" alt="SCIM URL and token" decoding="async" loading="lazy"/>
+
+  <img className="bordered-img" src="/docs/assets/scim/dashboard/token.png" alt="SCIM token" decoding="async" loading="lazy"/>
+
+- Add the `SCIM URL` as the `Tenant URL` and the `Token` as the `Secret token` on the New provisioning configuration page in Azure. Click on the `Create` button.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/scim_meta.png" alt="Entra ID SCIM URL and token" decoding="async" loading="lazy"/>
+
+- Select the `Provisioning` menu and in the Mappings, configure the mapping for Users and Groups.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/mappings.png" alt="Entra ID SCIM mappings" decoding="async" loading="lazy"/>
+
+  - Mapping for Users:
+    Configure only the following mappings and remove all other mappings if there are any.
+
+    | Provisioning Attribute  | Microsoft Entra ID Attribute                                |
+    | ----------------------- | ----------------------------------------------------------- | 
+    | externalId              | objectId                                                    |
+    | userName                | userPrincipalName                                           |
+    | displayName             | displayName                                                 |
+    | active                  | Switch([IsSoftDeleted], , "False", "True", "True", "False") |
+
+    <img className="bordered-img" src="/docs/assets/scim/entra_id/user_mappings.png" alt="Entra ID SCIM User mappings" decoding="async" loading="lazy"/>
+
+  - Mapping for Groups:
+    Configure only the following mappings and remove all other mappings if there are any.
+
+    | Provisioning Attribute  | Microsoft Entra ID Attribute |
+    | ----------------------- | ---------------------------- | 
+    | externalId              | objectId                     |
+    | displayName             | displayName                  |
+    | members                 | members                      |
+
+    <img className="bordered-img" src="/docs/assets/scim/entra_id/group_mappings.png" alt="Entra ID SCIM Group mappings" decoding="async" loading="lazy"/>
+
+## 3. Assign Users/Groups to the Enterprise Application
+
+To start user provisioning with Entra ID, you need to assign groups to the Enterprise application.
+
+- Select `Users and groups` on the `Manage` section of the menu, and click `Add user/group`. Then, you can select the groups you want to assign.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/add_user.png" alt="Entra ID users and groups" decoding="async" loading="lazy"/>
+
+:::caution
+In ConfigCat, you can assign permissions only to groups that are synchronized from your Identity Provider, 
+therefore it's important to select groups for synchronization rather than individual users.
+:::
+
+## 4. Start provisioning
+
+- Go to the `Overview` page of the provisioning configuration and click on `Start provisioning`.
+
+  <img className="bordered-img" src="/docs/assets/scim/entra_id/start_provisioning.png" alt="Entra ID start provisioning" decoding="async" loading="lazy" />
+
+- Wait until the first provisioning is finished, and you should see each synced group and user on ConfigCat's <a href="https://app.configcat.com/organization/authentication/" target="_blank" rel="noopener noreferrer">Authentication & Provisioning</a> page.
+
+## 5. Next Steps
+
+- Continue with [assigning ConfigCat permissions to the synced groups](../overview.mdx#groups).
@@ -0,0 +1,120 @@
+---
+id: okta
+title: (Beta) User Provisioning (SCIM) with Okta
+description: This is a step-by-step guide on how to set up and configure Okta as a User provisioning (SCIM) provider for your organization.
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+:::info
+**Beta Feature**: SCIM provisioning is in public beta. It has been thoroughly tested with various Identity Providers. 
+We're now collecting feedback from real-world usage to fine-tune the experience. Share your feedback [here](https://configcat.com/support).
+:::
+
+## Introduction
+
+Each Identity Provider requires specific information to configure a SCIM integration. The following guide will walk you through how you can connect ConfigCat with Okta via SCIM.
+
+## 1. Create an Application in Okta
+
+- Log in to <a href="https://login.okta.com/" target="_blank">Okta</a>, go to the admin Dashboard, select `Applications`, and click on `Create App Integration`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/create_app.png" alt="Okta applications" decoding="async" loading="lazy" />
+
+- Select `SAML 2.0` as the Sign-in method.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/app_type.png" alt="Okta select SAML" decoding="async" loading="lazy"/>
+
+- Enter a descriptive `App name`, then click `Next`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/app_name.png" alt="Okta app name" decoding="async" loading="lazy"/>
+
+The next step will guide you on how to collect the information required for the appearing `Configure SAML` section.
+
+## 2. Configure SAML authentication for the Okta Application
+
+- Follow our [SAML configuration guide for Okta](../../../saml/identity-providers/okta/#2-configure-saml-for-the-okta-application).
+
+## 3. Configure Provisioning (SCIM) for the Okta Application
+
+- Click on `Edit` at the `App Settings`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/edit_settings.png" alt="Okta edit app settings" decoding="async" loading="lazy"/>
+
+- Check the `Enable SCIM provisioning` checkbox, and hit `Save`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/enable_provisioning.png" alt="Okta enable provisioning" decoding="async" loading="lazy"/>
+
+- Gather the `SCIM URL` and the `Token` from the <a href="https://app.configcat.com/organization/authentication/" target="_blank" rel="noopener noreferrer">Authentication & Provisioning</a> page in ConfigCat.
+
+  <img className="bordered-img" src="/docs/assets/scim/dashboard/token_generate_url.png" alt="SCIM URL and token" decoding="async" loading="lazy"/>
+
+  <img className="bordered-img" src="/docs/assets/scim/dashboard/token.png" alt="SCIM token" decoding="async" loading="lazy"/>
+
+- Select the `Provisioning` tab and click on the `Edit` button.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/edit_provisioning.png" alt="Okta edit provisioning" decoding="async" loading="lazy"/>
+
+- On the `SCIM Connection` section configure the following:
+  - Add the `SCIM URL` from the ConfigCat Dashboard as the `SCIM connector base URL`.
+  - Set the `Unique identifier field for users` field to `email`.
+  - Check the following `Supported provisioning actions`:
+    - `Push New Users`
+    - `Push Profile Updates`
+    - `Push Groups`
+  - Select the `HTTP Header` as the `Authentication Mode`.
+  - Set the `Token` from the ConfigCat Dashboard as the `HTTP Header Authorization`.
+  - Click on `Save`.<br/><br/>
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/scim_connection.png" alt="Okta SCIM connection" decoding="async" loading="lazy"/>
+
+- Select the `To App` menu item and click on `Edit`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/to_app_edit.png" alt="Okta To App edit" decoding="async" loading="lazy"/>
+
+- Check the `Create Users`, `Update User Attributes`, and `Deactivate Users` checkboxes, and hit `Save`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/to_app_save.png" alt="Okta To App save" decoding="async" loading="lazy"/>
+
+## 4. Assign Users/Groups to Okta Application
+
+To select users for synchronization into ConfigCat, you have to assign their Okta group to the Application.
+
+- Select the `Assignments` tab, click on the `Assign` dropdown, and select `Assign to Groups`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/assign_groups.png" alt="Okta assign groups" decoding="async" loading="lazy"/>
+
+- Click the `Assign` button on those groups whose members you want to sync to ConfigCat.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/assign_group.png" alt="Okta assign group" decoding="async" loading="lazy"/>
+
+The above action starts the synchronization of the selected users but not their groups.
+
+:::caution
+Okta does not support using the same Okta group for assignments and for syncing group-member relations. 
+You need to create a separate group that is used exclusively for syncing group-member relations.
+These groups are called `Push Groups` in Okta. 
+
+To learn more, see <a href="https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-about-group-push.htm" target="_blank" rel="noopener noreferrer">Okta's documentation about Push Groups</a>.
+:::
+
+To enable group syncing, create separate groups for the users that you want to sync and add these new groups to the application as `Push Groups`.
+
+- Go to the `Push Groups` tab, click on the `Push Groups` dropdown, and select `Find groups by name`.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/push_groups.png" alt="Okta push groups" decoding="async" loading="lazy"/>
+
+- Select the group that you want to push, and click on the `Save` button.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/add_push_group.png" alt="Okta add push group" decoding="async" loading="lazy"/>
+
+- Make sure that the created push group's status is active.
+
+  <img className="bordered-img" src="/docs/assets/scim/okta/push_group_active.png" alt="Okta push group active" decoding="async" loading="lazy"/>
+
+- You should see each synced group and user on ConfigCat's <a href="https://app.configcat.com/organization/authentication/" target="_blank" rel="noopener noreferrer">Authentication & Provisioning</a> page.
+
+## 5. Next Steps
+
+- Continue with [assigning ConfigCat permissions to the synced groups](../overview.mdx#groups).
Original file line number	Diff line number	Diff line change
Expand Up		@@ -19,3 +19,4 @@ website/i18n/*
		.dccache

		website/api/reference/*
		website/api/scim/*