SCIM User Provisioning

Note

This is a Preview feature. SCIM is only supported in the SingleStore Enterprise Edition.

SingleStore System for Cross Identity Management (SCIM) enables user provisioning from an identity provider to the Cloud Portal and SingleStore database. When SCIM is configured, changes in the identity provider synchronize automatically with the Cloud Portal. For example, assigning a user in the identity provider application automatically adds that user to the organization.

SingleStore SCIM supports the SCIM 2.0 protocol. When users are provisioned through SCIM from an identity provider, their default access depends on whether RBAC is enabled:

  • If RBAC is disabled, the system assigns Owner access by default, similar to inviting new users manually.

  • If RBAC is enabled, the system grants the user basic permissions based on the role defined for new users. This provides only limited access unless additional roles or permissions are explicitly assigned.

RBAC is required for managing user permissions in both SingleStore Helios and the SingleStore database engine.

The following table shows the identity provider application assignments and the corresponding actions in SingleStore Helios:

| Identity provider application assignment | SingleStore Helios corresponding action  |
|------------------------------------------|------------------------------------------|
| Add user                                 | Add a user to a SingleStore organization |
| Remove user                              | Remove the user from the organization    |
| Add group                                | Create a new team                        |
| Remove group                             | Remove the team                          |
| Add a user to group                      | Add the user to team                     |

When SCIM is configured with RBAC enabled, adding a group in the identity provider automatically creates a corresponding team in the Cloud Portal. The permissions configured for the team are then automatically granted to users added to the team.

Note

The number of users synchronized by SCIM must not exceed 1,000 for optimal performance.

Create SCIM Configuration

Perform the following tasks to create a new SCIM configuration:

  1. On the Cloud Portal, select <your_organization> > Organization Details > SCIM.

  2. Select + New SCIM Configuration.

  3. In the New SCIM Configuration dialog box, enter a Description, and select Generate Secret Token.

  4. Copy the generated Secret Token and secure it. The secret token is displayed only once.

  5. Select Save Configuration.

  6. Use the endpoint URL (https://authsvc.singlestore.com/auth/scim/[id]) and the generated bearer token to configure SCIM in the identity provider.

Creating a new SCIM configuration deactivates the existing configuration. Only one SCIM configuration can be active at a time.
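The following added example (not SingleStore's code) sketches the SCIM 2.0 requests an identity provider would send for each row of the assignment table above, using the endpoint URL and bearer token from step 6. It assumes the standard RFC 7644 resource paths (/Users, /Groups); the SCIM_SECRET_TOKEN variable name and the sample ids are hypothetical, and nothing is sent over the network.

```python
import json
import os

# Endpoint shape from the page; "[id]" stays a placeholder for your configuration id.
BASE_URL = "https://authsvc.singlestore.com/auth/scim/[id]"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_request(method, path, token, body=None):
    """Describe one SCIM 2.0 call (assumed RFC 7644 paths) without sending it."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    if body is not None:
        headers["Content-Type"] = "application/scim+json"
    return {"method": method, "url": BASE_URL + path, "headers": headers,
            "body": json.dumps(body) if body is not None else None}

def add_user(token, user_name):  # table row "Add user"
    return scim_request("POST", "/Users", token,
                        {"schemas": [USER_SCHEMA], "userName": user_name, "active": True})

def remove_user(token, user_id):  # table row "Remove user"
    return scim_request("DELETE", f"/Users/{user_id}", token)

def add_group(token, display_name):  # table row "Add group" (creates a team)
    return scim_request("POST", "/Groups", token,
                        {"schemas": [GROUP_SCHEMA], "displayName": display_name})

def remove_group(token, group_id):  # table row "Remove group"
    return scim_request("DELETE", f"/Groups/{group_id}", token)

def add_user_to_group(token, group_id, user_id):  # table row "Add a user to group"
    op = {"op": "add", "path": "members", "value": [{"value": user_id}]}
    return scim_request("PATCH", f"/Groups/{group_id}", token,
                        {"schemas": [PATCH_SCHEMA], "Operations": [op]})

def redacted(request):
    """Copy of a request that is safe to log: the bearer token is masked."""
    safe = dict(request, headers=dict(request["headers"]))
    safe["headers"]["Authorization"] = "Bearer <redacted>"
    return safe

if __name__ == "__main__":
    # The token is shown only once in the portal; read it from the environment
    # (hypothetical variable name) instead of hard-coding it. Fallback is constructed.
    token = os.environ.get("SCIM_SECRET_TOKEN", "constructed-sample-token")
    for req in (add_user(token, "alice@example.com"), add_group(token, "data-eng"),
                add_user_to_group(token, "g-1", "u-1"), remove_user(token, "u-1")):
        print(json.dumps(redacted(req), indent=2))
```

Comparing these shapes against the identity provider's provisioning log helps confirm which assignment triggered which change in the organization.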

Configure an existing SCIM

To generate a new secret token for an existing SCIM configuration, select Configure SCIM. Select Generate Secret Token > Save Configuration. Generating a new secret invalidates the existing secret token.

Deactivate an existing SCIM

To deactivate an existing SCIM configuration, select the ellipsis (three dots) next to the displayed SCIM, and then select Deactivate from the list. Deactivating an existing SCIM configuration does not remove users; it only prevents the synchronization of users and teams from the identity provider.

Activate an existing SCIM

To activate an existing SCIM configuration, select the ellipsis (three dots) next to the displayed SCIM, and then select Activate from the list. Activating an existing SCIM configuration deactivates other SCIM connections and prevents synchronization of users and teams from the identity provider. It does not remove users.

Remove an existing SCIM

To remove an existing SCIM configuration, select the ellipsis (three dots) next to the displayed SCIM, and then select Remove SCIM from the list. Once the SCIM configuration is removed, the associated users and teams are deleted, and the action cannot be undone.

Last modified: November 21, 2024