SCIM Integration
Introduction
What is SCIM?
System for Cross-domain Identity Management (SCIM) is a protocol designed to make managing identities in multi-domain environments easier. It defines a standard schema and set of RESTful APIs that allow identity data to be communicated between:
- Identity Providers (IdPs) such as Okta, Azure AD, Ping Identity, OneLogin, etc.
- Service Providers or applications like Testkube, Slack, G Suite, etc.
Key SCIM Concepts
- Users – Represent individual identities in SCIM.
- Groups – Collections of users or nested groups, often mapped to
teams
orroles
in different applications. - Schemas – Define the standard attributes (e.g.,
userName
,displayName
,emails
) and extension attributes to represent identity data. - Endpoints – SCIM uses RESTful endpoints for CRUD operations on Users and Groups, typically exposed under a base path such as
/scim/v2/Users
or/scim/v2/Groups
.
SCIM Client vs. SCIM Server
SCIM Client
A SCIM Client is typically the Identity Provider that initiates requests to manage user and group data:
- Creates or updates users in the target application (the SCIM server).
- Adds or removes users from groups.
- Deprovisions (deletes) users when access is no longer needed.
Examples:
- Okta acts as a SCIM client by sending user-provisioning requests to Testkube.
- Azure AD automatically creates or updates user accounts in Testkube via SCIM.
SCIM Server
A SCIM Server is a Service Provider that exposes SCIM endpoints:
- Receives requests from SCIM clients (IdPs) and updates its local user directory or membership data accordingly.
- Provides responses with updated resource data (users or groups).
Examples:
- Testkube acts as the SCIM server, listening for inbound provisioning requests and updating its internal user/team membership.
Testkube SCIM Integration
Why Integrate SCIM with Testkube?
-
Centralized Identity Management
Use your existing IdP (e.g., Okta, Azure AD) to add and remove users or teams in Testkube automatically. By consolidating identity management, you reduce duplication of user records and simplify the overall provisioning process across various tools and platforms. -
Reduced Manual Effort
Eliminates the need for separate local user management within Testkube. Instead of juggling multiple accounts and configurations, administrators can rely on the IdP to handle the entire lifecycle of user accounts and group memberships. -
Security and Compliance
Ensures that user de-provisioning is consistent across all systems, reducing risk. This uniform approach helps organizations meet audit and compliance requirements by clearly demonstrating how access is revoked when an individual no longer needs it.
If SCIM server is enabled, users cannot log in to Testkube before they are provisioned via SCIM.
Architecture Overview
-
Identity Provider (SCIM Client)
Users and Groups are configured in the Identity Provider and SCIM (Client) integration provisions them automatically in Testkube. -
Testkube SCIM Endpoints (SCIM Server)
Testkube exposes a separate SCIM server with/Users
and/Groups
(and other standard) endpoints to accept provisioning requests from SCIM Client. -
Internal User Management
Testkube translates SCIM calls into internal operations (creating teams, adding/removing users, assigning roles, etc.) and maps SCIM Groups into Testkube Teams. -
Authentication and Authorization
Testkube SCIM server uses Bearer Token authentication to validate incoming requests and enforce access control, so an API token needs to be generated and configured in the IdP's SCIM client.
Configuration
To enable and configure the SCIM server in Testkube Enterprise, follow these steps:
1. Enable the SCIM Server
Choose one of the following methods:
-
Environment variable:
SCIM_SERVER_ENABLED=true
-
Helm values (testkube-enterprise chart):
testkube-cloud-api:
scim:
enabled: true
2. Set the Default Organization
This defines the organization to which new SCIM users and groups will be assigned.
-
Environment variable:
SCIM_SERVER_DEFAULT_ORGANIZATION=my-org
-
Helm values:
testkube-cloud-api:
scim:
# This should be equal to the organization name (not slug or ID)
defaultOrganization: my-org
Tip: Use the bootstrap feature to create the default organization if it doesn't exist yet.
3. Configure the SCIM Server Port (Optional)
The default SCIM server port is 8081
. You can change it with:
-
Environment variable:
SCIM_SERVER_PORT=9090
-
Helm values:
testkube-cloud-api:
scim:
port: 9090
4. Set the Authentication Token
Secure your SCIM server using a token. Choose one of the following methods:
Option A: Direct token configuration
-
Environment variable:
SCIM_SERVER_AUTH_TOKEN=your-secure-token
-
Helm values:
testkube-cloud-api:
scim:
auth:
token: your-secure-token
Option B: Use a Kubernetes secret
-
Create a Kubernetes secret:
kubectl create secret generic scim-auth-token \
--from-literal=SCIM_AUTH_TOKEN=your-secure-token -
Reference it in Helm values:
testkube-cloud-api:
scim:
auth:
secretRef: scim-auth-token
Warning: If no token is set, the SCIM server will run without authentication.
5. Expose the SCIM Server
Ensure the SCIM server is accessible from your Identity Provider. SCIM Ingress can be enabled using the following Helm values:
testkube-cloud-api:
scimIngress:
enabled: true
6. Configure SCIM Client in Your Identity Provider
Set up the SCIM integration in your IdP (e.g., Okta, Azure AD) by pointing it to the Testkube SCIM endpoints. Ensure that the auth token (if set) is included in requests as a bearer token.
SCIM is a complement to custom Identity Provider for SSO, it does not replace it.
Roles and Entitlements
For assigning roles to Users and Groups, Testkube SCIM server checks does the resource (User or Group) have the roles
field and assigns the roles to the User or Group based on the value of the roles
field.
The roles
field should be an array of strings where each string is a Role Uniform Resource Name.
Example:
{
"roles": [
"urn:testkube:role:organization:*:member",
"urn:testkube:role:environment:my-env:admin"
]
}
This example would assign a User or Group the member
role in all organizations and the admin
role in the my-env
environment.
For assigning Users and Groups to Testkube Environments or Resource Groups, Testkube SCIM server checks does the resource (User or Group) have the entitlements
field and assigns the User or Group to an Environment or Resource Group based on the value of the entitlements
field.
The entitlements
field should be an array of strings where each string is an Entitlement Uniform Resource Name.
Example:
{
"entitlements": [
"urn:testkube:entitlement:environment:my-env",
"urn:testkube:entitlement:resource-group:my-rg"
]
}
This example would assign a User or Group to the my-env
environment and the my-rg
resource group.
If an Environment with the specified name does not exist, it will be created.
When SCIM is enabled all member roles/permissions are managed through the mechanism described above, and the corresponding role/permission management is disabled in the Testkube Dashboard.
Not supported
PATCH
operations are currently not supported
Additional Resources
- SCIM Specification (RFC 7643 & 7644)
- Okta SCIM Provisioning Documentation
- Configure SCIM provisioning using Microsoft Entra ID (Azure Active Directory)
This document reflects the general guidelines and best practices for SCIM integration with Testkube. Refer to the specific version of Testkube you are running for exact configuration steps and endpoint availability.