scim

Author: grantmiller

docs/vendor/team-management-saml-auth.md

@@ -8,13 +8,17 @@ After starting out with Replicated, most teams grow, adding more developers, sup
 
 Using SAML, everyone on your team logs in with their existing usernames and passwords through your identity provider's dashboard. Users do not need to sign up through the Vendor Portal or log in with a separate Vendor Portal account, simplifying their experience.
 
+### Service Provider Initiated Login
+
+You can start the SAML sign-in flow directly from the Vendor Portal. Go to the SAML login page at `https://vendor.replicated.com/login-saml`. Based on your team's SAML configuration, the Vendor Portal redirects you to your identity provider to complete authentication. IdP-initiated login from your identity provider dashboard is also supported. By default this only works for existing and invited users, however your account team can optionally enable JIT provisioning of users who input email addresses that match your team's domain (this will redirect any email with @domain.com to your IDP for auth.)
+
 ### Enabling SAML in Your Vendor Account
 
 To enable SAML in your Vendor Portal account, you must have an Enterprise plan. For access to SAML, you can contact Replicated through [Support](https://vendor.replicated.com/support). For information about the Enterprise plan, see [pricing](https://www.replicated.com/pricing/).
 
 ### SCIM
 
-Replicated does not implement System for Cross-domain Identity Management (SCIM). Instead, we use SAML to authenticate and create just-in-time user identities in our system. We resolve the username (email address) as the actor and use this to ensure that audit log events follow these dynamically provisioned users. If a user's email address is already associated with a Replicated account, by using your SAML integration to access the Vendor Portal, they automatically leave their current team and join the team associated with the SAML login.
+For automated user provisioning and deprovisioning, you can enable System for Cross-domain Identity Management (SCIM). SCIM requires SAML to be configured first. For more information, see [Manage SCIM Provisioning (Beta)](team-management-scim-provisioning).
 
 ### Compatibility with Two-Factor Authentication
 
@@ -31,8 +35,8 @@ You must retrieve the metadata and x.509 public certificate files from your SAML
 Replicated tests several SAML providers, but the service should be compatible with any SAML 2.0 compliant service provider. We provide full support for the following SAML providers:
 
 * Okta. For more information about integrating Okta with Replicated, see [Configure Okta](#configure-okta).
-
 * OneLogin
+* Duo
 
 
 ## Configure Okta

docs/vendor/team-management-scim-provisioning.mdx

@@ -0,0 +1,308 @@
+# Manage SCIM Provisioning (Beta)
+
+This topic describes how to configure SCIM (System for Cross-domain Identity Management) v2.0 provisioning for the Replicated Vendor Portal.
+
+:::note
+SCIM provisioning is Beta. Features and availability are subject to change.
+:::
+
+## Overview
+
+The Replicated Vendor Portal supports SCIM v2.0 for automated user provisioning and deprovisioning. With SCIM you can:
+
+- Automatically provision users from your identity provider to Replicated
+- Keep user information synchronized between systems
+- Automatically deprovision users when they leave your organization
+- Manage the user lifecycle through your existing identity provider
+
+## Prerequisites
+
+Before you configure SCIM, ensure that:
+
+1. SAML SSO is configured. For more information, see [Manage SAML Authentication](team-management-saml-auth).
+2. Your team has the SAML entitlement enabled.
+3. You have a Vendor Service Account token with permissions to manage team members.
+4. You have administrative access to your identity provider.
+
+## SCIM Endpoints
+
+Base URL: `https://api.replicated.com/vendor/scim/v2`
+
+### Discovery Endpoints
+
+- `GET /ServiceProviderConfig` — SCIM implementation capabilities
+- `GET /ResourceTypes` — Supported resource types (User, Group)
+- `GET /Schemas` — Detailed schema information
+
+### User Management Endpoints
+
+- `GET /Users` — List users with filtering and pagination
+- `POST /Users` — Create users
+- `GET /Users/{userId}` — Get a user (`userId` is the email address)
+- `PATCH /Users/{userId}` — Update user (deactivation only)
+- `PUT /Users/{userId}` — Replace user (deactivation only)
+- `DELETE /Users/{userId}` — Delete user
+
+### Group Endpoints
+
+- `GET /Groups` — Returns an empty list (read-only for compliance)
+
+## Unique Identifier
+
+- Primary identifier: `userName` (must be the user's email address)
+- Resource ID: The `id` in responses is the user's email address
+- Path parameter: `userId` for endpoints like `/Users/{userId}` is the user's email address
+- Uniqueness: Email must be unique within your Replicated team. Updating a user's email via SCIM is not supported; create a new user with the new email and deactivate the old one.
+
+:::tip
+Email precedence:
+1. If any entry in `emails[]` has `primary: true`, that value is used even if `userName` is set.
+2. Otherwise, if `userName` is set, it is used.
+3. Otherwise, if `emails[]` has values, the first `emails[0].value` is used.
+:::
+
+## Authentication
+
+- Scheme: OAuth 2.0 Bearer Token
+- Header: `Authorization: Bearer <YOUR_VENDOR_API_TOKEN>`
+- Token type: Replicated Vendor Service Account token scoped to your team with permissions to manage team members
+- Prerequisite: SAML entitlement must be enabled for SCIM access
+
+Example:
+
+```bash
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://api.replicated.com/vendor/scim/v2/Users
+```
+
+## Identity Provider Configuration
+
+### Okta Configuration
+
+#### Step 1: Add Replicated Application
+1. In the Okta Admin Console, go to **Applications > Applications**.
+2. Create a custom SAML 2.0 application.
+3. Click **Add Integration**.
+
+#### Step 2: Configure SAML
+1. Configure SAML settings as described in [Manage SAML Authentication](team-management-saml-auth).
+2. Ensure SAML is working before you proceed with SCIM.
+
+#### Step 3: Enable SCIM Provisioning
+1. In your Okta account's Replicated application listing, go to the **Provisioning** tab.
+2. Click **Configure API Integration**.
+3. Check **Enable API integration**.
+4. Enter the following settings:
+   - Base URL: `https://api.replicated.com/vendor/scim/v2`
+   - Unique ID: email
+   - Authentication Mode: HTTP
+   - Supported Actions: Import Users, Push New Users, Push Profile Updates (deactivate only)
+   - API Token: Your Replicated Vendor API token
+
+#### Step 4: Configure Provisioning Settings
+1. Go to **Provisioning > To App**.
+2. Enable the following:
+   - Create Users
+   - Update User Attributes
+   - Deactivate Users
+
+#### Step 5: Attribute Mapping
+Configure the following attribute mappings:
+
+| Okta Attribute | Replicated Attribute | Required | Notes |
+| --- | --- | --- | --- |
+| `user.email` | `userName` | Yes | Primary identifier |
+| `user.email` | `emails[0].value` | Recommended | Used if marked primary; otherwise only when `userName` is missing |
+| `user.firstName` | `name.givenName` | Recommended | Used for display purposes |
+| `user.lastName` | `name.familyName` | Recommended | Used for display purposes |
+| `user.displayName` | `displayName` | Optional | Auto-generated if not provided |
+
+Note: Only email is strictly required. If name fields are not provided, users are created but may have incomplete profile information. Internally, Replicated stores names as `firstName` and `lastName`; these map to SCIM `name.givenName` and `name.familyName` respectively.
+
+#### Step 6: Assign Users
+1. Go to the **Assignments** tab.
+2. Assign users or groups who should have access to Replicated.
+3. Users are provisioned to your Replicated team automatically.
+
+## Migrating from Existing User Management
+
+### Pre-SCIM User Synchronization
+
+If your team already has users in Replicated before you enable SCIM, synchronize existing users with your identity provider.
+
+#### Option 1: Automatic User Matching (Recommended)
+1. Before you enable SCIM provisioning, ensure that all existing Replicated users have matching accounts in your identity provider.
+2. Configure SCIM as described above, but do not assign users yet.
+3. Test with a single user:
+   - Assign one existing user to the Replicated app in your identity provider.
+   - The system matches by email and returns the existing user.
+4. Gradually assign all existing users to complete the sync.
+
+#### Option 2: Manual User Migration
+If email addresses do not match exactly or users exist in other teams:
+1. Update email addresses in Replicated or your identity provider so that they match.
+2. For users existing in other Replicated teams:
+   - Domain authorized: The system automatically migrates the existing user's email and creates a new user.
+   - Domain not authorized: Manual intervention is required. Contact support.
+3. Ensure that your SAML domain authorization includes all relevant email domains.
+
+#### Verification Steps
+After migration, verify the setup:
+
+```bash
+# List all users via SCIM to confirm sync
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://api.replicated.com/vendor/scim/v2/Users
+
+# Check a specific user by email
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://api.replicated.com/vendor/scim/v2/Users/[email protected]
+```
+
+### Migration Best Practices
+
+1. Test environment first.
+2. Staged rollout starting with a small group of users.
+3. Communicate the migration timeline.
+4. Document the current user list and permissions before migration.
+5. Monitor for provisioning errors during the first few days.
+
+### Generic SCIM Provider Configuration
+
+For identity providers that support SCIM v2.0:
+
+#### Basic Settings
+
+- SCIM Base URL: `https://api.replicated.com/vendor/scim/v2`
+- Authentication Method: Bearer Token
+- Bearer Token: Your Replicated Vendor API token
+- SCIM Version: 2.0
+
+#### Required Attributes
+
+Minimum required attributes (only email is strictly required):
+
+```json
+{
+  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+  "userName": "[email protected]"
+}
+```
+
+Recommended full attribute set:
+
+```json
+{
+  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+  "userName": "[email protected]",
+  "emails": [
+    {
+      "value": "[email protected]",
+      "type": "work",
+      "primary": true
+    }
+  ],
+  "name": {
+    "givenName": "John",
+    "familyName": "Doe"
+  },
+  "active": true
+}
+```
+
+## Supported Features
+
+### Supported Operations
+
+- User creation
+- User deactivation
+- User deletion
+- User filtering
+- Pagination
+- Email migration (automatic handling of email conflicts across teams)
+
+### Unsupported Operations
+
+- User reactivation
+- Password management
+- Group management (read-only, returns empty results)
+- Bulk operations
+- Updating user attributes other than deactivation
+
+## Troubleshooting
+
+### Common Issues
+
+#### Authentication errors (401)
+
+- Verify that your API token is valid and has appropriate permissions.
+- Ensure that the token is sent as `Authorization: Bearer YOUR_TOKEN`.
+- Check that your team has the SAML entitlement enabled.
+
+#### User not found errors (404)
+
+- Verify that the email address is correct. SCIM uses the email as `userId`.
+- Ensure that the user belongs to the correct team.
+- Check that SAML domain authorization is configured properly.
+
+#### Email conflicts
+
+The system automatically handles email conflicts when a user exists in any other team if your email domain is authorized for SAML.
+
+If the email domain is authorized for SAML:
+
+- The original user's email is migrated with a `+moved{date}` suffix.
+- A new user is created with the original email in the target team.
+- An email notification is sent to inform the user their account was moved.
+- Migration proceeds automatically.
+
+If the email domain is not authorized for SAML:
+
+- Migration is blocked for security.
+- The API returns the error: "Email is already associated with another team".
+- Manual intervention is required. Contact support or use a different email.
+
+#### Provisioning failures
+
+1. Check SCIM endpoint connectivity.
+2. Verify that all required attributes are being sent.
+3. Ensure that SAML is configured and working.
+4. Review identity provider logs for specific error messages.
+
+### Testing SCIM Integration
+
+#### Manual testing
+
+Use curl to test SCIM endpoints:
+
+```bash
+# Test service provider configuration
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://api.replicated.com/vendor/scim/v2/ServiceProviderConfig
+
+# List users
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://api.replicated.com/vendor/scim/v2/Users
+
+# Create user
+curl -X POST \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Content-Type: application/scim+json" \
+  -d '{
+    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+    "userName": "[email protected]",
+    "emails": [{"value": "[email protected]", "primary": true}],
+    "name": {"givenName": "Test", "familyName": "User"},
+    "active": true
+  }' \
+  https://api.replicated.com/vendor/scim/v2/Users
+```
+
+#### Identity provider testing
+
+1. Test the connection using your identity provider's test feature.
+2. Provision a test user and verify creation.
+3. Deprovision the test user and verify deactivation.
+4. Review both identity provider and Replicated audit logs.
+
+

docs/vendor/team-management.md

@@ -14,6 +14,10 @@ The [Team](https://vendor.replicated.com/team/members) page provides a list of a
 
 All users, including read-only, can see the name of the RBAC role assigned to each team member. When SAML authentication is enabled, users with the built-in read-only policy cannot see the RBAC role assigned to team members.
 
+### SCIM
+
+You can enable System for Cross-domain Identity Management (SCIM) for automated provisioning and deprovisioning. SCIM requires SAML to be configured first. For more information, see [Manage SCIM Provisioning (Beta)](team-management-scim-provisioning).
+
 ## Invite Members
 By default, team administrators can invite more team members to collaborate. Invited users receive an email to activate their account. The activation link in the email is unique to the invited user. Following the activation link in the email also ensures that the invited user joins the team from which the invitation originated.
 
@@ -95,7 +99,7 @@ As a Vendor Portal team admin, you can remove team members, except for the accou
 
 If the team member that you remove added their GitHub username to their Account Settings page in the Vendor Portal to access the Replicated collab repository, then the Vendor Portal also automatically removes their username from the collab repository. For more information, see [Manage Access to the Collab Repository](team-management-github-username).
 
-SAML-created users must be removed using this method to expire their existing sessions because Replicated does not support System for Cross-domain Identity Management (SCIM).
+If SCIM is not enabled, remove SAML-created users using this method to end their existing sessions. If SCIM is enabled, deprovision the user from your identity provider to deactivate the account in Replicated.
 
 To remove a member:
 

sidebars.js

@@ -136,6 +136,7 @@ const sidebars = {
                 'vendor/team-management-two-factor-auth',
                 'vendor/team-management-google-auth',
                 'vendor/team-management-saml-auth',
+                'vendor/team-management-scim-provisioning',
               ],
             },
             'vendor/team-management-slack-config',