
Setup SCIM Provisioning

info

SCIM Provisioning is only available in Appsmith's Enterprise Edition.

This page shows how to configure Appsmith for SCIM to enable the automatic provisioning of users and groups based on your SSO provider.

Prerequisites

  • A self-hosted Appsmith instance. See the installation guides for deploying Appsmith.
  • A SAML SSO provider is configured on your Appsmith instance. See SAML SSO for instructions.

Enable SCIM provisioning on Appsmith

  1. On your instance, go to Admin Settings > Access Control and click Provisioning.
  2. On the User Provisioning & Group Sync page, click Configure.
  3. Copy the SCIM API endpoint URL to add it later in your IdP application.
  4. Under API key to setup SCIM, click the Generate API key button and copy the API key to add it later in your IdP application.

Configure identity provider

To complete the setup, go to your IdP application that is connected to Appsmith and follow the steps below:

  1. On the Active Directory homepage, click Enterprise application on the sidebar and open the SAML application that is already connected to Appsmith.

  2. On the application Overview page, click Provisioning on the sidebar.

  3. On the Provisioning homepage, click Provisioning on the sidebar and follow the steps below:

    a. Select Automatic from the Provision Mode dropdown.

    b. In the Tenant URL field, paste the SCIM API endpoint URL that you copied in Step 3 of the Enable SCIM provisioning on Appsmith section.

    c. In the Secret Token field, paste the API key that you copied in Step 4 of the Enable SCIM provisioning on Appsmith section.

    d. Click the Test Connection button to check if the added credentials are authorized to enable provisioning.

    e. Expand the Mappings section, click Provision Azure Active Directory Users, and scroll down to Attribute Mappings to configure attributes for users. Delete all the attributes except the following:

    • userPrincipalName
    • displayName
    • Switch([IsSoftDeleted], , "False", "True", "True", "False")

    f. Click Save.

    g. Go back to Mappings on the Provisioning page, click Provision Azure Active Directory Groups, and scroll down to Attribute Mappings to configure attributes for groups. Delete all the attributes except the following:

    • displayName
    • members

    h. Click Save.

    i. Go back to the Provisioning page and turn the Provisioning status toggle at the bottom of the page to On.

  4. Go to the Overview page on the sidebar, and click the start provisioning button on the navigation bar.

  5. Go to Users and Groups on the sidebar, and click Add user/group to add a user or group to your application. These users or groups get automatically synced and added to your Appsmith instance.

  6. If you want to sync a user or group manually, go to Provision on Demand in the sidebar, and enter a user or group name in the Select a user or group field.

Once the setup is complete, refresh Appsmith in your browser. The users and groups from your IdP are then synced to Appsmith. You can check the users and groups in Appsmith under Admin Settings > Access Control > Users/Groups.
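
The Test Connection step above can also be checked from a terminal before provisioning is turned on. The following Python code is an added example, not Appsmith's or Microsoft's code; it assumes the endpoint follows SCIM 2.0 (RFC 7644), serving users at <endpoint>/Users and accepting the API key as a Bearer token, and its function names are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
import uuid

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_probe(tenant_url, api_key):
    """Build a read-only SCIM query for a user name that cannot exist."""
    parts = urllib.parse.urlsplit(tenant_url)
    if parts.scheme != "https" or not parts.netloc:
        # The API key is a bearer secret: never send it over plain HTTP.
        raise ValueError("SCIM endpoint URL must be an https:// URL")
    if not api_key.strip():
        raise ValueError("API key is empty")
    # Assumption: users are served at <endpoint>/Users, as in RFC 7644.
    query = urllib.parse.urlencode({"filter": f'userName eq "{uuid.uuid4()}"'})
    return urllib.request.Request(
        f"{tenant_url.rstrip('/')}/Users?{query}",
        headers={"Authorization": f"Bearer {api_key}",
                 "Accept": "application/scim+json"},
    )


def classify(status, body):
    """Turn an HTTP status and body into a short verdict."""
    if status in (401, 403):
        return "rejected"          # key missing or not accepted
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not SCIM"          # e.g. an HTML login page behind a proxy
    if isinstance(doc, dict) and LIST_RESPONSE in doc.get("schemas", []):
        return "ok"
    return "not SCIM"


def probe(tenant_url, api_key, timeout=10):
    """Send the query and classify the answer; needs network access."""
    try:
        with urllib.request.urlopen(build_probe(tenant_url, api_key),
                                    timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
```

Calling probe() with the copied endpoint URL and API key should return "ok", and calling it with a deliberately wrong key should return "rejected"; any other result is worth resolving before the Provisioning status toggle is turned on.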

caution

All user and group updates must be performed on the Identity Provider (IdP) side only. Avoid making direct changes within Appsmith to prevent data discrepancies. For assistance or inquiries, contact the support team using the chat widget at the bottom right of this page.
