SCIM provisioning overview
Lightrun user and group provisioning with the System for Cross-domain Identity Management (SCIM) protocol lets you automatically manage and exchange user data and permissions between an identity provider (IdP) such as Okta or Azure AD and a service provider such as Lightrun. Lightrun supports SCIM 2.0 provisioning, which allows admins to manage users directly from the IdP and removes the need to maintain users in both places in parallel.
Guidelines for managing users using SCIM provisioning
The following rules and guidelines apply when managing users with SCIM:
- Only one identity provider (IdP) should be integrated with the Lightrun SCIM endpoint.
- Users created through SCIM are displayed as read-only in the User Management tab of the Lightrun Portal.
- You cannot remove SCIM-managed users from the Management Portal.
- By default, SCIM users are added to the default Agent Pool and receive user-role permissions.
- You can assign users to other agent pools; they then inherit the roles assigned to that agent pool.
- Existing Lightrun users can be migrated to SCIM by selecting the Provision existing users with SCIM toggle on the SCIM page.
Provisioning existing Lightrun users using SCIM
Lightrun supports provisioning existing users through SCIM. This means you can shift responsibility for managing your current Lightrun users to your chosen identity provider. Before starting the migration, make sure these Lightrun users are already managed through SCIM on the IdP side.
- Log in to your Lightrun account.
- Click Settings at the top right of the screen, then go to Identity and Access Management > Identity Configuration. The Login methods page opens.
- Click the SSO toggle to enable SSO and configure it as described in SSO.
- Click the SCIM toggle to enable SCIM.
- Click the Provision existing users with SCIM toggle.
- Click Save. The Lightrun users are now managed from your SCIM provider and are disabled in the Lightrun Management Portal.
Provisioning Lightrun groups using SCIM
Starting with version 1.51, you can provision Lightrun groups through SCIM in addition to managing Lightrun users. This lets you delegate the management of Lightrun groups to a supported identity provider (IdP). Before moving group management to SCIM, make sure the groups you want to sync with Lightrun already exist in your IdP.
When a group is created and synchronized via SCIM:
- The group name and its assigned users are automatically synced to Lightrun.
- These details are displayed as read-only on the Identity Management page, under the Groups tab in the Permissions and Access section.
For detailed instructions on setting up SCIM for group provisioning, refer to the documentation for your identity provider.
Rules and guidelines for SCIM Group provisioning
- Role Assignment: Lightrun roles (e.g., Standard and Privileged) cannot be assigned through SCIM. They must be configured directly in the Lightrun Management Portal.
- Group Duplication: You cannot push a group to Lightrun if a group with the same name already exists in Lightrun.
- Group Linking: SCIM does not support linking from Lightrun to Okta (or other identity providers).
- Group Unsyncing: When a group is unlinked in SCIM, its management transitions back to Lightrun.
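The user rules above (default Agent Pool, user-role permissions, read-only in the portal) and the group rules (name and members synced, duplicate names rejected, unlinking hands management back) are easiest to see as the behaviour of the service-provider side of a SCIM 2.0 exchange. The following is an added, self-contained model of that side, written for this page; it is not Lightrun's code and does not call Lightrun's API. The schema URNs and the `uniqueness`/`invalidValue` error types come from the SCIM 2.0 RFCs (7643/7644); the pool name `default`, the role name `user`, the endpoint class and the sample payloads are assumptions constructed for the example.

```python
"""Illustrative in-memory SCIM 2.0 service provider (hypothetical, not Lightrun's code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Schema and error URNs defined by SCIM 2.0 (RFC 7643 / RFC 7644).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Assumed names: the page says "default Agent Pool" and "user-role permissions".
DEFAULT_AGENT_POOL = "default"
DEFAULT_ROLE = "user"


class ScimError(Exception):
    """Carries an RFC 7644 style error response (status, scimType, detail)."""

    def __init__(self, status: int, scim_type: str, detail: str):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail

    def to_response(self) -> dict:
        return {"schemas": [ERROR_SCHEMA], "status": str(self.status),
                "scimType": self.scim_type, "detail": self.detail}


@dataclass
class User:
    id: str
    user_name: str
    active: bool = True
    agent_pool: str = DEFAULT_AGENT_POOL  # rule: added to the default pool
    role: str = DEFAULT_ROLE              # rule: user-role permissions
    scim_managed: bool = True             # rule: read-only in the portal


@dataclass
class Group:
    id: str
    display_name: str
    members: List[str] = field(default_factory=list)  # user ids
    scim_managed: bool = True


class ServiceProvider:
    """Stand-in for the SCIM endpoint on the service-provider side (hypothetical)."""

    def __init__(self):
        self.users: Dict[str, User] = {}
        self.groups: Dict[str, Group] = {}
        self._seq = 0

    def _new_id(self, prefix: str) -> str:
        self._seq += 1
        return f"{prefix}-{self._seq}"

    @staticmethod
    def _require_schema(payload: dict, schema: str) -> None:
        if schema not in payload.get("schemas", []):
            raise ScimError(400, "invalidSyntax", f"payload must declare {schema}")

    def create_user(self, payload: dict) -> User:
        """POST /Users: validate the core schema, then apply the page's defaults."""
        self._require_schema(payload, USER_SCHEMA)
        name = payload.get("userName")
        if not name:
            raise ScimError(400, "invalidValue", "userName is required")
        if any(u.user_name == name for u in self.users.values()):
            raise ScimError(409, "uniqueness", f"user {name} already exists")
        user = User(id=self._new_id("u"), user_name=name,
                    active=bool(payload.get("active", True)))
        self.users[user.id] = user
        return user

    def create_group(self, payload: dict) -> Group:
        """POST /Groups: sync displayName and members; refuse an existing name."""
        self._require_schema(payload, GROUP_SCHEMA)
        name = payload.get("displayName")
        if not name:
            raise ScimError(400, "invalidValue", "displayName is required")
        if any(g.display_name == name for g in self.groups.values()):
            raise ScimError(409, "uniqueness", f"group {name} already exists")
        members = []
        for m in payload.get("members", []):
            if m.get("value") not in self.users:
                raise ScimError(400, "invalidValue", f"unknown member {m.get('value')}")
            members.append(m["value"])
        group = Group(id=self._new_id("g"), display_name=name, members=members)
        self.groups[group.id] = group
        return group

    def unlink_group(self, group_id: str) -> Group:
        """Group unsync: management transitions back, so the record becomes editable locally."""
        group = self.groups[group_id]
        group.scim_managed = False
        return group

    def portal_delete_user(self, user_id: str) -> None:
        """Portal-side delete: refused for SCIM-managed users (read-only there)."""
        if self.users[user_id].scim_managed:
            raise PermissionError("SCIM-managed users cannot be removed from the portal")
        del self.users[user_id]


def demo() -> dict:
    """Constructed sample exchange; returns the outcomes so they can be checked."""
    sp = ServiceProvider()
    alice = sp.create_user({"schemas": [USER_SCHEMA], "userName": "alice@example.com"})
    devs = sp.create_group({"schemas": [GROUP_SCHEMA], "displayName": "developers",
                            "members": [{"value": alice.id}]})
    try:  # pushing a second "developers" group must be rejected
        sp.create_group({"schemas": [GROUP_SCHEMA], "displayName": "developers"})
        duplicate = None
    except ScimError as err:
        duplicate = err.to_response()
    try:  # the portal may not delete a SCIM-managed user
        sp.portal_delete_user(alice.id)
        portal_delete_blocked = False
    except PermissionError:
        portal_delete_blocked = True
    sp.unlink_group(devs.id)
    return {"user": alice, "group": devs, "duplicate": duplicate,
            "portal_delete_blocked": portal_delete_blocked}


if __name__ == "__main__":
    print(demo())
```

The duplicate-group case returns a SCIM error body with status 409 and `scimType` `uniqueness`, which is how an IdP such as Okta learns that the push was refused; a real endpoint would also authenticate the bearer token on every request, which this model omits.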
Get started
Lightrun supports SCIM Provisioning with the following identity providers (IdPs):
- SCIM Provisioning using Okta
- SCIM Provisioning using Microsoft Entra ID (Azure AD)
- SCIM Provisioning using Ping Identity