root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 142 Packages Projects Releases Wiki Activity

SCIM: update docs to mention SCIM UI (#110906) 

* SCIM: update docs to mention SCIM UI

* simplify

* fix typo

* expand UI section, add UI references to IdP docs

* fix vale warning

* Update docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

---------

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
This commit is contained in:
colin-stuart 2025-09-26 09:20:27 -05:00 committed by GitHub
parent 248b323967
commit 00fb2e9537
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 76 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
docs/sources/setup-grafana/configure-security/configure-scim-provisioning/_index.md
View File

@ -71,7 +71,40 @@ When you enable SCIM in Grafana, the following requirements and restrictions app
- Configure `userUID` SAML assertion in [Azure AD](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-azuread/#configure-saml-assertions-when-using-scim-provisioning)
- Configure `userUID` SAML assertion in [Okta](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-security/configure-authentication/saml/configure-saml-with-okta/#configure-saml-assertions-when-using-scim-provisioning)
## Configure SCIM in Grafana
## Configure SCIM using the Grafana user interface
You can configure SCIM in Grafana using the Grafana user interface. To do this, navigate to **Administration > Authentication > SCIM**.
The Grafana SCIM UI provides the following advantages over configuring SCIM in the Grafana configuration file:
- It is accessible by Grafana Cloud users
- It doesn't require Grafana to be restarted after a configuration update
- Using the authentication settings permission allows us to restrict Grafanas access scope rather than relying on an overly permissive role such as Admin.
{{< admonition type="note" >}}
Any configuration changes made through the Grafana user interface (UI) will take precedence over settings specified in the Grafana configuration file or through environment variables. This means that if you modify any configuration settings in the UI, they will override any corresponding settings set via environment variables or defined in the configuration file.
{{< /admonition >}}
### Configure SCIM settings
Sign in to Grafana and navigate to **Administration > Authentication > SCIM**. Here you can configure the following settings:
| Setting | Required | Description | Default |
| ------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------- |
| `Enable Group Sync` | No | Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled. | `false` |
| `Reject Non-Provisioned Users` | No | When enabled, prevents non-SCIM provisioned users from signing in. Cloud Portal users can always sign in regardless of this setting. | `false` |
| `Enable User Sync` | Yes | Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider. | `false` |
The SCIM UI also displays information that may help you configure SCIM in your identity provider, including stack domain, stack ID, and tenant URL.
### Next steps
After configuring SCIM in Grafana, configure your identity provider:
- [Configure SCIM with Okta](configure-scim-with-okta/)
- [Configure SCIM with Azure AD](configure-scim-with-azuread/)
## Configure SCIM using the configuration file
The table below describes all SCIM configuration options. Like any other Grafana configuration, you can apply these options as [environment variables](/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#override-configuration-with-environment-variables).

23
docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-azuread/_index.md
View File

@ -61,8 +61,22 @@ To enable SCIM provisioning in Grafana, create a service account and generate a
1. Navigate to **Administration > Users and access > Service accounts**
2. Click **Add service account**
3. Create a new service account with Admin role
4. Create a new token for the newly created service account and save it securely
3. Create a new service account with **Role: "None"**
4. In the service account **Permissions** tab, add these permissions:
**Allow the service account to sync users:**
- `org.users:read`
- `org.users:write`
- `org.users:add`
- `org.users:remove`
**Allow the service account to sync groups:**
- `teams:read`
- `teams:create`
- `teams:write`
- `teams:delete`
5. Create a new token for the newly created service account and save it securely
- This token will be used in the Azure AD configuration
## Configure SCIM in Azure AD
@ -84,6 +98,10 @@ Configure the enterprise application in Azure AD to enable automated user and te
3. Configure the following settings:
- **Tenant URL:**
You can copy the tenant URL directly from the SCIM UI at **Administration > Authentication > SCIM**. Your stack domain and stack ID can also be found in the SCIM UI.
Alternatively, you can construct the URL manually:
- For Grafana Cloud instances:
```
https://{stack-name}.grafana.net/apis/scim.grafana.app/v0alpha1/namespaces/stacks-{stack-id}
@ -94,6 +112,7 @@ Configure the enterprise application in Azure AD to enable automated user and te
https://{your-grafana-domain}/apis/scim.grafana.app/v0alpha1/namespaces/default
```
Replace `{your-grafana-domain}` with your Grafana instance's domain (e.g., `grafana.yourcompany.com`).
- **Secret Token:** Enter the service account token from Grafana
4. Click **Test connection** to verify the configuration

23
docs/sources/setup-grafana/configure-security/configure-scim-provisioning/configure-scim-with-okta/_index.md
View File

@ -60,8 +60,22 @@ To enable SCIM provisioning in Grafana, create a service account and generate an
1. Navigate to **Administration > Users and access > Service accounts**
2. Click **Add service account**
3. Create a new service account with Admin role
4. Create a new token for the newly created service account and save it securely
3. Create a new service account with **Role: "None"**
4. In the service account **Permissions** tab, add these permissions:
**Allow the service account to sync users:**
- `org.users:read`
- `org.users:write`
- `org.users:add`
- `org.users:remove`
**Allow the service account to sync groups:**
- `teams:read`
- `teams:create`
- `teams:write`
- `teams:delete`
5. Create a new token for the newly created service account and save it securely
- This token will be used in the Okta configuration
## Configure SCIM in Okta
@ -83,6 +97,10 @@ To enable user provisioning through SCIM, configure the SCIM integration setting
In the **Integration** tab, configure:
- **SCIM Connector base URL:**
You can copy the complete SCIM Connector base URL directly from the SCIM UI at **Administration > Authentication > SCIM**. This is displayed as the Tenant URL in the UI. Your stack domain and stack ID can also be found in the SCIM UI.
Alternatively, you can construct the URL manually:
- For Grafana Cloud instances:
```
https://{stack-name}.grafana.net/apis/scim.grafana.app/v0alpha1/namespaces/stacks-{stack-id}
@ -93,6 +111,7 @@ In the **Integration** tab, configure:
https://{your-grafana-domain}/apis/scim.grafana.app/v0alpha1/namespaces/default
```
Replace `{your-grafana-domain}` with your Grafana instance's domain (e.g., `grafana.yourcompany.com`).
- **Unique identifier field:** userName
- **Supported provisioning actions:**
- Import New Users and Profile Updates