Skip to main content

Set up SCIM betaenterprise

The System for Cross-Domain Identity Management (SCIM) makes user data more secure and simplifies the admin and end-user lifecycle experience by automating user identities and groups. You can create or disable user identities in your Identity Provider (IdP), and SCIM will automatically make those changes in near real-time downstream in dbt Cloud.

Prerequisites

To configure SCIM in your dbt Cloud environment:

  • You must be on an Enterprise plan.
  • You must be using Okta as your SSO provider.
  • You must have permissions to configure the account settings in dbt Cloud and change application settings in Okta.
  • If you have IP restrictions enabled, you must add Okta's IPs to your allowlist.

Supported features

The currently available supported features for SCIM are:

  • User provisioning and de-provisioning
  • User profile updates
  • Group creation and management
  • Importing groups and users

When users are provisioned, the following attributes are supported

  • Username
  • Family name
  • Given name

The following IdPs are supported in the dbt Cloud UI:

  • Okta
  • Entra ID (coming soon)

If your IdP isn’t on the list, it can be supported using dbt Cloud APIs (docs coming soon).

SCIM configuration for Okta beta

Please complete the setup SSO with Okta steps before configuring SCIM settings.

Set up dbt Cloud

To retrieve the necessary dbt Cloud configurations for use in Okta:

  1. Navigate to your dbt Cloud Account settings.
  2. Select Single sign-on from the left-side menu.
  3. Scroll to the bottom of your Okta configuration settings and click Enable SCIM.
    SCIM enabled in the Okta configuration settings.SCIM enabled in the Okta configuration settings.
  4. Record the SCIM base URL field for use in a later step.
  5. Click Create SCIM token.
  6. In the pop-out window, give the token a name that will make it easily identifiable. Click Save.
    Give your token and identifier.Give your token and identifier.
  7. Copy the token and record it securely, as it will not be available again after you close the window. You must create a new token if you lose the current one.
    Give your token and identifier.Give your token and identifier.
  8. (Optional) Manual updates are turned off by default for all SCIM-managed entities, including the ability to invite new users manually. This ensures SCIM-managed entities stay in sync with the IdP, and we recommend keeping this setting disabled.
    • However, if you need to make manual updates (like update group membership for a SCIM-managed group), you can enable this setting by clicking Allow manual updates.
    Enabling manual updates in SCIM settings.Enabling manual updates in SCIM settings.
License mapping

dbt Cloud maps SCIM groups to its own groups, so you can assign licenses to SCIM groups using the group name as an identifier. Currently, setting a license type directly as an attribute on the SCIM group isn't supported.

Set up Okta

  1. Log in to your Okta account and locate the app configured for the dbt Cloud SSO integration.

  2. Navigate to the General tab and ensure Enable SCIM provisioning is checked or the Provisioning tab will not be displayed.

    Enable SCIM provisioning in Okta.Enable SCIM provisioning in Okta.

  3. Open the Provisioning tab and select Integration.

  4. Paste the SCIM base URL from dbt Cloud to the first field, then enter your preferred Unique identifier field for users — we recommend userName.

  5. Click the checkboxes for the following Supported provisioning actions:

    • Push New Users
    • Push Profile Updates
    • Push Groups

  6. From the Authentication mode dropdown, select HTTP Header.

  7. In the Authorization section, paste the token from dbt Cloud into the Bearer field.

    The completed SCIM configuration in the Okta app.The completed SCIM configuration in the Okta app.

  8. Ensure that the following provisioning actions are selected:

    • Create users
    • Update user attributes
    • Deactivate users
    Ensure the users are properly provisioned with these settings.Ensure the users are properly provisioned with these settings.

  9. Test the connection and click Save once completed.

You've now configured SCIM for the Okta SSO integration in dbt Cloud.

Existing Okta integrations

If you are adding SCIM to an existing Okta integration in dbt Cloud (as opposed to setting up SCIM and Oauth concurrently for the first time), there is some functionality you should be aware of:

  • Users and groups already synced to dbt Cloud will become SCIM-managed once you complete the SCIM configuration.
  • You can leverage SCIM to import and manage existing dbt Cloud groups. Update the groups in your IdP with the same naming convention used for dbt Cloud groups. New users, groups, and existing profile changes will be automatically imported into dbt Cloud.
    • Ensure the Import users and profile updates and Import groups checkboxes are selected in the Provisioning settings tab in the Okta SCIM configuration.
    • Read more about this feature in the Okta documentation.
0
Edit this page