Skip to content

SSO and SCIM

SAML single sign-on authenticates users through an organisation identity provider. SCIM provisions and deactivates users and groups. They solve different parts of identity lifecycle and should be tested independently.

Dataplicity supports SAML for organisation single sign-on. Copy the entity ID, assertion consumer URL, metadata, certificate, and claim fields shown for your organisation.

Configure SSO

  1. Keep a tested organisation-admin break-glass account.
  2. Add the Dataplicity application to the identity provider.
  3. Copy the current entity ID, assertion consumer URL, and metadata values requested by the identity provider.
  4. Configure required identity and group claims.
  5. Test with a small pilot group and an incognito session.
  6. Verify role, organisation routing, logout, and failure behaviour.
  7. Enable mandatory SSO only after break-glass and rollback tests.

Domain and login hints can route users to the correct provider. A claim arriving successfully does not guarantee the intended Dataplicity role or scope, so test effective access.

Provision with SCIM

  1. Enable SCIM for the organisation.
  2. Generate the current SCIM credential and store it in the identity provider.
  3. Provision one test user and group.
  4. Verify create, update, group membership, and deactivation.
  5. Enable role mapping only when the organisation has an approved allowlist.

SCIM-managed fields are read-only in Dataplicity. Role payloads cannot assign organisation admin or superuser. Deactivation should remove active access without deleting the audit record.

Rollback and troubleshooting

  • Login loop: compare entity ID, assertion consumer URL, identity-provider URL, certificate, clock, and domain routing.
  • User authenticates but sees nothing: inspect organisation membership, effective role, group mapping, and resource scope.
  • SCIM update rejected: check token, base URL, immutable identity fields, and managed state.
  • Mandatory SSO lockout: use the tested break-glass path and revert the organisation policy.

Rotate SSO and SCIM credentials after exposure, supplier change, or administrator departure. Record configuration changes in the security review process.