gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Support SCIM for dynamically deprovisioning users in Teleport via callback #20188

Open webvictim opened 1 year ago

webvictim commented 1 year ago

What would you like Teleport to do?

SCIM is a popular standard for passing information about user lifecycles and configuration between an identity provider and an application which consumes the identities. Customers and prospects would like Teleport to support SCIM integration so that if a user is deactivated/deprovisioned inside the identity provider, Teleport can be notified of this in near-realtime and update the user's permissions. In the first instance, this should probably be implemented as immediately locking the user if they're deleted from the identity provider.

What problem does this solve?

Single source of truth for users, confidence that if a user is locked in the identity provider their access will be automatically stopped via Teleport without needing to add a separate lock.

If a workaround exists, please include it.

Write some kind of Teleport plugin and/or IDP API integration which watches users in the IDP and locks them in Teleport if they're deprovisioned. Cumbersome and messy.
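
As an added illustration (not part of this issue and not Teleport's code), the Go sketch below shows the callback side of what is requested above: an identity provider calls a SCIM `Users/{id}` endpoint, and a `DELETE`, or a `PATCH` that sets `active` to `false`, is turned into an immediate lock on that user. The shared bearer token, the `/scim/v2/Users/` path prefix and the in-memory `LockStore` are assumptions made for the demo; a real integration would replace `LockStore.Lock` with a Teleport API call that creates a lock resource targeting the user. The two `PatchOp` shapes handled (`"path":"active"` with a bare boolean, and a `value` object carrying `{"active":false}`) are both valid under RFC 7644; which one a given IdP sends is not stated on this page.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"io"
	"net/http"
	"strings"
	"sync"
)

// scimBearerToken is a constructed shared secret (assumed for this demo) that the IdP must send on every call.
const scimBearerToken = "example-scim-token-not-real"

// LockStore stands in for Teleport's lock resources; a real integration would upsert a lock via the Teleport API.
type LockStore struct{ locks sync.Map } // user name -> lock reason

func (s *LockStore) Lock(user, reason string) { s.locks.Store(user, reason) }

func (s *LockStore) IsLocked(user string) bool {
	_, ok := s.locks.Load(user)
	return ok
}

// scimPatch is the subset of a SCIM PatchOp (RFC 7644, section 3.5.2) used here.
type scimPatch struct {
	Operations []struct {
		Op    string          `json:"op"`
		Path  string          `json:"path"`
		Value json.RawMessage `json:"value"`
	} `json:"Operations"`
}

// deactivatedByPatch reports whether a PatchOp sets active=false, either as
// {"op":"replace","path":"active","value":false} or as {"op":"replace","value":{"active":false}}.
func deactivatedByPatch(body []byte) (bool, error) {
	var p scimPatch
	if err := json.Unmarshal(body, &p); err != nil {
		return false, err
	}
	for _, op := range p.Operations {
		if !strings.EqualFold(op.Op, "replace") {
			continue
		}
		if strings.EqualFold(op.Path, "active") {
			var v bool
			if err := json.Unmarshal(op.Value, &v); err == nil && !v {
				return true, nil
			}
			continue
		}
		var obj struct{ Active *bool `json:"active"` }
		if err := json.Unmarshal(op.Value, &obj); err == nil && obj.Active != nil && !*obj.Active {
			return true, nil
		}
	}
	return false, nil
}

// Handler serves /scim/v2/Users/{id}. A DELETE, or a PATCH that deactivates
// the user, locks that user at once; other requests change nothing.
func Handler(store *LockStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Constant-time compare so a wrong token cannot be narrowed down byte by byte via timing.
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(scimBearerToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		user := strings.TrimPrefix(r.URL.Path, "/scim/v2/Users/")
		if user == "" || strings.Contains(user, "/") {
			http.NotFound(w, r)
			return
		}
		switch r.Method {
		case http.MethodDelete:
			store.Lock(user, "scim: user deleted in IdP")
			w.WriteHeader(http.StatusNoContent)
		case http.MethodPatch:
			// Cap the body so a misbehaving caller cannot exhaust memory.
			body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 64<<10))
			deactivated, perr := deactivatedByPatch(body)
			if err != nil || perr != nil {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			if deactivated {
				store.Lock(user, "scim: user deactivated in IdP")
			}
			w.WriteHeader(http.StatusOK)
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
		}
	})
}

// Stand-alone usage: serve locally and point the IdP's SCIM connector at it (behind TLS in practice).
func main() { http.ListenAndServe("127.0.0.1:8080", Handler(&LockStore{})) }
```

Two design points worth keeping when turning this into a real plugin: nothing is locked until the bearer token has been verified, since the endpoint is otherwise an unauthenticated "lock any user" API, and a `PATCH` that does not deactivate the user (for example a profile update or `active: true`) deliberately does nothing rather than unlocking, so a lock placed by an administrator for another reason is never silently cleared by IdP traffic.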

TaLoN1x commented 1 year ago

Definitely a useful thing

gary-mayden commented 1 year ago

We would love to have a SCIM integration as well to, at the bare minimum, deactivate/lock users in Teleport when they are offboarded in the IDP.

Additional scenarios: IDP Push Groups that can be tied to Teleport roles for real time permission changes with already established access request patterns.

travib commented 8 months ago

Fully agreed. This would be a big win.

webvictim commented 6 months ago

Teleport Enterprise now supports SCIM for Okta: https://goteleport.com/docs/application-access/okta/hosted-guide/#configuring-scim-provisioning