SCIM provisioning 🔒

Manage users and groups externally

SCIM (System for Cross-domain Identity Management) is an open standard for managing user identity information.

It allows you to manage your users and groups outside of Budibase using any Identity and Access Management service that supports SCIM. Examples include Azure Active Directory and Okta.

Changes to users and groups made in your external IAM can be synced across to Budibase users and groups through a process known as provisioning.

It is worth noting that this is a one-way process. When SCIM is enabled, you will no longer be able to edit users and groups within Budibase; it will only be possible to make changes via your external service.

Unlocking SCIM provisioning

Contact sales to enquire about upgrading to the enterprise plan: https://budibase.com/contact/

Enable SCIM

Log in to the Budibase portal, and click on the Settings tab. Select the Auth tab.

Scroll to the bottom of the page, and under SCIM toggle Activated on. The provisioning URL and Token will become available to quickly copy using the clipboard buttons to the right of the fields.

👍

Enforced SSO

When using SCIM, users can only log in to Budibase using SSO. With this in mind, we recommend that you Enforce SSO 🔒.



Example: Azure Active Directory

This example looks at provisioning Active Directory users from Azure into Budibase.


Step 1 - Create an enterprise application

First we need to create an Enterprise application to manage the users and groups that we want to provision for Budibase.

Log in to Azure Active Directory, and click Enterprise applications under the Manage section.

Create new application

Click on New application, then click on Create your own application. Select the (Non-gallery) option and give your app a name.

Assuming you already have some users in your Active Directory, you can now add them to your enterprise application.

Click on your application, and then click Users and groups under the Manage section. You can then click on Add user/group to add users individually or user groups.


Step 2 - Provisioning

Under the Manage section click on Provisioning. Next select 'Automatic' under Provisioning Mode. Copy and paste the URL and Token from the Budibase settings page as the admin credentials.

Click Test Connection to verify everything is correct, and make sure to click the Save button at the top.

You can now click Start provisioning to sync your users and groups from your Azure enterprise app into Budibase.

Under the Users tab in the Budibase portal, you can now see the users that have synced across.

There is also a note in this section indicating that users are being synced from your AD.

If you provide a first and last name for your Azure users, these will also be passed through. However, other settings such as User roles and App roles must be set within Budibase.


Step 3 - Set up SSO and give app access

Finally, we need to make sure that provisioned users can log in to Budibase. In this case you can follow the SSO with Azure AD guide.

Furthermore, make sure you have given your users and groups Application access.

Giving Carol basic app access
