Add SCIM integration docs (#18094)

Co-authored-by: Ilya Mashchenko <ilya@netdata.cloud>
2025-04-10 08:07:34 +00:00 · 2024-08-19 18:16:06 +02:00 · 2024-08-19 18:16:06 +02:00 · ea10e1333f
commit ea10e1333f
parent bacd83a365
1 changed files with 70 additions and 2 deletions
--- a/integrations/cloud-authentication/metadata.yaml
+++ b/integrations/cloud-authentication/metadata.yaml
@ -33,7 +33,7 @@

      ### Netdata Configuration Steps
      1. Click on the Space settings cog (located above your profile icon)
-      2. Click on the **Authentication** tab
+      2. Click on the **User Management** section and access **Authentication and Authorization** tab.
      3. On the Okta SSO card, click on **Configure**
      4. Fill in the [required credentials](https://developer.okta.com/docs/guides/find-your-app-credentials/main/), you get them from **Okta Admin Portal**:
          - **Issuer URL** you can get it from your profile icon on top, e.g. `https://company-name.okta.com`
@ -82,7 +82,7 @@

      ### Netdata Configuration Steps
      1. Click on the Space settings cog (located above your profile icon)
-      2. Click on the **Authentication** tab
+      2. Click on the **User Management** section and access **Authentication and Authorization** tab.
      3. On the OIDC card, click on **Configure**
      4. Fill in the required credentials:
          - **Issuer URL** the Authorization Server Issuer URL, e.g. `https://my-auth-server.com/`
@ -103,3 +103,71 @@

      ### Reference
      https://openid.net/developers/how-connect-works/
+
+- id: 'scim'
+  meta:
+    name: 'SCIM'
+    link: 'https://netdata.cloud'
+    categories:
+      - auth
+    icon_filename: 'scim.svg'
+  keywords:
+    - scim
+    - identity-management
+  overview:
+    authentication_description: "The System for Cross-domain Identity Management (SCIM) specification is designed to simplify the management of user identities in cloud-based applications and services."
+    authentication_limitations: ''
+  setup:
+    description: |
+      ### Prerequisites
+      - A Netdata Cloud account
+      - Admin access to the Space
+      - The Space must be on a paid plan
+      - OIDC/SSO integration must already be enabled in one of your Spaces
+
+      ### Netdata Configuration Steps
+      1. Click on the Space settings cog (located above your profile icon).
+      2. Click on the **User Management** section and access **Authentication and Authorization** tab.
+      3. In the SCIM card, click on **Activate**.
+      4. Depending on your situation:
+         - If OIDC/SSO integration is already enabled in your Space, click **Activate**.
+         - If you already have a SCIM integration in another Space and want to create a linked integration here, enter the SCIM token from the original integration and click **Activate**.
+      5. If the setup is successful, you will receive two parameters:
+         - **Base URL**: Use this URL as the base URL for your SCIM client.
+         - **Token**: Use this token for Bearer Authentication with your SCIM client.
+
+      ### Rotating the SCIM Token
+      You can rotate the token provided during SCIM integration setup if needed.
+
+      Steps to rotate the token:
+      1. Click on the Space settings cog (located above your profile icon).
+      2. Click on the **User Management** section and access **Authentication and Authorization** tab.
+      3. In the already configured SCIM card, click **Configure**.
+      4. Click **Regenerate Token**.
+      5. If successful, you will receive a new token for Bearer Authentication with your SCIM client.
+
+      ### Supported Features
+      This integration adheres to SCIM v2 specifications. Supported features include:
+
+      - User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User)
+      - Patch operations: Supported
+      - Bulk operations: Not supported
+      - Filtering: Supported (max results: 200)
+      - Password synchronization: Not supported, as we rely on SSO/OIDC authentication
+      - eTag: Not supported
+      - Authentication schemes: OAuth Bearer Token
+
+      ### User Keying Between SCIM and OIDC
+      Our SCIM (System for Cross-domain Identity Management) integration utilizes OIDC (OpenID Connect) to authenticate users.
+      To ensure users are correctly identified and authenticated between SCIM and OIDC, we use the following mapping:
+
+      - SCIM externalID ↔ OIDC sub
+
+      This mapping ensures that the identity of users remains consistent and secure across both systems.
+
+      **Important**: Ensure that your OIDC and SCIM systems follow this mapping strictly.
+      The externalID in SCIM must correspond to the subfield in OIDC. Any deviation from this mapping may result
+      in incorrect user identification and authentication failures.
+
+      ### Reference
+      [SCIM Specification](https://scim.org)