Directory sync

Organizations that use an SSO identity provider that supports SCIM-based user provisioning can automate user management.

Requirements

  • SCIM-based directory system

  • Groups in that directory system that map to the following Subsalt roles

    • Admin

    • Viewer

Configuration

To configure directory sync, find the SCIM-based integration that matches your identity provider here.

Email [email protected] with a request to configure directory sync for that provider and we will send you a WorkOS link that enables you to complete the integration by following the documentation for your identity provider.

After you have completed the documented steps for your identity provider and initial provisioning has completed, the groups you created in your directory for the Subsalt roles should be visible in the WorkOS dashboard under the Groups tab.

From the Directory Settings tab, press Configure role assignment and assign your groups to their respective roles in Subsalt.

By default, all users are assigned the Viewer role if their role cannot be derived from group role assignments.

Sync schedule

Subsalt will attempt to synchronize with WorkOS at the top of every hour. Your directory system will have its own independent provisioning interval with WorkOS.

The maximum delay in seeing updates from your directory system in Subsalt will be 1 hour + your directory systems provisioning interval. For example, Azure Entra ID triggers provisioning every 40 minutes so the max delay is 1 hour 40 minutes.

Sync events

When the following events occur in your directory system they will be reflected in Subsalt the next time the system synchronizes with WorkOS.

User added

The user will be created in Subsalt. They will be assigned the role associated with their group.

User updated

The user's first name, last name, and/or role will be updated in Subsalt.

User removed

The user will be deactivated in Subsalt.

Directory integration disabled

All users associated with the directory will be deactivated in Subsalt.

Users outside of the directory

It is still possible to add/remove/update users directly in the Subsalt application. If the user is added to the directory system at a later date it will be "adopted" as a directory user the next time Subsalt synchronizes with WorkOS and all sync events will apply going forward.

All users marked as External are ignored by directory sync.

PreviousUser managementNextDisaster recovery

Last updated