July 12, 2025 - SCIM provisioning available

SCIM provisioning now available for automated user and group management across CoreWeave services

Overview

SCIM (System for Cross-domain Identity Management) provisioning for SUNK is now available via nsscache, enabling automated, standards-based user and group management from your Identity Provider (IdP) to CoreWeave clusters.

What is SCIM?

SCIM is an open standard protocol that automates the exchange of user identity information between identity domains or IT systems. It provides a standardized way to create, update, and deactivate user accounts across multiple systems.

Benefits

  • Automated User Management: Automatically sync users and groups from your IdP
  • Standards-Based: Uses industry-standard SCIM protocol
  • Reduced Manual Work: Eliminates manual user creation and management
  • Consistent Access Control: Ensures consistent permissions across systems
  • Audit Trail: Maintains clear audit trails for user changes

Prerequisites

  • SUNK cluster with version 6.4.1 or later
  • Identity Provider that supports SCIM 2.0
  • Network connectivity between your IdP and CoreWeave clusters

Supported Identity Providers

  • Azure Active Directory
  • Okta
  • Google Workspace
  • OneLogin
  • Ping Identity
  • Other SCIM 2.0 compliant providers

Configuration

1. Enable SCIM in SUNK

Add the following to your Helm values:

Example
sunk:
  scim:
    enabled: true
    provider: "nsscache"
    endpoint: "https://your-idp.com/scim/v2"
    # Placeholder. The real token is a credential: keep it out of version control.
    token: "your-scim-token"
    syncInterval: "5m"

2. Configure nsscache

The nsscache component handles the SCIM synchronization:

Example
nsscache:
  config:
    scim:
      baseUrl: "https://your-idp.com/scim/v2"
      bearerToken: "your-scim-token"
      userFilter: "active eq true"
      groupFilter: "active eq true"
    mapping:
      username: "userName"
      email: "emails[type eq 'work'].value"
      firstName: "name.givenName"
      lastName: "name.familyName"
      groups: "groups.display"

3. Deploy the Configuration

Example
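# your-scim-token is a placeholder. A value passed with --set is recorded in
# shell history and is visible in the process list while the command runs.
helm upgrade sunk coreweave/sunk \
  --set sunk.scim.enabled=true \
  --set sunk.scim.endpoint="https://your-idp.com/scim/v2" \
  --set sunk.scim.token="your-scim-token"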

User Mapping

Default Attribute Mapping

| SCIM Attribute | SUNK Field | Description |
|---|---|---|
| userName | Username | Primary login identifier |
| emails[type eq 'work'].value | Email | Work email address |
| name.givenName | First Name | User's first name |
| name.familyName | Last Name | User's last name |
| groups.display | Groups | Group memberships |
| active | Status | Account active/inactive status |
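
How the default mapping paths select values from a SCIM 2.0 User resource, as an added example (not CoreWeave or nsscache code). The sample user and the names `resolve` and `map_user` are constructed for illustration, and skipping any user without `active: true` is an assumption based on the `userFilter` shown in the configuration.

```python
import re

# Default mapping from the table above: SUNK field -> SCIM attribute path.
DEFAULT_MAPPING = {
    "username": "userName",
    "email": "emails[type eq 'work'].value",
    "firstName": "name.givenName",
    "lastName": "name.familyName",
    "groups": "groups.display",
}
# One path segment: attribute name, optionally followed by [attr eq 'value'].
SEGMENT = re.compile(r"^(\w+)(?:\[(\w+) eq '([^']*)'\])?$")

# Constructed sample SCIM 2.0 User resource (not real data).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane@home.example", "type": "home"},
               {"value": "jdoe@corp.example", "type": "work"}],
    "groups": [{"value": "g-1", "display": "engineering"},
               {"value": "g-2", "display": "research"}],
}

def resolve(resource, path):
    """Return every value the path selects (empty list if none)."""
    nodes = [resource]
    for seg in path.split("."):
        m = SEGMENT.match(seg)
        if not m:
            raise ValueError(f"unsupported path segment: {seg!r}")
        name, f_attr, f_val = m.groups()
        found = []
        for node in nodes:
            value = node.get(name) if isinstance(node, dict) else None
            for item in (value if isinstance(value, list) else [value]):
                if item is None:
                    continue
                if f_attr and not (isinstance(item, dict) and item.get(f_attr) == f_val):
                    continue
                found.append(item)
        nodes = found
    return nodes

def map_user(resource, mapping=DEFAULT_MAPPING):
    """Map one user; None means it fails the 'active eq true' filter."""
    if resource.get("active") is not True:
        return None
    picked = {field: resolve(resource, path) for field, path in mapping.items()}
    return {f: v if f == "groups" else (v[0] if v else None) for f, v in picked.items()}
```

Running the same functions over a user export from your IdP shows which accounts would resolve to an empty email or group list, and which deactivated accounts are dropped, before the sync is enabled.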

Custom Attribute Mapping

You can customize attribute mapping in your configuration:

Example
nsscache:
  config:
    mapping:
      username: "custom.userId"
      email: "custom.workEmail"
      groups: "custom.departmentGroups"

Group Management

Automatic Group Sync

Groups are automatically synchronized from your IdP:

  • Group Creation: New groups in IdP are created in SUNK
  • Group Updates: Changes to group names or members are synced
  • Group Deletion: Deleted groups are removed from SUNK

Group Permissions

Groups can be mapped to Slurm accounts and partitions:

Example
nsscache:
  config:
    groupMapping:
      "engineering": "eng-account"
      "data-science": "ds-account"
      "research": "research-account"