Automated User Provisioning (AUP) uses SCIM to keep the Cloud Console aligned with your organization’s identity provider (IdP). The following sections summarize how AUP relates to SAML SSO, what you can sync, and where to find setup procedures for your IdP.
AUP lets you synchronize user and group data in real time from your IdP to subscribed services, such as the Cloud Console. AUP uses SCIM (System for Cross-domain Identity Management), an open standard that ensures changes to user permissions, additions, or removals made in the IdP are reflected immediately in the Cloud Console. This removes the need for manual updates or waiting for user-initiated events like SAML SSO logins, and it supports a more efficient, accurate user management workflow.
Although SCIM can synchronize in two directions, CoreWeave AUP uses one-way synchronization: the IdP is the source of truth, and data flows only from the IdP to the Cloud Console.
How SCIM differs from SAML SSO
SAML SSO lets users sign in securely and supports Just-In-Time (JIT) provisioning, where accounts are created on first sign-in. SCIM requires SAML SSO and goes further by syncing entire directories, including hundreds of users and their group memberships, in real time. Users and groups appear automatically in the Cloud Console without individual invitations or first-time SAML sign-ins. SCIM handles user provisioning and de-provisioning, while SAML handles authentication.
Users and groups
AUP supports two core resource types:
- Users: Creates new users, updates profile fields (first name, last name, status), and deactivates users in your IdP.
- Groups: Syncs group memberships and group definitions for better access control. Only flat groups are supported; nested groups (groups whose member lists include other groups) are not supported and cause provisioning errors.
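
A pre-flight check for the nested-group restriction above, as an added example (not CoreWeave's code). It assumes a group export shaped like SCIM 2.0 Group resources (RFC 7643), flags groups whose members include other groups, and computes the flat user set for a replacement group. The sample data, ids, and function names are constructed for illustration.

```python
# Constructed sample: SCIM 2.0-style Group resources (RFC 7643); ids are made up.
SAMPLE_GROUPS = [
    {"id": "g-eng", "displayName": "engineering", "members": [
        {"value": "u-1", "type": "User"},
        {"value": "g-sre", "type": "Group"}]},
    {"id": "g-sre", "displayName": "sre", "members": [
        {"value": "u-2", "type": "User"},
        # No "type" here: the member is identified as a group by its $ref.
        {"value": "g-eng", "$ref": "https://idp.example/scim/v2/Groups/g-eng"}]},
    {"id": "g-fin", "displayName": "finance", "members": [
        {"value": "u-3", "type": "User"}]},
]


def is_group_member(member):
    """A member is a group if its type says so or its $ref points at /Groups/."""
    if (member.get("type") or "").lower() == "group":
        return True
    return "/Groups/" in (member.get("$ref") or "")


def nested_groups(groups):
    """Return {displayName: [member group ids]} for every non-flat group."""
    found = {}
    for g in groups:
        children = [m["value"] for m in g.get("members", []) if is_group_member(m)]
        if children:
            found[g["displayName"]] = children
    return found


def flatten(group_id, groups, _seen=None):
    """Expand a group to the user ids it contains, tolerating membership cycles."""
    by_id = {g["id"]: g for g in groups}
    seen = _seen if _seen is not None else set()
    if group_id in seen or group_id not in by_id:
        return set()
    seen.add(group_id)
    users = set()
    for m in by_id[group_id].get("members", []):
        if is_group_member(m):
            users |= flatten(m["value"], groups, seen)
        else:
            users.add(m["value"])
    return users


if __name__ == "__main__":
    for name, children in nested_groups(SAMPLE_GROUPS).items():
        print(f"{name}: nested members {children}; flatten before pushing")
    print(sorted(flatten("g-eng", SAMPLE_GROUPS)))
```
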
Key use cases
- Provision users: When you assign a user to the app in the IdP, the user is automatically created in the Cloud Console.
- Update profiles: When you change attributes (first name, last name, or active status) in the IdP, those changes overwrite the matching values in the Cloud Console.
- Deactivate users: When you remove a user from a group assigned to the application in the IdP, the user is promptly deactivated in the Cloud Console, so only authorized users retain access.
- Sync groups: You can sync group memberships for application-specific group management beyond access control. To sync a group, you must explicitly add it to the push list in the IdP.
- Force Sync (Okta-specific): Okta’s “force sync” feature lets admins manually push updates, which triggers a synchronization of user attributes between Okta and the Cloud Console. This updates user attributes but doesn’t activate or deactivate accounts. For more information, see Okta’s guide.
Setting up SCIM
After you configure SAML SSO, set up SCIM to synchronize users and groups from the IdP to the Cloud Console. Complete the following steps:
- Enable SCIM in the Cloud Console: Because SCIM controls organization-wide user data, you must explicitly enable it.
- Enable SCIM in the IdP: In your IdP, open the Provisioning section in the application configuration. This is usually next to the Single Sign-On (SSO) section.
- Configure the SCIM API base URL: This URL is usually prefixed with the organization ID in the Cloud Console.
- Select synchronization options: Choose to push new users, push profile updates, and push groups, depending on the level of synchronization you want.
- Authentication: Set up a bearer token for secure communication between the IdP and the Cloud Console.
- Assign users and groups: In the IdP, assign users and groups to the SCIM-enabled application to provision them in the Cloud Console.