Introduction to Automated User Provisioning (AUP)
Learn about Automated User Provisioning on CoreWeave
Automated User Provisioning (AUP) allows for real-time synchronization of user and group data from an Identity Provider (IdP) to subscribed services, such as the Cloud Console. AUP uses SCIM (System for Cross-domain Identity Management), an open standard, so that changes to user permissions, additions, or removals made in the IdP are reflected immediately in the Cloud Console. This eliminates the need for manual updates or waiting for user-initiated events such as SAML SSO logins, providing a more efficient and accurate user management system.
Although SCIM allows for two-way sync, CoreWeave's AUP uses one-way synchronization: the IdP is the source of truth, and data flows only from the IdP to the Cloud Console.
How SCIM differs from SAML SSO
SAML SSO allows users to log in securely and supports Just-In-Time (JIT) provisioning, where accounts are created on first login. SCIM requires SAML SSO but goes further by syncing entire directories, including hundreds of users and their group memberships, in real time. Users and groups appear automatically in the Cloud Console without needing individual invitations or first-time logins via SAML. SCIM handles user provisioning and de-provisioning, while SAML handles authentication.
Users and groups
AUP supports two core resource types:
- Users: When a user is created, has profile fields (first name, last name, status) updated, or is deactivated in your IdP, the change is mirrored in the Cloud Console.
- Groups: Group definitions and group memberships are synced from the IdP for finer-grained access control.
AUP also supports syncing custom attributes defined in the IdP.
Key use cases
- Provision users: Assign a user to the app in the IdP, and they're automatically created in the Cloud Console.
- Update profiles: Supports updating attributes such as first name, last name, and active status. Changes to name or status in the IdP overwrite the corresponding values in the Cloud Console.
- Deactivate users: When a user is removed from a group assigned to the application in the IdP, they are promptly deactivated in the Cloud Console, ensuring that only authorized users retain access.
- Sync groups: Group memberships can be synced, allowing for application-specific group management beyond just access control. To sync a group, it must be explicitly added to the push list in the IdP.
- Force Sync (Okta-specific): Okta's "force sync" feature lets admins manually push updates, which triggers a synchronization of user attributes between Okta and the Cloud Console. This updates user attributes but doesn't activate or deactivate accounts. See Okta's guide for more information.
Setting up SCIM
After configuring SAML SSO, you can set up SCIM to synchronize users and groups from the IdP to the Cloud Console. This involves several steps, including:
- Enabling SCIM in Cloud Console: Because SCIM controls organization-wide user data, you must explicitly enable it.
- Enabling SCIM in the IdP: In your IdP, look for the Provisioning section in the application configuration. This is usually found under the Single Sign-On (SSO) section.
- Configuring the SCIM API Base URL: This URL is usually prefixed with the organization ID in the Cloud Console.
- Selecting Synchronization Options: Choose to push new users, push profile updates, and push groups, depending on the desired level of synchronization.
- Authentication: Set up a bearer token for secure communication between the IdP and the Cloud Console.
- Assigning users and groups: In the IdP, assign users and groups to the SCIM-enabled application to provision them in the Cloud Console.
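The following added example is not CoreWeave's code; it is a minimal in-memory SCIM 2.0 receiver written to illustrate the one-way flow described in the use cases and setup steps above. It assumes a hypothetical `ScimReceiver` class standing in for the service side, a placeholder base URL (the real one is organization-specific), a constructed bearer token, and constructed user and group data. It shows the bearer token check on every request, the `POST /Users` provisioning call, a `PATCH` profile update, group membership sync, and deactivation via `active: false`, with uniqueness conflicts reported as HTTP 409 as the SCIM specification requires. The receiver never writes back to the IdP, matching the one-way model.

```python
"""Minimal in-memory SCIM 2.0 receiver (hypothetical stand-in, not CoreWeave's code)."""
import hmac
import re
import uuid
from typing import Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Placeholder only: the real SCIM API Base URL is prefixed with the organization ID.
BASE_URL = "https://<cloud-console-host>/scim/v2/<organization-id>"


class ScimReceiver:
    """Service side of the SCIM link. The IdP pushes; this side only stores."""

    def __init__(self, bearer_token: str):
        self._expected = ("Bearer " + bearer_token).encode()  # set once during setup
        self.users: dict = {}    # id -> SCIM User resource
        self.groups: dict = {}   # id -> SCIM Group resource

    def handle(self, method: str, path: str, auth_header: Optional[str], body: Optional[dict] = None):
        """Process one IdP request and return (http_status, response_body)."""
        # Constant-time comparison so the token check does not leak timing information.
        if not hmac.compare_digest((auth_header or "").encode(), self._expected):
            return 401, {"detail": "invalid bearer token"}
        parts = path.strip("/").split("/")
        store = {"Users": self.users, "Groups": self.groups}.get(parts[0])
        if store is None:
            return 404, {"detail": "unknown resource type"}
        if method == "POST" and len(parts) == 1:
            return self._create(store, body or {})
        if method == "PATCH" and len(parts) == 2 and parts[1] in store:
            if PATCH_SCHEMA not in (body or {}).get("schemas", []):
                return 400, {"detail": "PATCH body must use the PatchOp schema"}
            self._apply_patch(store[parts[1]], body["Operations"])
            return 200, store[parts[1]]
        if method == "GET" and len(parts) == 2 and parts[1] in store:
            return 200, store[parts[1]]
        return 404, {"detail": "resource not found"}

    def _create(self, store: dict, body: dict):
        if USER_SCHEMA in body.get("schemas", []):
            key = "userName"
        elif GROUP_SCHEMA in body.get("schemas", []):
            key = "displayName"
        else:
            return 400, {"detail": "unsupported schema"}
        if any(r[key] == body[key] for r in store.values()):
            return 409, {"detail": f"{key} already exists"}  # SCIM uniqueness conflict
        resource = dict(body)
        resource["id"] = str(uuid.uuid4())
        if key == "userName":
            resource.setdefault("active", True)
        else:
            resource.setdefault("members", [])
        store[resource["id"]] = resource
        return 201, resource

    def _apply_patch(self, resource: dict, operations: list):
        """Apply the subset of PatchOp operations an IdP typically sends."""
        for op in operations:
            kind, path = op["op"].lower(), op.get("path")
            if kind == "replace" and path is None:
                resource.update(op["value"])            # e.g. {"active": false} or a new name
            elif kind == "replace":
                resource[path] = op["value"]            # top-level attribute paths only
            elif kind == "add" and path == "members":
                present = {m["value"] for m in resource["members"]}
                resource["members"] += [m for m in op["value"] if m["value"] not in present]
            elif kind == "remove" and path and path.startswith("members["):
                target = re.fullmatch(r'members\[value eq "([^"]+)"\]', path).group(1)
                resource["members"] = [m for m in resource["members"] if m["value"] != target]
            else:
                raise ValueError(f"unsupported operation: {op}")


def simulate_idp_push(token: str = "constructed-example-token") -> ScimReceiver:
    """Replay the IdP-to-console sequence from the use cases above with constructed data."""
    svc, auth = ScimReceiver(token), "Bearer " + token
    # Provision: the user is assigned to the app in the IdP and pushed as a new User.
    status, user = svc.handle("POST", "/Users", auth, {
        "schemas": [USER_SCHEMA], "userName": "ada@example.com",
        "name": {"givenName": "Ada", "familyName": "Lovelace"}})
    assert status == 201
    uid = user["id"]
    # Update profile: the IdP's name change overwrites the stored copy.
    svc.handle("PATCH", f"/Users/{uid}", auth, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "value": {"name": {"givenName": "Ada", "familyName": "King"}}}]})
    # Sync groups: a pushed group carries its membership list.
    _, group = svc.handle("POST", "/Groups", auth, {
        "schemas": [GROUP_SCHEMA], "displayName": "ml-engineers", "members": [{"value": uid}]})
    # Deactivate: the IdP removes the member, then pushes active=false for the user.
    svc.handle("PATCH", f"/Groups/{group['id']}", auth, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "remove", "path": f'members[value eq "{uid}"]'}]})
    svc.handle("PATCH", f"/Users/{uid}", auth, {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})
    return svc


if __name__ == "__main__":
    state = simulate_idp_push()
    for u in state.users.values():
        print(u["userName"], "active =", u["active"], "name =", u["name"])
    for g in state.groups.values():
        print(g["displayName"], "members =", g["members"])
```

Two details are worth noting for anyone building or reviewing the receiving side: the bearer token is compared with `hmac.compare_digest` rather than `==`, and every request, not just the first, is authenticated, since a SCIM endpoint exposes organization-wide user data. Deactivation arrives as a `PATCH` setting `active` to false rather than a `DELETE`, which is why the Cloud Console step above deactivates the account rather than deleting it.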