Automated User Provisioning (AUP) lets you instantly sync users and groups from your identity provider (IdP) to the Cloud Console, using the SCIM (System for Cross-domain Identity Management) standard. You no longer need to send invites or wait for users to sign in. This guide shows how to set up AUP with Microsoft Entra as the IdP. When you finish, SAML SSO and one-way SCIM are configured, and you can assign Entra users and groups so they sync into CoreWeave IAM.
Prerequisites
You need the following access:
- Admin access to the CoreWeave Cloud Console.
- Admin access to the Microsoft Entra dashboard.
Create SAML integration
Configure SAML SSO first, because AUP relies on it for authentication.
- Open the Cloud Console and the Microsoft Entra dashboard in separate windows.
- In the Cloud Console: Navigate to the SAML SSO page and click Configure SAML.
- In Entra: Open the Microsoft Entra dashboard at entra.microsoft.com.
- Click Enterprise Apps, select + New Application in the top bar, and select Create your own application.
- Choose an appropriate name for your CoreWeave organization and select Integrate any other application you don’t find in the gallery (Non-gallery).
- When you return to the Enterprise Apps page, select your new application and click Single sign on under the Manage menu in the left bar.
- In Entra, select SAML 2.0 under Select a single sign-on method.
- Under field 1: Basic SAML Configuration, click Edit.
- Copy the ACS URL from the Cloud Console and paste it into Entra’s Reply URL (Assertion Consumer Service URL) field.
- Copy the Entity ID from the Cloud Console and paste it into Entra’s Entity ID field.
- Under field 2: Attributes and Claims, click Edit.
- For each claim under Additional Claims, map the following fields to each Azure value by clicking each claim and editing the top Name field:

| Name | Value |
| --- | --- |
| first_name | user.givenname |
| last_name | user.surname |
| email | user.mail |

- Under section 3: SAML Certificates, click Edit. On the following menu under Signing Option, set this to Sign SAML Response and Assertion. Click Save to save settings.
- Return to section 3: SAML Certificates. Copy the URL from the App Federation Metadata URL field into your clipboard.
- Return to the CoreWeave Cloud Console. Click the Metadata URL field and paste the URL you copied from Entra.
- In the Cloud Console, click Next and then click Deploy SSO.
- Return to Entra, and scroll to the end of the SAML configuration page. Click Test, and then in the Test Single Sign on with your [Enterprise App Name] dialog click Test. You should be prompted to sign in through your Microsoft account into CoreWeave Console. If the test succeeds, you complete sign-in and arrive at the Clusters page.
Configure one-way SCIM
Set up one-way SCIM provisioning so the Cloud Console can receive user and group information from Entra:
- In the Cloud Console, on the SCIM Configuration page, toggle Enable SCIM API and Enable Automated User Provisioning. Record the SCIM Base URL and SCIM Token values. You need both later.
- In the Cloud Console, create a new SCIM Token with a name of your choice (for example, Entra ID).
- In Entra:
- On your Enterprise App’s left navigation bar, click Provisioning (located under Single Sign On).
- Click Connect your application under Create configuration.
- Copy the SCIM Base URL from the Cloud Console and paste this into the Tenant URL field in Entra.
- Copy the SCIM Token from the Cloud Console and paste it into the Secret token field in Entra.
- Click Test connection. If the test succeeds, you should see a green alert at the top right corner of your browser window.
- Click Create.
Assign users and groups
To complete the integration, assign users to a group in your IdP, and then assign the group to your application. Then test the integration by checking whether the users sync to the Cloud Console.
- In the Cloud Console, navigate to the Users page to view a list of all users in your organization.
- Assign users to a group in Entra:
- In Entra, click Users and groups on your Enterprise App’s left menu under Manage.
- Click Add user/group to select the users and groups that should sync with CoreWeave Cloud IAM.
- In Entra, toggle the Provisioning Status to On under the Provisioning section. (This step is required when enabling provisioning for the first time.)
- In the Cloud Console, refresh the page showing your Users list. The users in the group you just assigned in Entra appear immediately in the Cloud Console.
Map SSH keys for SUNK
If you use SUNK User Provisioning (SUP), you can sync SSH public keys from Entra to CoreWeave so that users can use SSH to connect to SUNK login nodes. This requires creating a custom extension attribute in Entra and mapping it to CoreWeave’s SCIM endpoint.
If you are not using SUNK, skip this section.
Create the SSH key extension attribute
Entra does not include a built-in attribute for SSH keys. You must create a custom extension property on your Enterprise Application’s backing application registration.
- In PowerShell, install the Microsoft Graph module if you have not already:
- Connect to Microsoft Graph. This operation requires the Application.ReadWrite.All permission:
- Find the Object ID of the application registration that backs your CoreWeave Enterprise Application. In the Entra portal, navigate to App registrations > All applications, find your CoreWeave app, and copy the Object ID (not the Application ID).
- Create the extension property. Replace [APP-OBJECT-ID] with that object ID:
Entra generates a prefixed name like extension_[APP-ID-NO-HYPHENS]_sunkSshKeys. This prefixed name is what you reference within Entra (for example, in PowerShell commands and Terraform). CoreWeave’s SCIM endpoint only sees the sunkSshKeys portion after the namespace mapping, so the prefix does not affect provisioning.
Set the SSH key on a user profile
Writing custom extension attributes to user profiles requires the User.ReadWrite.All Microsoft Graph permission. The more limited User.ReadWrite scope is not sufficient for custom extension attributes.
To set an SSH key on a user profile, replace [USER-EMAIL] with the user’s email address, replace the extension attribute name with the prefixed name Entra generated, and replace [SSH-PUBLIC-KEY] with the full public key string:
[SSH-PUBLIC-KEY] might look like ssh-ed25519 AAAAC3Nza....
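The extension-attribute procedure above, end to end, as an added example that is not CoreWeave's own commands: it validates that the value is an OpenSSH public key before anything is written, creates the property if it is missing, sets it on the user and reads it back. The bracketed values are the page's placeholders; the single-valued String data type and the Test-SshPublicKey helper are assumptions of this example.

```powershell
# Added example, not CoreWeave's own commands. Bracketed values are the page's placeholders.
$AppObjectId = '[APP-OBJECT-ID]'    # Object ID of the app registration (not the Application ID)
$UserEmail   = '[USER-EMAIL]'
$PublicKey   = '[SSH-PUBLIC-KEY]'   # full contents of the user's .pub file

function Test-SshPublicKey {
    # Hypothetical helper: accept only a one-line OpenSSH public key whose base64 blob
    # names the same algorithm as its prefix. Rejects private keys and truncated pastes.
    param([string]$Key)
    $pattern = '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) ([A-Za-z0-9+/]+={0,2})( \S.*)?$'
    if ($Key -notmatch $pattern) { return $false }
    $type = $Matches[1]
    try { $blob = [Convert]::FromBase64String($Matches[3]) } catch { return $false }
    if ($blob.Length -lt 4) { return $false }
    # The blob starts with a 4-byte big-endian length followed by the algorithm name.
    $len = ([int]$blob[0] -shl 24) -bor ([int]$blob[1] -shl 16) -bor ([int]$blob[2] -shl 8) -bor [int]$blob[3]
    if ($len -le 0 -or $len -gt $blob.Length - 4) { return $false }
    return [Text.Encoding]::ASCII.GetString($blob, 4, $len) -ceq $type
}

if (-not (Test-SshPublicKey $PublicKey)) {
    throw 'Value is not a well-formed OpenSSH public key; nothing was written.'
}

# Install-Module Microsoft.Graph -Scope CurrentUser   # once per workstation
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'User.ReadWrite.All'

# Reuse the extension property if it already exists; otherwise create it.
$ext = Get-MgApplicationExtensionProperty -ApplicationId $AppObjectId |
    Where-Object Name -like 'extension_*_sunkSshKeys'
if (-not $ext) {
    # Assumption: single-valued String property that targets User objects.
    $ext = New-MgApplicationExtensionProperty -ApplicationId $AppObjectId `
        -Name 'sunkSshKeys' -DataType 'String' -TargetObjects 'User'
}

# Write the key under the prefixed name Entra generated.
Update-MgUser -UserId $UserEmail -AdditionalProperties @{ ($ext.Name) = $PublicKey }

# Read the attribute back and compare it with what was supplied.
$user   = Get-MgUser -UserId $UserEmail -Property "id,userPrincipalName,$($ext.Name)"
$stored = $user.AdditionalProperties[$ext.Name]
if ($stored -cne $PublicKey) { throw "Stored value for $UserEmail does not match the key supplied." }
'{0} set on {1}' -f $ext.Name, $user.UserPrincipalName
Disconnect-MgGraph | Out-Null
```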
Add the attribute mapping
- In Entra, navigate to your CoreWeave Enterprise Application.
- Under Manage, select Provisioning > Attribute Mapping (Preview).
- Select Provision Microsoft Entra ID Users.
- Click Add New Mapping and configure the following fields:

| Field | Value |
| --- | --- |
| Mapping type | Direct |
| Source attribute | extension_[APP-ID-NO-HYPHENS]_sunkSshKeys |
| Target attribute | urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser:sunkSshKeys |
| Match objects using this attribute | No |
| Apply this mapping | Always |

- Click OK, then click Save at the top of the attribute mappings page.
Verify the sync
- In Entra, trigger a provisioning cycle (or wait for the next automatic cycle).
- In the Cloud Console, navigate to Users, click the three-dot menu next to the target user, and select View Details.
- Under Slurm Attributes, confirm the SSH Keys field contains the public key you set in Entra.
Adjust attribute mappings
Remove the Department attribute
The department attribute in Microsoft Entra can prevent groups from syncing properly with CoreWeave IAM. Before syncing groups, remove this attribute:
- Click Enterprise apps, and select the app that represents your CoreWeave integration.
- Under the Manage heading on the left menu, select Provisioning > Attribute Mapping (Preview).
- Select Provision Microsoft Entra ID Users.
- Find the department attribute, and under Remote click Delete.
- Navigate to the top of the page and click Save to save your attribute mapping.
Sync groups
Nested groups
CoreWeave SCIM does not support nested groups. If you assign a parent Entra group whose Members list includes references to other groups, provisioning fails for those nested group members. To avoid sync errors, use one of the following approaches:
- Assign only flat (leaf) groups to your Enterprise App. Do not assign parent groups that contain sub-groups.
- Add a scoping filter on the group provisioning mapping to exclude parent groups.
- Use an Entra dynamic group to flatten nested memberships into a single flat group before syncing.
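A pre-flight check for the nested-group limitation described above, as an added example that is not CoreWeave's own tooling: it lists every group assigned to the Enterprise App and reports any direct member that is itself a group. [ENTERPRISE-APP-OBJECT-ID] is a placeholder for the Enterprise App's (service principal's) Object ID, and the function name is hypothetical.

```powershell
# Added example, not CoreWeave's own tooling. The bracketed value is a placeholder.
$EnterpriseAppObjectId = '[ENTERPRISE-APP-OBJECT-ID]'   # Object ID of the Enterprise App

Connect-MgGraph -Scopes 'Application.Read.All', 'GroupMember.Read.All'

function Get-NestedGroupFinding {
    # For each group assigned to the app, return direct members that are groups.
    param([string]$ServicePrincipalId)
    $assigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipalId -All |
        Where-Object PrincipalType -eq 'Group' |
        Sort-Object PrincipalId -Unique
    foreach ($a in $assigned) {
        $children = Get-MgGroupMember -GroupId $a.PrincipalId -All |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
        foreach ($c in $children) {
            [pscustomobject]@{
                AssignedGroup = $a.PrincipalDisplayName
                NestedGroup   = $c.AdditionalProperties['displayName']
                NestedGroupId = $c.Id
            }
        }
    }
}

$findings = @(Get-NestedGroupFinding -ServicePrincipalId $EnterpriseAppObjectId)
if ($findings.Count -eq 0) {
    'All assigned groups are flat; no nested group members found.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) nested group reference(s) found; unassign the parent or flatten it before provisioning."
}
Disconnect-MgGraph | Out-Null
```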
Recommended group sync configuration
- Configure a regular Entra group for all the users you want to push to CoreWeave.
- Configure regular Entra groups for all the subgroups that you want to represent in the Cloud Console.
- For legacy CoreWeave IAM deployments, ensure that your selected Entra groups and subgroups do not share a name with any of the default user groups. Alternatively, for every push group that has the same name as a default user group, create a new user group with the appropriate default policies attached.
Legacy default user groups
Legacy CoreWeave IAM deployments automatically provisioned a set of default user groups with specific policies attached. The policies attached to these groups were necessary for operating CoreWeave services. These legacy default user groups included: admin, metrics, read, write, billing_viewer
- Create a new user group in CoreWeave IAM with a new preferred name.
- Assign the policies attached to a default user group. For example, for an administration group use the policies attached to the admin group.
- Delete the default user group before configuring a push group with the same name.