SCIM user management - Temporal Cloud feature guide
SUPPORT, STABILITY, and DEPENDENCY INFO
This feature is in Pre-release. Okta is currently the only supported upstream IdP.
Preparing for SCIM
Before starting your work with SCIM, you'll need to complete this checklist:
- Configure SAML SSO.
- Ensure that critical traffic is configured to authenticate using mTLS or API keys attached to Temporal Cloud accounts. This ensures that Workflows will continue uninterrupted if there is any problem with your integration.
- Decide on your Okta administrator, who is responsible for configuring and managing your SCIM integration. Specify their contact details when you reach out to support in the next stage of this process.
After completing these steps, you're ready to submit your support ticket to enable SCIM.
Onboarding with SCIM and Okta
- Temporal Support enables the SCIM integration on your account. Enabling the integration automatically emails a configuration link to your Okta administrator. This link authorizes them to set up the integration.
- Your Okta administrator opens the supplied link. The link leads to step-by-step instructions for configuring the integration.
- Once the integration is configured in Okta, Temporal Cloud begins to receive SCIM messages and automatically onboards and offboards the users and groups configured in Okta.
Some points to note:
- User and group change events are applied within 10 minutes of being made in Okta.
- User lifecycle management with SCIM also allows user roles to be derived from group membership.
- Once a group has been synced in Temporal Cloud, you can use tcld to assign roles to the group. For instructions, see the User Group Management page.