docs/admin/users/idp-sync.md
Lines changed: 59 additions & 4 deletions
@@ -304,13 +304,66 @@ Visit the Coder UI to confirm these changes:
304
304
305
305
## Organization Sync (Premium)
306
306
307
-
> Note: In a future Coder release, this can be managed via the Coder UI instead
308
-
> of server flags.
309
-
310
307
If your OpenID Connect provider supports groups/role claims, you can configure
311
308
Coder to synchronize claims in your auth provider to organizations within Coder.
312
309
313
-
First, confirm that your OIDC provider is sending clainms by logging in with
310
+
Viewing and editing the organization settings requires deployment admin permissions (UserAdmin or Owner).
311
+
312
+
Organization sync works across all organizations. On user login, the sync will add and remove the user from organizations based on their IdP claims. After the sync, the user's state should match that of the IdP.
313
+
314
+
You can initiate an organization sync through the CLI or through the Coder dashboard:
315
+
316
+
<div class=”tabs”
317
+
318
+
## CLI
319
+
320
+
Use the Coder CLI to show and adjust the settings.
321
+
322
+
These deployment-wide settings are stored in the database. After you change the settings, a user's memberships will update when they log out and log back in.
1. Update with the JSON payload. In this example, `settings.json` contains the payload:
338
+
339
+
```console
340
+
coder organization settings set org-sync < settings.json
341
+
{
342
+
"field": "organizations",
343
+
"mapping": {
344
+
"product": [
345
+
"868e5b23-dc6e-46ab-be74-a891e9bd784b",
346
+
"cbdcf774-4123-4118-8cd9-b3f502c84dfb"
347
+
],
348
+
"sales": [
349
+
"d79144d9-b30a-555a-9af8-7dac83b2q4ec",
350
+
]
351
+
},
352
+
"organization_assign_default": true
353
+
}
354
+
```
355
+
356
+
Analyzing the JSON payload:
357
+
358
+
| Field | Explanation |
359
+
|:--|:--|
360
+
| field | If this field is the empty string `""`, then org-sync is disabled. </br> Org memberships must be manually configured through the UI or API.|
361
+
| mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID. </br> No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. |
362
+
| organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity. </br> If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. |
363
+
364
+
## Dashboard
365
+
366
+
First, confirm that your OIDC provider is sending claims by logging in with
314
367
OIDC and visiting the following URL with an `Owner` account:
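Review bot: the `settings.json` payload in this hunk is not valid JSON and will fail as soon as a reader pipes it into `coder organization settings set org-sync`: the `sales` array has a trailing comma after its only element (`"d79144d9-b30a-555a-9af8-7dac83b2q4ec",` followed by `]`), and that value is not a UUID because `q` is not a hex digit. Drop the trailing comma and use a well-formed example UUID. The same block also mixes the command with the file contents inside one `console` fence; putting the command in the `console` fence and the payload in a separate `json` fence would make clear that the JSON is the contents of `settings.json`, not the command's output. Two smaller points: `<div class=”tabs”` uses curly quotes and lacks the closing `>`, so the tabs container will not render (its matching `</div>` should also be checked past the end of this hunk); and in the table `</br>` should be `<br>` and `UUID's` should be `UUIDs`.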