docs/admin/auth.md
22 additions & 0 deletions
@@ -288,6 +288,28 @@ OIDC provider will be added to the `myCoderGroupName` group in Coder.
288
288
289
289
Some common issues when enabling group sync.
290
290
291
+
#### User not being assigned / Group does not exist
292
+
293
+
If you want Coder to create groups that do not exist, you can set the following environment variable. If you enable this, your OIDC provider might be sending over many unnecessary groups. Use filtering options on the OIDC provider to limit the groups sent over to prevent creating excess groups.
294
+
295
+
```console
296
+
# as an environment variable
297
+
CODER_OIDC_GROUP_AUTO_CREATE=true
298
+
299
+
# as a flag
300
+
--oidc-group-auto-create=true
301
+
```
302
+
303
+
A basic regex filtering option on the Coder side is available. This is applied **after** the group mapping (`CODER_OIDC_GROUP_MAPPING`), meaning if the group is remapped, the remapped value is tested in the regex. This is useful if you want to filter out groups that do not match a certain pattern. For example, if you want to only allow groups that start with `my-group-` to be created, you can set the following environment variable.
304
+
305
+
```console
306
+
# as an environment variable
307
+
CODER_OIDC_GROUP_REGEX_FILTER="^my-group-.*$"
308
+
309
+
# as a flag
310
+
--oidc-group-regex-filter="^my-group-.*$"
311
+
```
312
+
291
313
#### Invalid Scope
292
314
293
315
If you see an error like the following, you may have an invalid scope.
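Review bot: In the first added paragraph under "User not being assigned / Group does not exist", the sentence "If you enable this, your OIDC provider might be sending over many unnecessary groups" reads as if turning on `CODER_OIDC_GROUP_AUTO_CREATE` changes what the provider sends. Suggest rewording so the cause and effect are in order: the provider may already send many groups, and with auto-create enabled those would be created in Coder, so filter at the provider first. The section also opens with the fix without describing the symptom named in the heading; one sentence on what the admin sees when a group does not exist would help. In the regex paragraph, the example only speaks of groups being "allowed to be created", so it is unclear whether `CODER_OIDC_GROUP_REGEX_FILTER` applies only to auto-creation or also drops membership in existing groups that do not match. Please state which, since an admin may rely on the filter as an access boundary.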