SCIM

Easily provision a Workspace with your preferred Identity Provider.

Datasaur supports SCIM 2.0 to efficiently provision and sync users within a Workspace. To activate this feature, you must initially connect the Identity Provider through SAML. As indicated on the SAML page, this integration is tightly linked with each Workspace.

Scope

With SCIM connected, Datasaur seamlessly supports the following actions triggered on the Identity Provider:

  1. Register and invite users with desired roles to a Workspace. This can also be achieved in bulk using the push group functionality.

  2. Synchronize user data, specifically for the first name and last name.

  3. Remove users from the Workspace but not deleting the user.

How to Integrate

Configuration is required on both the Datasaur app and the Identity Provider. Configuring only one side of the system will not yield the expected results.

Datasaur App

  1. Go to your Workspace and navigate to Settings > API Keys. Generate a key and save it. This will be used later on the Identity Provider app.

  2. Navigate to SAML & SCIM.

  3. Ensure SAML 2.0 is properly configured.

  4. Click the Enable SCIM button. You can finish with this if you don't intend to use the Group on Okta.

  5. For provisioning users using Groups, click Edit on the Group to role mapping section. Add each group name that will be pushed to Datasaur and set the desired role. Refer to the section below for more details.

    1. Note that you don't have to depend on this feature. You can easily assign user one by one on the Identity Provider without using the group functionality. If you prefer this approach, there is no need to set the mapping. Enabling SCIM on step no. 4 is enough.

Identity Provider

As stated above, configuration on the SCIM is also crucial. Based on the aforementioned dependency, you must first configure SAML properly before configuring the SCIM integration. Please refer to the guide below for a specific Identity Provider example:

Group to Role Mapping

In Datasaur, there are three roles for a Workspace: Admin, Reviewer, and Labeler. To utilize the group feature of SCIM, map your group to their corresponding role. Consider the following example:

  • Admin: Administrator

  • Supervisor: Managing the projects and the assignment.

  • Reviewer: Manager, QA

  • Labeler: Annotator, Data Developer

In this example, you have five groups on the Identity Provider. All users in these five groups will be added to the Workspace with the corresponding role after the configuration is properly set (including the push group).

In cases where a member is in multiple groups, we will coalesce based on the following order: Admin, Reviewer, then Labeler. For example, if John is both in the Administrator and QA groups, John will be an Admin since the Admin (from the Administrator group) is higher than the Reviewer (from the QA group).

Last updated