SCIM Setup
Automate User Management in Kolena with SCIM
You can automate user provisioning and deprovisioning in Kolena through your organization’s identity provider with SCIM (System for Cross-domain Identity Management). This guide covers enabling SCIM, configuring groups, mapping roles, and managing users. Kolena supports SCIM integration with the following identity providers:
- Okta
- Entra ID (Azure AD)
- Google Workspace
- CyberArk
- JumpCloud
- OneLogin
- PingFederate
- Rippling
Prerequisites
- Your Kolena organization must be part of the Enterprise plan
- You must have admin access to your Kolena organization
- You must have admin access to your organization’s identity provider
Step 1: Configure Groups in your Identity Provider
In your identity provider’s admin console, create groups for the users you intend to sync with Kolena. We recommend setting up separate groups that correspond to each Kolena role (user, editor, and admin). See here to view a full breakdown of these roles.
Example Group Names:
- app-kolena-user (for user roles)
- app-kolena-editor (for editor roles)
- app-kolena-admin (for admin roles)
Add Users to Groups
Assign users to the appropriate groups based on their desired permission levels in Kolena.
Step 2: Enable SCIM on Kolena
- Sign in to Kolena
- Click “Manage Organization” from your user profile or navigate to your organization page
- Locate the “Users” section
- Click the “Add SCIM Integration” button
- Click the “Connect SCIM Provider” button to open a new tab with the connection steps
- Follow the prompts to connect Kolena to your identity provider (e.g., Okta, Entra ID, Google Workspace). This typically involves generating an API key or OAuth token depending on your provider
Assign Roles
The final step when going through the connection process will be assigning user roles to your groups. Assign the appropriate role to each group. Users will be synced to Kolena with the role that matches their group.
Important Notes
- You can always change these role mappings by returning to Kolena and clicking the “Manage SCIM Integration” button which will take you back to the connection page in a new tab
- Groups without an explicit role will have their users defaulted to the user role when synced with Kolena
- If a user is in multiple groups, they are granted the highest permission level out of their groups
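Before connecting, you can preview the role each person would receive under the two rules above and review who ends up as admin. The following is an added example, not Kolena's code: it assumes the roles rank user < editor < admin, and the group membership data, the unmapped group name, and the approved_admins list are constructed for illustration.

```python
# Assumption: roles rank user < editor < admin (the page lists them in this order).
ROLE_RANK = {"user": 0, "editor": 1, "admin": 2}
DEFAULT_ROLE = "user"  # page: groups without an explicit role default to "user"


def effective_roles(group_members, group_roles):
    """Return {user: (role, granting_groups)} using the page's two rules."""
    result = {}
    for group, members in group_members.items():
        role = group_roles.get(group, DEFAULT_ROLE)
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r} mapped to group {group!r}")
        for user in members:
            current = result.get(user)
            if current is None or ROLE_RANK[role] > ROLE_RANK[current[0]]:
                result[user] = (role, [group])  # higher role replaces lower
            elif role == current[0]:
                current[1].append(group)  # same role granted by another group
    return result


def review_findings(group_members, group_roles, approved_admins):
    """Flag unmapped groups and admins that are not on the approved list."""
    findings = []
    for group in sorted(group_members):
        if group not in group_roles:
            findings.append(f"unmapped group {group}: members default to {DEFAULT_ROLE}")
    for user, (role, groups) in sorted(effective_roles(group_members, group_roles).items()):
        if role == "admin" and user not in approved_admins:
            findings.append(f"unapproved admin {user} via {', '.join(sorted(groups))}")
    return findings


# Constructed sample data; group names follow the page's examples, plus a hypothetical unmapped group.
GROUP_MEMBERS = {
    "app-kolena-user": ["ana@example.com", "bo@example.com"],
    "app-kolena-editor": ["bo@example.com", "cy@example.com"],
    "app-kolena-admin": ["cy@example.com", "dee@example.com"],
    "app-kolena-contractors": ["eli@example.com"],  # no role mapped
}
GROUP_ROLES = {
    "app-kolena-user": "user",
    "app-kolena-editor": "editor",
    "app-kolena-admin": "admin",
}

if __name__ == "__main__":
    for line in review_findings(GROUP_MEMBERS, GROUP_ROLES, {"dee@example.com"}):
        print(line)
```

Feed it a group membership export from your identity provider and the list of people who are meant to be Kolena admins; any finding is worth resolving before the first sync.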
Verify Connection
After enabling SCIM, you should see a confirmation message indicating a successful connection and that your groups are being synced.
Understanding User Synchronization
Once SCIM is enabled, user synchronization between your identity provider and Kolena happens automatically. However, there are some important aspects to understand about the synchronization process.
Initial Sync
When you first enable SCIM with groups pre-populated with users, Kolena will sync all group members.
Ongoing Sync
Changes to group membership (e.g., adding or removing users) in your identity provider are synced automatically. Kolena’s sync interval is approximately 1 minute, but your identity provider may introduce additional delays (up to 30 minutes or more) before sending events.
Important Notes
- If users don’t appear in Kolena after adding them to a group, check the sync frequency on your identity provider. For example, Google Cloud Identifier defaults to 30 minutes for sync frequency
- Any changes to users on the Kolena platform side will not be reflected back to your identity provider