This is available on the Enterprise Plan. Contact Kolena if you’re not on an Enterprise plan but would like to try this feature.
You can automate user provisioning and deprovisioning in Kolena through your Organization’s identity provider with SCIM (System for Cross-domain Identity Management). This guide covers enabling SCIM, configuring groups, mapping roles, and managing users. Kolena supports SCIM integration with the following identity providers:
  • Okta
  • Entra ID (Azure AD)
  • Google Workspace
  • CyberArk
  • JumpCloud
  • OneLogin
  • PingFederate
  • Rippling

Prerequisites

  • You must have admin access to your Kolena Organization
  • You must have admin access to your Organization’s identity provider

Step 1: Configure Groups in your Identity Provider

In your identity provider’s admin console, create groups for the users you intend to sync with Kolena. We recommend setting up a group for Organization admin users, plus separate groups that correspond to each Kolena Workspace and role.

Example group names: assuming there are two Workspaces on Kolena named “Data Science” and “Engineering”, you might create the following groups:
  • app-kolena-organization-admin (for Organization admin users)
  • app-kolena-data-science-admin (for admin users in the “Data Science” Workspace)
  • app-kolena-data-science-editor (for editor users in the “Data Science” Workspace)
  • app-kolena-data-science-viewer (for viewer users in the “Data Science” Workspace)
  • app-kolena-engineering-admin (for admin users in the “Engineering” Workspace)
  • app-kolena-engineering-editor (for editor users in the “Engineering” Workspace)
  • app-kolena-engineering-viewer (for viewer users in the “Engineering” Workspace)

Add Users to Groups

Within your identity provider, assign users to the appropriate groups based on their desired permissions in Kolena.

Step 2: Enable SCIM on Kolena

  1. Sign in to Kolena
  2. Click “Manage Organization” from your user profile or navigate to your Organization page
  3. Click the “SCIM” button
  4. Click the “Connect SCIM Provider” button to open a new tab with the connection steps
  5. Follow the prompts to connect Kolena to your identity provider (e.g., Okta, Entra ID, Google Workspace). This typically involves generating an API key or OAuth token depending on your provider

Assign Organization Roles

The next step in the connection process is assigning user roles to your groups. For user groups that should have Organization admin privileges, assign the admin role. All other groups can be left unassigned for now, as their Workspace roles will be set later. In the example above, you would assign the admin role to app-kolena-organization-admin so that users in that group are granted Organization admin privileges in Kolena.
You can always change these role mappings by returning to Kolena and clicking the “Manage SCIM Integration” button, which takes you back to the connection page in a new tab.

Verify Connection

After enabling SCIM, you should see a confirmation message indicating a successful connection and that your groups are being synced.

Assign Workspace Roles

Once the groups are synced into Kolena, you need to assign Workspace roles to each group so that users receive the correct permissions within each Workspace.
  1. Sign in to Kolena
  2. Click “Manage Organization” from your user profile or navigate to your Organization page
  3. Click on “Organization” and locate the desired Workspace, e.g. “Data Science”
  4. Click the “Roles” button under “User Access”, then click “Assign Roles”
  5. Select the appropriate group from the dropdown and assign the corresponding role, e.g. app-kolena-data-science-editor as editor
  6. Repeat for all Groups and Workspaces
If a user is in multiple groups, they are granted the highest permission level out of their groups.
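
Because the highest role wins, a single leftover group membership decides a user's access. The following added example (not Kolena code, and calling no Kolena API) audits a constructed group export against the role mapping. The ranking viewer < editor < admin, the sample users, and the `audit` function are assumptions.

```python
from collections import defaultdict

ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}  # assumed ordering, lowest to highest

# Group -> (scope, role) as assigned in Kolena; constructed to match the guide's example names.
GROUP_ROLES = {
    "app-kolena-organization-admin": ("Organization", "admin"),
    "app-kolena-data-science-admin": ("Data Science", "admin"),
    "app-kolena-data-science-editor": ("Data Science", "editor"),
    "app-kolena-data-science-viewer": ("Data Science", "viewer"),
    "app-kolena-engineering-editor": ("Engineering", "editor"),
    "app-kolena-engineering-viewer": ("Engineering", "viewer"),
}

# Constructed identity-provider export: group -> members.
IDP_GROUPS = {
    "app-kolena-organization-admin": ["alice@example.com"],
    "app-kolena-data-science-admin": ["bob@example.com"],
    "app-kolena-data-science-viewer": ["bob@example.com", "carol@example.com"],
    "app-kolena-engineering-editor": ["carol@example.com"],
    "app-kolena-engineering-admin": ["dave@example.com"],  # synced, but no role assigned yet
}

def audit(idp_groups, group_roles):
    """Return (effective, shadowed, unmapped) under the highest-role-wins rule."""
    grants = defaultdict(list)  # (user, scope) -> [(role, group), ...]
    unmapped = sorted(g for g in idp_groups if g not in group_roles)
    for group, members in idp_groups.items():
        if group in group_roles:
            scope, role = group_roles[group]
            for user in members:
                grants[(user, scope)].append((role, group))
    effective, shadowed = {}, []
    for (user, scope), pairs in sorted(grants.items()):
        top_role, top_group = max(pairs, key=lambda p: ROLE_RANK[p[0]])
        effective[(user, scope)] = top_role
        # A lower-role membership hidden behind a higher one often means a stale grant.
        shadowed += [(user, scope, role, top_group) for role, group in pairs
                     if ROLE_RANK[role] < ROLE_RANK[top_role]]
    return effective, shadowed, unmapped

if __name__ == "__main__":
    effective, shadowed, unmapped = audit(IDP_GROUPS, GROUP_ROLES)
    for (user, scope), role in effective.items():
        print(f"{user:20} {scope:14} {role}")
    for user, scope, role, group in shadowed:
        print(f"REVIEW {user}: {role} in {scope} is overridden by {group}")
    for group in unmapped:
        print(f"REVIEW {group}: synced group has no role assigned")
```

Run it against a real group export before and after membership changes to confirm that removing someone from an admin group actually lowers their effective role.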

Understanding User Synchronization

Once SCIM is enabled, user synchronization between your identity provider and Kolena happens automatically. However, there are some important aspects to understand about the synchronization process.

Initial Sync

When you first enable SCIM with groups pre-populated with users, Kolena will sync all group members.

Ongoing Sync

Changes to group membership (e.g., adding or removing users) in your identity provider are synced automatically. Kolena’s sync interval is approximately 1 minute, but your identity provider may introduce additional delays (up to 30 minutes or more) before sending events.
Important Notes
  • If users don’t appear in Kolena after adding them to a group, check the sync frequency on your identity provider. For example, Google Cloud Identifier defaults to 30 minutes for sync frequency.
  • Any changes to users on the Kolena platform side will not be reflected back to your identity provider.