Configure SCIM provisioning

This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.

System for Cross-domain Identity Management (SCIM) is an open standard that allows automated user provisioning and management. With SCIM, you can automate the provisioning of users and groups from your identity provider to Grafana.

Note

This feature is behind the enableSCIM feature toggle. You can enable feature toggles through the configuration file (enable = enableSCIM under the [feature_toggles] section) or through environment variables (GF_FEATURE_TOGGLES_ENABLE=enableSCIM).

For more information, refer to the feature toggles documentation.

Benefits

Note

SCIM provisioning only works with SAML authentication. Other authentication methods aren't supported.

SCIM offers several advantages for managing users and teams in Grafana:

  • Automated user provisioning: Automatically create, update, and disable users in Grafana when changes occur in your identity provider
  • Automated team lifecycle management: Automatically create teams when new groups are added, update team memberships, and delete teams when groups are removed from your identity provider
  • Reduced administrative overhead: Eliminate manual user management tasks and reduce the risk of human error
  • Enhanced security: Automatically disable access when users leave your organization

Authentication and access requirements

When you enable SCIM in Grafana, the following requirements and restrictions apply:

  1. Use the same identity provider: You must use the same identity provider for both authentication and user provisioning. For example, if you use Azure AD for SCIM, you must also use Azure AD for authentication.

  2. Authentication restrictions:

    • Users attempting to log in through other methods (LDAP, OAuth) are blocked
    • By default, users who are not provisioned through SCIM cannot access Grafana
    • You can allow non-SCIM users by setting allow_non_provisioned_users = true

  3. Exceptions: Users with Basic Auth credentials and those using their Grafana Cloud accounts can still log in regardless of these restrictions. Because these accounts sit outside SCIM, disabling a user in the identity provider does not revoke a local Basic Auth login; your offboarding process must cover such accounts separately.

Configure SCIM in Grafana

The table below describes all SCIM configuration options. Like any other Grafana configuration option, you can also set them as environment variables using the GF_<SECTION>_<KEY> convention, for example GF_AUTH_SCIM_USER_SYNC_ENABLED=true.

Setting | Required | Description | Default
--- | --- | --- | ---
user_sync_enabled | Yes | Enable SCIM user provisioning. When enabled, Grafana will create, update, and deactivate users based on SCIM requests from your identity provider. | false
group_sync_enabled | No | Enable SCIM group provisioning. When enabled, Grafana will create, update, and delete teams based on SCIM requests from your identity provider. Cannot be enabled if Team Sync is enabled. | false
allow_non_provisioned_users | No | Allow users who were not provisioned through SCIM to sign in to Grafana. | false

Warning

Team Sync Compatibility:

  • SCIM group sync (group_sync_enabled = true) and Team Sync cannot be enabled simultaneously
  • You can use SCIM user sync (user_sync_enabled = true) alongside Team Sync
  • For more details about migration and compatibility, see SCIM vs Team Sync
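The access rules and configuration options above, modelled as a small Python program. This is an added example, not Grafana's own code: it reads an [auth.scim] fragment with configparser (defaults taken from the settings table) and applies the authentication restrictions from the requirements list. The names parse_scim_config, login_allowed and the team_sync_enabled flag are chosen here for illustration and are not Grafana identifiers.

```python
"""Login decision under SCIM, as the rules above describe it.

Added example, not Grafana's own code. parse_scim_config, login_allowed
and the team_sync_enabled flag are names chosen here, not Grafana ones.
"""
import configparser
from dataclasses import dataclass

# Constructed config fragments for the walkthrough.
STRICT_INI = """
[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

PERMISSIVE_INI = """
[auth.scim]
user_sync_enabled = true
group_sync_enabled = true
allow_non_provisioned_users = true
"""

# Login paths that bypass the SCIM restrictions (exception 3 above).
EXEMPT_METHODS = {"basic", "grafana_cloud"}


@dataclass(frozen=True)
class ScimConfig:
    user_sync_enabled: bool = False
    group_sync_enabled: bool = False
    allow_non_provisioned_users: bool = False


def parse_scim_config(ini_text: str, team_sync_enabled: bool = False) -> ScimConfig:
    """Read [auth.scim]; missing keys fall back to the table defaults.

    team_sync_enabled is an assumed flag standing in for whatever Team Sync
    configuration is active elsewhere. SCIM group sync and Team Sync cannot
    be enabled together, so that combination is rejected here.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    cfg = ScimConfig(
        user_sync_enabled=cp.getboolean("auth.scim", "user_sync_enabled", fallback=False),
        group_sync_enabled=cp.getboolean("auth.scim", "group_sync_enabled", fallback=False),
        allow_non_provisioned_users=cp.getboolean(
            "auth.scim", "allow_non_provisioned_users", fallback=False),
    )
    if cfg.group_sync_enabled and team_sync_enabled:
        raise ValueError("group_sync_enabled cannot be combined with Team Sync")
    return cfg


def login_allowed(cfg: ScimConfig, auth_method: str,
                  provisioned_by_scim: bool, active: bool = True) -> bool:
    """Decide whether a login attempt succeeds under these settings.

    auth_method is one of "saml", "ldap", "oauth", "basic", "grafana_cloud";
    provisioned_by_scim says whether SCIM created the account, and active
    whether the identity provider still reports it as active.
    """
    if auth_method in EXEMPT_METHODS:
        return True      # exception 3: Basic Auth and Grafana Cloud accounts
    if not cfg.user_sync_enabled:
        return True      # assumption: the restrictions only apply with SCIM on
    if auth_method != "saml":
        return False     # other methods (LDAP, OAuth) are blocked
    if provisioned_by_scim:
        return active    # a user deactivated via SCIM stays locked out
    return cfg.allow_non_provisioned_users


if __name__ == "__main__":
    strict = parse_scim_config(STRICT_INI)
    for method, provisioned in [("saml", True), ("saml", False), ("ldap", True), ("basic", False)]:
        print(f"{method:12} provisioned={provisioned!s:5} ->",
              login_allowed(strict, method, provisioned))
```

The deactivated-user case is the one to verify when you test your setup: a SAML login for a user the identity provider has marked inactive must fail even though the account still exists in Grafana.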

Example SCIM configuration

```ini
[auth.scim]
; Provision users from the identity provider (required for SCIM)
user_sync_enabled = true
; Keep group sync off while Team Sync is in use; the two cannot be combined
group_sync_enabled = false
```

Supported identity providers

The following identity providers are supported:

How it works

The synchronization process works as follows:

  1. Configure SCIM in both your identity provider and Grafana
  2. Your identity provider sends SCIM requests to the Grafana SCIM API endpoint
  3. Grafana processes these requests to create, update, or deactivate users and teams, and synchronize team memberships
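The exchange in the three steps above, replayed end to end. This is an added example, not Grafana's SCIM implementation: the request bodies are standard SCIM 2.0 (RFC 7643 and RFC 7644) messages of the kind an identity provider sends, and ScimStore is a toy stand-in for Grafana's user and team state. BASE is an assumed path used only for illustration; the real endpoint is the one Grafana shows when you configure SCIM.

```python
"""The SCIM exchange from the steps above, replayed against a toy store.

Added example, not Grafana's SCIM implementation. BASE is a hypothetical
base path; ScimStore only models what the page says Grafana does with
these requests (create, update, deactivate users; create, update, delete
teams; synchronize memberships).
"""
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
BASE = "/scim/v2"  # hypothetical, not Grafana's endpoint
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')


class ScimStore:
    """Minimal SCIM service provider: users map to users, groups to teams."""

    def __init__(self):
        self.users = {}   # id -> {"userName": str, "active": bool}
        self.teams = {}   # id -> {"displayName": str, "members": set of user ids}
        self._next_id = 1

    def _new_id(self):
        new_id, self._next_id = str(self._next_id), self._next_id + 1
        return new_id

    def handle(self, method, path, body=None):
        """Dispatch one request from the identity provider; returns (status, body)."""
        parts = path[len(BASE):].strip("/").split("/")
        resource, rid = parts[0], (parts[1] if len(parts) > 1 else None)
        if resource == "Users":
            return self._users(method, rid, body)
        if resource == "Groups":
            return self._groups(method, rid, body)
        return 404, {"detail": "unknown resource"}

    def _users(self, method, rid, body):
        if method == "POST":
            name = body["userName"]
            if any(u["userName"] == name for u in self.users.values()):
                return 409, {"detail": "uniqueness"}  # RFC 7644: duplicate userName
            uid = self._new_id()
            self.users[uid] = {"userName": name, "active": bool(body.get("active", True))}
            return 201, {"id": uid, **self.users[uid]}
        if rid not in self.users:
            return 404, {"detail": "user not found"}
        if method == "PATCH":
            for op in body["Operations"]:
                value = op.get("value")
                if op["op"].lower() != "replace":
                    return 400, {"detail": "unsupported op"}
                # Deactivation arrives either as path="active" or as {"active": false}
                if op.get("path") == "active":
                    self.users[rid]["active"] = bool(value)
                elif isinstance(value, dict) and "active" in value:
                    self.users[rid]["active"] = bool(value["active"])
            return 200, {"id": rid, **self.users[rid]}
        return 405, {"detail": "method not allowed"}

    def _groups(self, method, rid, body):
        if method == "POST":
            members = {m["value"] for m in body.get("members", [])}
            if not members.issubset(self.users):
                return 400, {"detail": "unknown member"}  # never link an unprovisioned user
            gid = self._new_id()
            self.teams[gid] = {"displayName": body["displayName"], "members": members}
            return 201, {"id": gid, "displayName": body["displayName"]}
        if rid not in self.teams:
            return 404, {"detail": "group not found"}
        team = self.teams[rid]
        if method == "DELETE":
            del self.teams[rid]  # group removed in the IdP: the team goes with it
            return 204, None
        if method == "PATCH":
            for op in body["Operations"]:
                kind = op["op"].lower()
                if kind == "add" and op.get("path") == "members":
                    new = {m["value"] for m in op["value"]}
                    if not new.issubset(self.users):
                        return 400, {"detail": "unknown member"}
                    team["members"] |= new
                elif kind == "remove" and (m := MEMBER_FILTER.fullmatch(op.get("path", ""))):
                    team["members"].discard(m.group(1))
                elif kind == "replace" and op.get("path") == "displayName":
                    team["displayName"] = op["value"]
                else:
                    return 400, {"detail": "unsupported op"}
            return 200, {"id": rid, "displayName": team["displayName"],
                         "members": [{"value": u} for u in sorted(team["members"])]}
        return 405, {"detail": "method not allowed"}


def run_scenario():
    """Replay onboarding, group sync and offboarding; returns (store, status codes)."""
    store, statuses = ScimStore(), []

    def send(method, path, body=None):
        status, resp = store.handle(method, path, body)
        statuses.append(status)
        return resp

    # Constructed requests, in the order an identity provider would send them.
    alice = send("POST", f"{BASE}/Users", {"schemas": [SCIM_USER], "userName": "alice@example.com"})["id"]
    bob = send("POST", f"{BASE}/Users", {"schemas": [SCIM_USER], "userName": "bob@example.com"})["id"]
    send("POST", f"{BASE}/Users", {"schemas": [SCIM_USER], "userName": "alice@example.com"})  # replay: 409
    sre = send("POST", f"{BASE}/Groups", {"schemas": [SCIM_GROUP], "displayName": "sre",
                                          "members": [{"value": alice}, {"value": bob}]})["id"]
    send("PATCH", f"{BASE}/Groups/{sre}", {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "remove", "path": f'members[value eq "{bob}"]'}]})           # bob leaves the group
    send("PATCH", f"{BASE}/Users/{bob}", {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "replace", "value": {"active": False}}]})                    # bob leaves the company
    send("PATCH", f"{BASE}/Groups/{sre}", {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "999"}]}]})   # unknown user: 400
    send("DELETE", f"{BASE}/Groups/{sre}")                                   # group deleted: team gone
    return store, statuses


if __name__ == "__main__":
    final_store, codes = run_scenario()
    print(codes, final_store.users, final_store.teams)
```

Two details matter for a real deployment and are mirrored here: a deactivation is a PATCH that flips active to false rather than a DELETE, so the Grafana account persists but can no longer log in, and a membership operation that names a user the provider never provisioned is refused instead of silently creating a team member.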

Comparison with other sync methods

Grafana offers several methods for synchronizing users, teams, and roles. The following table compares SCIM with other synchronization methods to help you understand the advantages:

Sync Method | Users | Teams | Roles | Automation | Key Benefits | Limitations | On-Prem | Cloud
--- | --- | --- | --- | --- | --- | --- | --- | ---
SCIM | | | ⚠️ | Full | Complete user and team lifecycle management with automatic team creation | Requires SAML authentication; uses Role Sync for basic roles | |
Team Sync | | ⚠️ | | Partial | Syncs team memberships to existing teams | Requires manual team creation; no team lifecycle management | |
Active LDAP Sync | | | | Full | Background synchronization of LDAP users | Limited to LDAP environments | |
Role Sync | | | | Full | Full automation of basic role assignment | Limited to basic roles only | |
Org Mapping | | | ⚠️ | Full | Full automation of basic role assignment per organization | Limited to basic roles only; on-premises only | | ⚠️

Key advantages

  • Comprehensive user and team automation: SCIM provides full automation for user and team provisioning, while role management is handled separately through Role Sync
  • Dynamic team creation: Teams are created automatically based on identity provider groups
  • Near real-time synchronization: Changes in the identity provider are pushed to Grafana on the provider's own synchronization schedule, so they take effect without manual intervention
  • Enterprise-ready: Designed for large organizations with complex user management needs

Next steps