External Identity Management (SSO + SCIM)

Overview

For Enterprise-tier customers, Copia supports both Single Sign-On (SSO) and Directory Sync (SCIM). SSO enables users in your organization to sign in and sign up with an external identity provider. Copia's support for Directory Sync (a.k.a. SCIM) enables IT admins to control user access to Copia from their external identity provider.

Copia supports the following features:

  • User deprovisioning, reprovisioning, and Just-in-time creation via Directory Sync

  • The option to require usage of SSO login for all primary members of your organization.

  • Support and setup guides for over 20 OIDC and SAML Identity Providers including Shibboleth, Okta, OneLogin, Google, and many more.

Please refer to the bottom of this topic for some frequently asked questions.

SSO

Configuration

From the Dashboard, click on the teal Settings button to manage the settings for your Organization.

Select the External Identity Management (SSO) section and click on the Manage SSO button.

Copia has partnered with WorkOS to provide a seamless SSO onboarding experience. You'll be redirected to the WorkOS admin portal, where you can walk through the process of setting up your Identity Provider step-by-step.

After you have finished setup, you will see information about your Identity Provider in Copia. By default, all users in the Organization will have to use the Identity Provider during sign in and sign up.

Usage

After configuring SSO, users will see a Sign in with SSO button on the Copia login screen. Clicking on this allows primary members of your organization to sign in with SSO.

Directory Sync

Functionality

Copia supports the following Directory Sync functionality:

  • When a user is given access to Copia from the Identity Provider, Copia either:

  • When the user's access to Copia is removed from the Identity Provider (e.g. because the user's Identity Provider account was deleted), the Copia user account is deprovisioned (primary members) or removed from your organization (non-primary members).

    • If the Identity Provider subsequently restores the user's access to Copia, the user is reprovisioned in Copia automatically.

Configuration

You must set up SSO before you can set up Directory Sync.

Once SSO is configured, you'll see a description of Directory Sync, along with a button allowing you to set it up.

Clicking Manage Directory Sync takes you to the WorkOS Directory Sync portal, which will walk you through the steps to set up Directory Sync.

Removing your Identity Provider

If you want to remove SSO and Directory Sync from your Organization, click the Delete Identity Provider button in the Delete Identity Provider Connection section.

Be careful when deleting your Identity Provider. Copia does not collect a password for users who sign up with SSO, so some users in your organization may be unable to sign in until a new Identity Provider is added.

Just-in-Time (JIT) Provisioning

If you set up Directory Sync, Copia will receive updates when you add users to the Copia application in your Identity Provider. When these users attempt to register for an account or sign in with SSO, they will be redirected to your Identity Provider to log in. Upon successful login, an account will be created for them and they will be added to your organization.

It is still recommended to send users an email invite in order to set up their permissions in the app before they join. Users in your organization who receive an email invite will be redirected to SSO during account creation.

FAQ

  • Does this feature support self-hosted systems?

    • There are different SSO options for self-hosted systems. Please contact Copia for more information.

  • Does Copia support user lifecycle management (provisioning/deprovisioning) via SCIM?

    • Yes! See the docs above for more details.

  • Does Copia support Just-In-Time user provisioning without Directory Sync?

    • No, you must set up Directory Sync in order to enable Just-In-Time user creation.

  • Can I manage my Copia team memberships via Directory Sync user groups?

    • No, at this time Copia only supports user lifecycle management via Directory Sync.
