LogoLogo
  • Overview
    • Introduction
      • Git-Based Source Control
      • DeviceLink
    • System Requirements
    • Supported Vendors and Device Types
    • Glossary
  • Git-Based Source Control
    • Getting Started
      • Planning
      • Initial Setup
        • Migrations
    • Basic Tasks
      • Navigation
        • Home page
        • Exploring the Web App
        • Exploring the Desktop App
      • Configuration
        • Creating Repositories
        • Creating Templates
        • Cloning Repositories
      • Operations
        • Pulling
        • Committing
        • Pushing
        • Managing History
        • Binary & Large Files
    • Advanced Tasks
      • Branching
        • Branch Protections
      • Pull Requests & Code Review
        • Contributors
        • Reviewers
      • Merging
    • Additional Features
      • Topics
      • Issues
        • Milestones
        • Labels
        • References and Links
      • Wiki
      • Tags & Releases
      • Webhooks
      • Activity
    • Administration
      • Org Settings
      • User Management
        • External Identity Management (SSO + SCIM)
      • Teams & Permissions
        • Permissions by Account Type
      • Registration & Billing
      • Repo Settings
      • Desktop App Options
      • Profile and Settings
        • Notifications
        • Two-Factor Authentication (2FA)
    • Supported Vendors
      • ABB
      • Beckhoff
      • B&R Automation
      • CODESYS
      • Inductive
      • Lenze
      • Rockwell
        • RSLogix 500
        • RSLogix 5000
        • Studio 5000 Logix Designer
      • Schneider
        • Control Expert
        • Machine Expert
      • Siemens
        • Siemens Step7 TIA Portal
        • Siemens Step7 5.x
      • WAGO
    • Integrations
      • Discord
      • Jira
      • Microsoft Teams Connectors
      • Slack
      • Zapier
      • Microsoft Teams Workflows
  • DeviceLink
    • Getting Started
      • Architecture
      • Planning & Installation
    • Sites and Agents
      • Sites
        • Site Settings
        • File Lists
        • Graphs and Metrics
      • Agents
        • Creating a Site-Based Agent
        • Creating a Multi-Site Agent
    • Projects and Devices
    • Vendor Configuration
      • Beckhoff TwinCAT 3
      • CODESYS v3
      • Copia FTP
      • Copia sFTP/SCP
      • Copia Scripting
      • FANUC Robots
      • Rockwell RSLogix 500
      • Rockwell Studio/RSLogix 5000
        • Smart Filter
        • FactoryTalk Linx Considerations
      • Schneider Control Expert
      • Siemens Step7 TIA Portal
      • Siemens Step7 5.x
      • Rockwell PanelView ME HMI
    • Jobs
      • Job Navigation
      • Creating Jobs
      • Managing Jobs and History
      • Manual Backups
      • Pull Requests
    • Additional Features
      • Webhooks
      • Copia Import Tool
        • Getting Started
        • Preparing your data
        • Importing your data
        • Rolling back a prior import
    • Administration
      • Teams
      • Permissions
      • Notifications
  • Copilot (Beta)
    • Copia Copilot Beta
    • Getting Started
    • Using Copia Copilot
  • Support
    • Best Practices
    • FAQs
      • Git-Based Source Control
        • Troubleshooting
      • DeviceLink
        • Troubleshooting
Powered by GitBook
On this page
  • Overview
  • SSO
  • Configuration
  • Usage
  • Directory Sync
  • Functionality
  • Configuration
  • Group ↔️ Team Mapping
  • Removing your Identity Provider
  • Just-in-Time (JIT) Provisioning
  • FAQ

Was this helpful?

  1. Git-Based Source Control
  2. Administration
  3. User Management

External Identity Management (SSO + SCIM)

PreviousUser ManagementNextTeams & Permissions

Last updated 15 days ago

Was this helpful?

Overview

For Enterprise-tier customers, Copia supports both Single Sign-On (SSO) and Directory Sync (SCIM). SSO enables users in your organization to sign-in with an external identity provider. Directory Sync (a.k.a. SCIM) enables IT admins to manage user groups and roles in Copia from their external identity provider

Copia supports the following features:

  • User deprovisioning, reprovisioning, and Just-in-time creation via Directory Sync

  • Team creation, deletion, and membership management via Directory Sync

    • If used with Single-Role teams, this provides the ability to map user groups in your identity provider to specific roles in Copia

  • The option to require usage of SSO login for all primary members of your organization.

  • Support and setup guides for over 20 OIDC and SAML Identity Providers including Shibboleth, Okta, OneLogin, Google, and many more.

Please refer to the bottom of this topic for some frequently asked questions

SSO

Configuration

From the home page, click on the teal Settings button to manage the settings for your Organization.

Select the External Identity Management (SSO) section and click on the Manage SSO button.

Copia has partnered with WorkOS to provide a seamless SSO onboarding experience. You'll be redirected to the WorkOS admin portal, where you can walk through the process of setting up your Identity Provider step-by-step.

After you have finished setup, you will see information about your Identity Provider in Copia. By default, all users in the Organization will have to use the Identity Provider during sign in and sign up.

Usage

After configuring SSO, users will see a Sign in with SSO button on the Copia login screen. Clicking on this allows primary members of your organization to sign in with SSO.

Directory Sync

Functionality

Copia supports the following Directory Sync functionality:

  • User Provisioning: When a user is added to the Copia application in your Identity Provider, Copia creates a pending invitation for the user. When the user logs in for the first time via SSO, the user account is created Just-In-Time.

    • If instead a user with the invited email already exists, they are added to your organization as a non-primary member.

  • User Deprovisioning: When the user loses access to the Copia application in the Identity Provider (e.g. because the user's Identity Provider account was deleted), the Copia user account is deprovisioned (primary members) or removed from your organization (non-primary members).

    • If the user is re-granted access to Copia in the Identity Provider, the user is automatically reprovisioned in Copia.

  • Team creation/deletion (optional): When you grant or revoke access to the Copia application for a Group in the Identity Provider, a team with the same name will be created or deleted in Copia.

  • Team membership sync (optional): When a user is added to or removed from a Group in your Identity Provider, the user will be automatically added to / removed from the Group's associated Copia team.

    • If you combine this functionality with Single-Role teams, you can assign users to specific roles in Copia by assigning them to Groups that correspond to those roles.

Configuration

You must set up SSO before you can set up Directory Sync.

Once SSO is configured, you'll see a description of Directory Sync, along with a button allowing you to set it up:

Clicking Manage Directory Sync takes you to the WorkOS Directory Sync portal, which will walk you through the steps to set up Directory Sync:

Group ↔️ Team Mapping

After setting up Directory Sync, you have the option to enable group ↔️ team mapping. This will enable the team creation/deletion and team membership sync features described in Functionality. When enabled, user and team management will be controlled exclusively from your Identity Provider.

You will not be able to manually add or remove users to your organization or specific teams in your organization, other than the Owners team.

Even with team sync enabled, the "Owners" team is managed within the Copia app, and cannot be synchronized from the Identity Provider. This is because the "Owners" team has special permissions in Copia.

When using Group Mapping, Copia recommends the use of Single-Role teams to maximize your ability to control access to Copia resources from your identity provider. If you enable both of these features, you can control a user's access level in Copia simply by assigning them to a group in your Identity Provider.

If you do not use Single-Role teams, users will be assigned Read access to their mapped teams, and team admins will have to set each team member's permissions on an individual basis

Removing your Identity Provider

If you want to remove SSO and Directory Sync from your Organization, click the Delete Identity Provider button in the Delete Identity Provider Connection section.

Be careful when deleting your Identity Provider. Copia does not collect a password for users who sign up with SSO, so some users in your organization may be unable to sign in until a new Identity Provider is added.

Just-in-Time (JIT) Provisioning

If you set up Directory Sync, Copia will receive updates when you add users to the Copia application in your Identity Provider. When these users attempt to register for an account or sign in with SSO, they will be redirected to your Identity Provider to log in. Upon successful login, an account will be created for them and they will be added to your organization.

It is still recommended to send users an email invite in order to set up their permissions in the app before they join. Users in your organization who receive an email invite will be redirected to SSO during account creation.

FAQ

  • Does this feature support self-hosted systems?

    • There are different SSO options for self-hosted systems. Please contact Copia for more information.

  • Does Copia support user lifecycle management (provisioning/deprovisioning) via SCIM?

    • Yes! See the Directory Sync section

  • Does Copia support mapping groups and roles from my Identity Provider to Copia?

    • Yes! See the Group ↔️ Team Mapping section

  • Does Copia support Just-In-Time user provisioning without Directory Sync?

    • No, you must set up Directory Sync in order to enable Just-In-Time user creation

The Directory Sync settings, highlighting the Team Mapping option