Requires Enterprise Plans

Enabling SAML SSO and SCIM requires the team to be on Enterprise Cloud or Server plans. Please reachout to your account manager (or) sales@deepsource.io for a demo.

SAML SSO

Configuring SAML SSO on Okta

For now, an admin (on Okta) needs to create a custom SAML integration for DeepSource Enterprise. The steps for which are as given:

  1. On the left sidebar, choose “Applications” → “Applications”, and click on “Create App Integration”.
  2. Choose “SAML 2.0” and click “Next”.
  1. Fill in the following details:
FieldValue
App NameDeepSource
  1. Assuming that DeepSource is hosted on-premise at https://deepsource.foobar.com, fill in the following details accordingly:

If you’re on DeepSource Enterprise Cloud, replace https://deepsource.foobar.com with https://app.deepsource.com

FieldValues
Single sign on URLhttps://deepsource.foobar.com/saml2/acs/
Audience URI (SP Entity ID)https://deepsource.foobar.com/saml2/metadata/
Name ID formatEmailAddress (choose from drop down)
Application usernameEmail (choose from drop down
  1. In “Attribute Statements”, add the following:
FieldName formatValue
first_nameBasicuser.firstName
last_nameBasicuser.lastName
  1. Under Feedback selection, choose:

    1. For “Are you a customer or partner?”, choose “I am an Okta customer, adding an internal app”.
    2. App type: check the box — This is an internal app that we have created. Otherwise, Okta will ask for many other fields. Click on “Finish”.
  2. On the next screen, go to the “SAML Signing Certificates” section. Copy the link for “Identity Provider Metadata” by clicking on Actions -> View IdP metadata for the “SHA-2 Type” certificate. It should be in the format: https://<customer>.okta.com/app/<app-slug>/sso/saml/metadata.

Configuring SAML SSO on DeepSource

Refer to:

SCIM Provisioning

Configuring SCIM on Okta

  1. To Enable SCIM Provisioning, select DeepSource application, then go to General → App Settings → Edit and turn on Enable SCIM provisioning.
  1. Click on the Provisioning tab, under SCIM Connection, click on Edit and configure the given parameters.
FieldValues
SCIM connector base URLhttps://deepsource.foobar.com/scim/v2/
Unique identifier field for usersemail
Supported provisioning actionsPush New Users, Push Profile Updates, Push Groups
Authentication ModeHTTP Header
Authorization bearer tokenSCIM Authentication token which you have put in replicated console (kotsadm)

If you’re on DeepSource Enterprise Cloud, use the following values instead of the values defined above.

FieldValues
SCIM connector base URLhttps://app.deepsource.com/scim/v2/
Unique identifier field for usersemail
Supported provisioning actionsImport New Users and Profile Updates, Push New Users, Push Profile Updates
Authentication ModeHTTP Header
Authorization bearer tokenSCIM Authentication token generated from DeepSource
  1. Click on Test Connector Configuration to verify SCIM connection.

  2. Click on Save to apply the settings.

  3. After the integration is saved successfully, go to To App option on the left sidebar under Settings inside Provisioning.

  4. Enable the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

    and, click on Save.

Configuring SCIM on DeepSource Server (Self hosted)

On enabling SCIM for DeepSource Server, user accounts and their relation with groups will automatically be synced between your SCIM provider and DeepSource Enterprise Server Control Panel.

To learn more about how groups help you manage your DeepSource Enterprise installation better, please refer to our User management documentation.

How to setup SCIM

In order to take benefit from SCIM, there is an initial setup (see SCIM Provisioning above) that has to be performed before moving ahead with the steps on this page.

Assigning members

Please refer to the Okta documentation for help on how to assign users to an application.

On assigning users, they will be synced with your DeepSource Enterprise installation regardless of whether they are a part of a group or not.

This is the preferred way of syncing high-level users who should always have access to the DeepSource Enterprise installation regardless of their group memberships.

Assigning groups

Please refer to the Okta documentation for help on how to assign groups to an application.

The users from the assigned group will be immediately synced with your DeepSource Enterprise installation. But, to sync the groups and their memberships to the DeepSource Enterprise installation, an additional step of “Group push” is required.

Enable group push

Please refer to the Okta documentation for help on how to enable group push.

Pushing a group from Okta will create the group and their memberships in DeepSource Enterprise installation.

Removing groups

Please refer to the Okta documentation for help on how to remove a push group.

A user account will be marked as Inactive on your DeepSource Enterprise installation if the sole group that the user was associated with is removed.

Deactivate and delete users

Please refer to the Okta documentation for help on how to deactivate and delete user accounts

Deactivating or deleting a user in Okta will also revoke their access from your DeepSource Enterprise installation and mark them as Inactive.

FAQs & Troubleshooting

  • Why can’t I manage Okta synced groups and users from DeepSource?

    DeepSource Enterprise admins can create groups on DeepSource Enterprise installation and invite users to them. But when SCIM provisioning is enabled, the groups and users which are synced with Okta can no longer be edited on DeepSource Enterprise installation. The admin must update them from Okta.

  • What if I assign new users to DeepSource Enterprise installation from Okta and there are no free seats available?

    Okta will fail to push a new user and an error will be displayed on Okta:

To retry the task once your license has been upgraded, please follow these steps.

  • How do I re-enable SCIM after I disabled it?

    If SCIM is disabled, you can manage the group from DeepSource Enterprise installation; i.e you can add and remove users to the group from the DeepSource Enterprise control panel.

    In order to re-enable SCIM, ensure the initial setup is done and then perform a Push now. This will overwrite your DeepSource Enterprise installation groups with the data in Okta.

  • What happens if I want to push a Group with the same name as a preexisting group on DeepSource?

    On pushing a group, its membership will be pushed immediately. The group membership which was configured on the DeepSource Enterprise installation will be overwritten.