CodeSignal admins can configure SCIM user provisioning using the Identity Provider (IdP) of their choice, including custom IdPs. This will allow you to create, update, and deactivate accounts. Unfortunately, SCIM groups are not supported at this time.
This article describes how to configure SCIM user provisioning for a custom or less commonly-used IdP. Please refer to one of the articles below if you are using Okta or OneLogin for your IdP:
Prerequisites
Before you can provision external users into your account, you should have single sign-on (SSO) already configured for your CodeSignal account. Instructions for configuring SSO are here:
Step 1: Retrieve your Bearer Token from CodeSignal
- Log in to your company's CodeSignal account. You will need to be a CodeSignal admin to complete this step!
- Click MY COMPANY SETTINGS in the drop-down menu in the top right of your screen.
- In the SSO tab, check to make sure Enable SSO is toggled on.
- Navigate to the User Provisioning tab and toggle on Enable SCIM. Then, click the blue CREATE button to generate a SCIM Token. Copy this token to use in Step 2.
- In the Default Role drop-down menu, choose the default role you'd like to be assigned to new users: Interviewer, Manager, or Company Admin.
Step 2: Enable SCIM API integration in your IdP
You will need the following information to enable the SCIM API integration in your IdP:
- We support SCIM v1 and v2
- SCIM Base URL:
https://app.codesignal.com/api/scim/v1
orhttps://app.codesignal.com/api/scim/v2
(SCIM v1 and v2 correspondingly).- For the sandbox environment, the URLs will contain
sandbox.codesignal.com
instead ofapp.codesignal.com
.
- For the sandbox environment, the URLs will contain
- The supported SCIM attributes are
emails
,name.givenName
andname.familyName
Step 3: Check the email address format in your IdP
CodeSignal uses the email address of a user for identification. That means that the email address attribute for a user should match between SAML SSO and the SCIM user provisioning in your IdP.
Check to make sure that your IdP's username is set to a value that indicates the primary email of the user.
Step 4: Import and assign users
If available in your IdP, we recommend importing and assigning existing CodeSignal users into your IdP. This will fetch existing users from CodeSignal and allow you to automatically add or assign them to existing users in your IdP.
Note that users added to CodeSignal will need to accept an invitation email before they can start using the platform. This is done to protect user privacy and ensure that users are not unintentionally added to a company to give them a chance to confirm before applying company authentication restrictions to their account.
Additionally, note that all new users added to CodeSignal will be assigned the Interviewer role. You can adjust their role from your CodeSignal dashboard once they accept the invitation.
Step 5: Configure owned email domains
In the SSO tab of your company settings in CodeSignal, you will see a section called Owned Email Domains. To add your company's domain (or additional domains) to this list, please contact support@codesignal.com.
Owned email domains are verified as belonging to your company. User accounts with these emails will be automatically created on CodeSignal without requiring confirmation from the users.
Note: Once your SCIM Bearer Token expires, you will receive this automated email:
Any company admin can renew the SCIM token. However, this typically is someone in your IT team. Your IT admin should only click on renew when they are ready to change. This is because CodeSignal might reject any requests that are coming from your identity provider when the most current token is not set up yet. When they are ready to change the token, they can click on renew under My Company Settings > User Provisioning, and configure your identity provider to use the new token immediately. Most companies have either an IT department or someone who is in charge of all administrations of IdP software - so whoever set it up for them initially would be the best person to refresh/renew it for them.
Questions? Email support@codesignal.com