User import and synchronization
This functionality is currently available for Okta and Microsoft Entra ID.
If you use Okta or Microsoft Entra ID as an authentication and identity provider in your organization, you can configure import of users and group synchronization with IDE Services. This feature allows you to keep IDE Services in line with the identity provider, ensuring that employees have the appropriate access based on their position in the organizational structure.
As a prerequisite, make sure that you have Okta configured as an OAuth 2.0 provider for your server.
Open the Okta Admin Console in your browser and log in using your Okta account.
From the main menu, select Directory | Groups. There, you can create new groups or view the details of existing ones.
Copy and save identifiers of the groups you want to import. For this purpose, click the name of a specific group and find its identifier in the URL. For example, in the URL https://exampletenant.okta.com/admin/group/00g5j4jojlGZMzfhM697, the group ID is 00g5j4jojlGZMzfhM697.
In the Okta Admin Console, go to Security | API and navigate to the Tokens tab.
Click Create token.
In the dialog that opens, provide a token name and click Create token.
Copy and save the generated value.
Add the following configuration to your server configuration file:
application.yaml:

tbe:
  users:
    import:
      enabled: true
      provider: 'okta'
      activate-provisioned-users: true
      url: 'https://exampletenant.okta.com'
      # API token generated on the Tokens tab, prefixed with SSWS
      token: 'SSWS <APItoken_value>'
      schedule: '0 */10 * * * *'
      mapping:
        # Group IDs copied from the Okta Admin Console
        groups:
          - '<groupID1>'
          - '<groupID2>'
        admin-groups: ['<groupID1>']

values.yaml (Helm):

ides:
  config:
    configCustomization:
      tbe:
        users:
          import:
            enabled: true
            provider: 'okta'
            activate-provisioned-users: true
            url: 'https://exampletenant.okta.com'
            # API token generated on the Tokens tab, prefixed with SSWS
            token: 'SSWS <APItoken_value>'
            schedule: '0 */10 * * * *'
            mapping:
              # Group IDs copied from the Okta Admin Console
              groups:
                - '<groupID1>'
                - '<groupID2>'
              admin-groups: ['<groupID1>']
For more details, refer to User import.
Start your IDE Services Server.
Note: While mapped IdP groups are imported and appear in IDE Services as soon as the IDE Services Server is restarted, the users within these groups will only be imported after their initial login to the IDE Services organization. This means a user from an imported IdP group will not be visible in IDE Services until they log in for the first time.
As a prerequisite, make sure that you have Microsoft Entra ID configured as an OAuth2 provider for your server.
Open the Microsoft Entra admin center in your browser and log in using your account.
Go to Identity | Applications | App registrations and open the IDE Services application overview.
From the menu on the left, select API permissions.
Click Add a permission. Then select Microsoft Graph | Application permissions.
Find and add the following application permissions: Group.Read.All, GroupMember.Read.All, User.Read.All.
In the Microsoft Entra admin center, navigate to Identity | Groups | All groups. There, you can create new groups or view the details of existing ones.
Copy and save identifiers of the groups you want to import. For this purpose, click the group name to view its details and copy the value of the Object ID.
Add the following configuration to your server configuration file:
application.yaml:

tbe:
  users:
    import:
      enabled: true
      provider: 'entra'
      url: 'https://graph.microsoft.com'
      login-max-delay: 2s
      schedule: '0 */15 * * * *'
      mapping:
        # Object IDs copied from the Microsoft Entra admin center
        groups:
          - '<object_id_of_group1>'
          - '<object_id_of_group2>'
        admin-groups: ['<object_id_of_group1>']

values.yaml (Helm):

ides:
  config:
    configCustomization:
      tbe:
        users:
          import:
            enabled: true
            provider: 'entra'
            url: 'https://graph.microsoft.com'
            login-max-delay: 2s
            schedule: '0 */15 * * * *'
            mapping:
              # Object IDs copied from the Microsoft Entra admin center
              groups:
                - '<object_id_of_group1>'
                - '<object_id_of_group2>'
              admin-groups: ['<object_id_of_group1>']
For more details, refer to User import.
Start your IDE Services Server.
Note: While mapped IdP groups are imported and appear in IDE Services as soon as the IDE Services Server is restarted, the users within these groups will only be imported after their initial login to the IDE Services organization. This means a user from an imported IdP group will not be visible in IDE Services until they log in for the first time.
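A pre-deployment check for the Okta and Microsoft Entra ID import settings shown above, added here as an example and not part of IDE Services or its documentation. It works on the already parsed tbe.users.import mapping. The function name, the ID patterns, the six-field schedule check and the rule that every admin group should also be an imported group are assumptions drawn from the page's samples.

```python
import re

# Format assumptions inferred from the page's samples, not from a published spec.
OKTA_GROUP_ID = re.compile(r"^00g[0-9A-Za-z]{17}$")  # e.g. 00g5j4jojlGZMzfhM697
ENTRA_OBJECT_ID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER = re.compile(r"<[^>]*>")  # e.g. <groupID1>, <APItoken_value>


def check_import_config(cfg):
    """Return a list of findings for a parsed tbe.users.import mapping."""
    imp = cfg.get("tbe", {}).get("users", {}).get("import", {})
    findings = []
    provider = imp.get("provider")
    if provider not in ("okta", "entra"):
        return [f"unsupported provider: {provider!r}"]
    id_format = OKTA_GROUP_ID if provider == "okta" else ENTRA_OBJECT_ID
    mapping = imp.get("mapping", {})
    groups = mapping.get("groups", [])
    admin_groups = mapping.get("admin-groups", [])
    for gid in dict.fromkeys(groups + admin_groups):  # de-duplicate, keep order
        if PLACEHOLDER.search(gid):
            findings.append(f"placeholder left in group list: {gid}")
        elif not id_format.match(gid):
            findings.append(f"group id does not look like a {provider} id: {gid}")
    # Assumption: admin groups should also be imported groups, as in the samples.
    for gid in admin_groups:
        if gid not in groups:
            findings.append(f"admin group is not an imported group: {gid}")
    if provider == "okta":
        token = imp.get("token", "")
        if not token.startswith("SSWS "):
            findings.append("token must start with 'SSWS '")
        elif PLACEHOLDER.search(token):
            findings.append("token still contains a placeholder")
    if not imp.get("url", "").startswith("https://"):
        findings.append("url must use https")
    if len(str(imp.get("schedule", "")).split()) != 6:
        findings.append("schedule must have six cron fields")
    return findings


# Constructed sample: the page's Okta block with one real-looking ID filled in.
SAMPLE = {"tbe": {"users": {"import": {
    "enabled": True, "provider": "okta",
    "url": "https://exampletenant.okta.com",
    "token": "SSWS <APItoken_value>", "schedule": "0 */10 * * * *",
    "mapping": {"groups": ["00g5j4jojlGZMzfhM697"],
                "admin-groups": ["00g5j4jojlGZMzfhM697", "<groupID2>"]}}}}}
print("\n".join(check_import_config(SAMPLE)))
```

Running the check in a deployment pipeline catches an unfilled placeholder or an unintended admin mapping before the server is restarted and the groups are imported.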
IDE Services periodically checks and synchronizes user and group details with the identity provider. The synchronization schedule depends on the value of the tbe.users.import.schedule property set in your server configuration file.
In case you need to synchronize the information faster, you can initiate the process manually:
In the IDE Services Web UI, navigate to the Users page.
In the top right corner of the screen, click Synchronize users.
Tip: This action is also available from the profile details page.