SCIM
SCIM, or System for Cross-domain Identity Management, is an open standard that allows for the automation of user provisioning.
Overview
Once enabled, Admins will not be able to manage users from within Linear as they will be kept up to date through your identity provider.
Configure
Enable and test
- Navigate to Settings > Administration > Security.
- Under the "Authentication" section, click Configure next to "SAML & SCIM".
- Toggle the option to enable SCIM
- Click "View configuration" to get your SCIM base connector URL and Bearer Auth token. Keep these values at hand as you will need them to configure SCIM in your Identity provider.
- In the Okta admin pages, open the Linear application you have for SAML 2.0
- In the General tab, click Edit and choose SCIM in the Provisioning section and Save
- In the Provisioning tab, enter the SCIM Base connector URL you generated from Linear
- For the Unique identifier field for users section enter email
- For Supported provisioning actions you can enable "Import New Users and Profile Updates", "Push New Users" and "Push Profile Updates."
- For Authentication mode field, choose HTTP Header and enter your Bearer token generated from Linear. You can now test the configuration and save
- In OneLogin's Admin panel > Applications, click Add App
- Search for the "SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)" app and add
- Click on the Configuration tab and add your SCIM base URL and Bearer token
- Click on the Provisioning tab and Enable Provisioning
- Save your App
Group push
Linear's SCIM integration also supports group push. From your side all you have to do is start pushing groups from your Identity provider to Linear. These will then map 1:1 with teams in Linear.
If you want to link an existing team to a Group, you will first have to import groups from Linear and then choose an existing team when setting up a specific group push.
Once a team is linked to a Group, managing team membership is accomplished through your identity provider and not in Linear directly.
Disabling SCIM
Once SCIM is disabled on Linear side:
- SCIM requests coming from your Identity provider will be rejected on Linear side.
- Any possible team that was linked to a Group will be unlinked.
- All SCIM restrictions will stop being enforced.
This does mean that if SCIM is re-enabled on Linear side, if any possible changes that happened on your Identity provider will have to be pushed again to Linear. Refer to your Identity provider documentation for more information on accomplishing this.
FAQ
SCIM is available on Business+ and Enterprise plan. If you are interested in upgrading to the Enterprise plan, contact us.
We don't support provisioning roles. We recommend provisioning them as a member and then converting them to a guest afterwards in the Linear settings > members page.