Provision users automatically

  • Public preview
  • Enterprise only

Configure XBOW to manage user provisioning and XBOW access for single sign-on (SSO) users.

Prerequisites

Choose a user provisioning method

  1. Open the XBOW administration menu and select SSO.

    Screenshot of the organization administration drop-down menu, showing options for Audit Events, Members, SSO, and Webhooks
  2. In the sidebar, click Provisioning to show the options.

  3. Choose a provisioning method for users:

    • JIT (Just in time): create users when they log in to XBOW for the first time using SSO.
    • SCIM: synchronize users and groups from your IdP to XBOW, independently of login. Choose SCIM if you want to provision and deprovision users without waiting for them to sign in, or if your IdP already manages user lifecycles centrally.

Set up SCIM provisioning and mapping

If you choose SCIM provisioning for users, you need to synchronize users from your IdP to XBOW before you can map user groups to roles.

Provision users

  1. In the “Provisioning” section, copy the “SCIM Endpoint” URL from XBOW.
  2. In your IdP, open the SCIM provisioning settings for the XBOW application you created during SSO setup. Paste the URL into a “SCIM base URL” (or equivalent) field.
  3. In XBOW, define a token name, then click Create token to generate a token that your IdP uses to access the XBOW SCIM endpoint.
  4. In the SCIM provisioning settings for the XBOW application, paste the new token into the “Bearer token” field (sometimes labeled “API token” or “Secret token”).
  5. Finish setting up SCIM in your IdP.
  6. Set your IdP to synchronize users with XBOW.

Map SCIM groups to XBOW roles

  1. In the “Provisioning” section, a list of the user groups defined in your IdP is displayed.

    If you see a message “No groups synced yet”, trigger synchronization to XBOW in your IdP.

  2. Select each group in turn and assign it an XBOW role.

  3. Optional. Define a Default role for users whose groups do not match any rule. If you omit a default role, users without a matching group cannot access the organization.

  4. When you have finished assigning roles, click Save role mapping.

Set up JIT provisioning and mapping

If you choose JIT provisioning for users, you need to add the names of user groups to XBOW manually. Ensure that each group name matches the name your IdP will report when a user logs in using SSO.

  1. In the “Provisioning” section, add a rule mapping each IdP group that you want to provision to an XBOW role.
  2. Optional. Define a Default role for users whose groups do not match any rule.
  3. When you have finished assigning roles, click Save role mapping.

Note: If you do not define a default role, users without a matching group cannot access the organization. When they try to access Console with SSO, the behavior depends on the SSO configuration:

  • OIDC connection: user is logged in but has no access to the organization.
  • SAML: the error "No account found for this email address" is displayed.
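
The following added example (not XBOW code) audits a planned role mapping before you save it: it reports rules whose group name does not match any IdP group, and users who would fall through to the default role or to no access. It assumes group names are compared exactly (case-sensitive); the group names, users and role names are constructed placeholders.

```python
# Added example: pre-flight audit of a group-to-role mapping (not XBOW code).
# Assumption: group names are compared exactly (case-sensitive).

def audit_mapping(rules, default_role, idp_groups):
    """rules: {group name: role}; idp_groups: {group name: [member emails]}."""
    known = set(idp_groups)
    # A rule whose name matches no IdP group never fires.
    unmatched = sorted(g for g in rules if g not in known)
    # Near miss: same name apart from case or surrounding whitespace.
    norm = {g.strip().casefold(): g for g in known}
    near = {g: norm[g.strip().casefold()]
            for g in unmatched if g.strip().casefold() in norm}
    # Collect every role each user would receive from matching rules.
    roles = {}
    for group, members in idp_groups.items():
        for user in members:
            roles.setdefault(user, set())
            if group in rules:
                roles[user].add(rules[group])
    fallthrough = sorted(u for u, r in roles.items() if not r)
    return {
        "unmatched_rules": unmatched,
        "near_misses": near,
        # Users with no matching group get the default role if one is set...
        "default_role_users": fallthrough if default_role else [],
        # ...and otherwise cannot access the organization.
        "no_access_users": [] if default_role else fallthrough,
        # The page does not state precedence, so flag these for review.
        "multi_role_users": sorted(u for u, r in roles.items() if len(r) > 1),
    }

# Constructed sample data; role names are placeholders.
IDP_GROUPS = {
    "security-admins": ["alice@example.com"],
    "pentesters": ["alice@example.com", "bob@example.com"],
    "contractors": ["carol@example.com"],
}
RULES = {"security-admins": "role-a", "Pentesters": "role-b"}  # note the case

if __name__ == "__main__":
    for key, value in audit_mapping(RULES, None, IDP_GROUPS).items():
        print(f"{key}: {value}")
```

Review the default-role list with the same care as the explicit rules, since every user in it receives access without belonging to a mapped group.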