
How do we set up SCIM provisioning in Coder Premium (group sync / role mapping)?
SCIM provisioning in Coder Premium lets you push users, groups, and role mappings from your identity provider (IdP) into Coder so you don’t manage access by hand. Done right, you get consistent access control, fast onboarding/offboarding, and clean audit trails without leaving your infrastructure.
Quick Answer: Coder Premium supports SCIM provisioning from your IdP to automatically create users, sync groups, and map those groups into Coder roles using OIDC group + role sync. You configure SCIM in your IdP, enable it in Coder’s admin settings, and define how IdP groups map to Coder roles (e.g., admin, auditor, developer) so access stays governed and auditable.
Frequently Asked Questions
How does SCIM provisioning work in Coder Premium?
Short Answer: SCIM in Coder Premium lets your IdP act as the source of truth for users and groups, while Coder consumes those SCIM updates and maps groups to roles via OIDC group + role sync.
Expanded Explanation:
Coder is self-hosted on your infrastructure (cloud or air-gapped on‑prem), so your IdP reaches your coderd control plane over your own network, not a vendor SaaS. With SCIM enabled, the IdP can automatically create, update, and deactivate Coder users, and sync group membership. Coder then uses those IdP groups (via OIDC claims) to assign roles like admin, auditor, or standard user.
The result is consistent RBAC enforced where your workspaces actually run—inside your infrastructure. Security teams don’t rely on manual account clean‑up, and platform teams don’t have to hand‑manage access every time someone changes teams or projects.
Key Takeaways:
- SCIM keeps Coder user and group data aligned with your IdP as the single source of truth.
- Group membership from the IdP drives role assignments in Coder via OIDC group + role sync and RBAC.
How do we set up SCIM provisioning in Coder Premium end to end?
Short Answer: You configure a SCIM application in your IdP, point it at your Coder SCIM endpoint with an auth token, then enable OIDC group + role sync in Coder and define which IdP groups map to which Coder roles.
Expanded Explanation:
From an operator’s point of view, SCIM setup is about aligning three layers: IdP (users + groups), OIDC (authentication + group claims), and Coder RBAC (roles and permissions). You’ll first stand up Coder with OIDC SSO, then add SCIM so the IdP can push users/groups, and finally configure role mapping so synced groups drive Coder access.
Because Coder is self‑hosted, you must ensure coderd is reachable from your IdP (over HTTPS) and that SCIM traffic stays inside your network boundaries or approved ingress paths. Treat the SCIM bearer token like any other privileged API credential—store it in your secret manager, not in a doc or chat.
Steps:
- Confirm OIDC SSO is configured in Coder.
- In the Coder admin UI, verify OIDC SSO is enabled and log in via your IdP at least once to confirm group claims are available.
- Create a SCIM app in your IdP.
- In Okta/Azure AD/Entra ID/etc., create an “SCIM provisioning” or “SCIM 2.0” application and set the SCIM base URL to your Coder SCIM endpoint (e.g., https://coder.example.com/scim/v2/).
- Generate and configure a SCIM token.
- In Coder’s admin settings, create a SCIM access token.
- Paste this token into your IdP’s “SCIM Bearer Token / Secret Token” field.
- Configure attribute mappings for users and groups.
- Ensure user attributes (userName, emails, active) map correctly to Coder fields.
- Enable group provisioning and map group display names or IDs to SCIM group attributes.
- Assign users and groups to the SCIM app.
- In your IdP, assign the relevant users and groups to the Coder SCIM application so the IdP starts provisioning them.
- Enable group + role sync in Coder.
- In Coder admin, enable OIDC group sync and define how incoming IdP groups map to Coder roles (see next question).
- Test provisioning and deprovisioning.
- Trigger “Test Connection” and “Provision User” from your IdP.
- Verify that the user appears in Coder with the expected groups and role.
- Deactivate a test user in the IdP and confirm access is disabled in Coder.
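The test step above is easier to reason about when you can see exactly what the IdP sends and what a correct SCIM endpoint must do with it. The following is an added, offline stand-in for a SCIM 2.0 endpoint, not Coder's implementation: it rejects requests whose bearer token does not match (using a constant-time comparison, since the token is a privileged credential), creates a user from `userName`/`emails`/`active`, and honours the `PATCH` that sets `active` to `false` when the IdP deactivates the user. The token value, user IDs and payloads are constructed for the example; the `/scim/v2/Users` path follows the base URL given in the steps.

```python
"""Offline SCIM 2.0 endpoint stand-in for rehearsing the provision / deprovision test.
Added example, not Coder's SCIM code; the token and payloads are constructed."""
import hmac
import uuid
from dataclasses import dataclass
from typing import Optional

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


@dataclass
class ScimUser:
    id: str
    user_name: str
    email: str
    active: bool


def scim_error(status: int, detail: str) -> tuple:
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def _as_bool(value) -> bool:
    # Some IdPs send "False"/"True" strings instead of JSON booleans.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


class ScimEndpoint:
    """Handles the subset of SCIM an IdP uses to push users: create, read, patch."""

    def __init__(self, expected_token: str):
        self._token = expected_token          # in production: loaded from a secret manager
        self.users: dict = {}                 # id -> ScimUser

    def _authorized(self, headers: dict) -> bool:
        # Constant-time compare: a plain == would leak a byte-by-byte timing oracle.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False
        return hmac.compare_digest(auth[len("Bearer "):], self._token)

    def handle(self, method: str, path: str, headers: dict, body: Optional[dict] = None) -> tuple:
        if not self._authorized(headers):
            return scim_error(401, "invalid or missing bearer token")
        parts = path.strip("/").split("/")    # e.g. ["scim", "v2", "Users", "<id>"]
        if len(parts) < 3 or parts[:2] != ["scim", "v2"] or parts[2] != "Users":
            return scim_error(404, "unsupported resource")
        user_id = parts[3] if len(parts) > 3 else None
        if method == "POST" and user_id is None:
            return self._create(body or {})
        if method == "GET" and user_id:
            return self._get(user_id)
        if method == "PATCH" and user_id:
            return self._patch(user_id, body or {})
        return scim_error(405, "method not allowed")

    def _create(self, body: dict) -> tuple:
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "userName and the User schema are required")
        if any(u.user_name == body["userName"] for u in self.users.values()):
            return scim_error(409, "userName already exists")
        emails = body.get("emails", [])
        primary = next((e["value"] for e in emails if e.get("primary")), None)
        if primary is None and emails:
            primary = emails[0]["value"]
        user = ScimUser(id=str(uuid.uuid4()), user_name=body["userName"],
                        email=primary or "", active=_as_bool(body.get("active", True)))
        self.users[user.id] = user
        return 201, self._represent(user)

    def _get(self, user_id: str) -> tuple:
        user = self.users.get(user_id)
        return (200, self._represent(user)) if user else scim_error(404, "user not found")

    def _patch(self, user_id: str, body: dict) -> tuple:
        user = self.users.get(user_id)
        if not user:
            return scim_error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return scim_error(400, "unsupported op %r" % op.get("op"))
            # IdPs spell deactivation either as {"path": "active", "value": false}
            # or as {"value": {"active": false}}; accept both.
            if op.get("path") == "active":
                user.active = _as_bool(op.get("value"))
            elif "path" not in op and isinstance(op.get("value"), dict) and "active" in op["value"]:
                user.active = _as_bool(op["value"]["active"])
            else:
                return scim_error(400, "only the active attribute is patchable here")
        return 200, self._represent(user)

    @staticmethod
    def _represent(user: ScimUser) -> dict:
        return {"schemas": [USER_SCHEMA], "id": user.id, "userName": user.user_name,
                "emails": [{"value": user.email, "primary": True}], "active": user.active}
```

Drive it the way the IdP would during the test step: `POST /scim/v2/Users` with the user payload, then `PATCH /scim/v2/Users/<id>` with a `PatchOp` setting `active` to `false`, and confirm the `GET` afterwards reports `active: false`. A request carrying the wrong token must come back `401` before any user data is touched.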
What’s the difference between SCIM group sync and role mapping in Coder Premium?
Short Answer: SCIM group sync brings users and groups into Coder from your IdP, while role mapping tells Coder which permissions a synced group should get.
Expanded Explanation:
Think of SCIM as “who exists and which groups they belong to,” and role mapping as “what they’re allowed to do inside Coder.” SCIM does not decide permissions by itself; it just delivers identities and group memberships reliably. Coder’s RBAC engine then uses those groups (from OIDC claims) to attach roles that control actions like managing templates, approving workspaces, or accessing audit logs.
This separation is intentional. Platform and security teams can keep their existing group hierarchy in the IdP, then express “who can do what” in Coder using roles. If your org reorganizes teams, you only adjust group memberships and mappings—no need to manually touch individual accounts in Coder.
Comparison Snapshot:
- Option A: SCIM group sync
- Syncs users and groups from the IdP into Coder.
- Ensures account lifecycle (create/update/deactivate) mirrors the IdP.
- Option B: Role mapping (RBAC)
- Maps incoming IdP groups to Coder roles with defined permissions.
- Controls what users can do once they’re authenticated.
- Best for: Organizations that want IdP‑driven identities with centralized RBAC in Coder, so onboarding/offboarding and access changes are both automatic and governed.
How do we implement group-based role mapping for Coder Premium?
Short Answer: Decide which IdP groups represent your access tiers, then configure Coder to map those groups to roles like admin, auditor, or standard user using OIDC group + role sync.
Expanded Explanation:
You want a clear, stable contract between IdP groups and Coder roles. Start by naming dedicated groups like coder-admins, coder-platform, coder-developers, and coder-auditors in your IdP—don’t overload existing catch‑all groups if you can avoid it. Then, in Coder, bind those groups to specific roles.
For example, platform engineers in coder-platform might manage templates and infrastructure‑level settings but not global org configuration, while coder-admins can handle org‑wide configuration including SCIM and AI Bridge. coder-auditors might have read‑only access to logs, workspace metadata, and AI Bridge records for compliance review.
What You Need:
- IdP groups designed for Coder RBAC
- e.g., coder-admins, coder-platform, coder-developers, coder-auditors.
- Coder role mapping configuration
- In the Coder admin UI or configuration file, specify rules like:
- coder-admins → Coder Admin Role
- coder-platform → Template/Infra Operator Role
- coder-developers → Standard User Role
- coder-auditors → Read‑only/Audit Role
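The contract between groups and roles described above behaves predictably only if the mapping is explicit and fail-closed: a group that is not in the table grants nothing, and a deactivated user holds no role at all. The following is an added example of that resolution logic, not Coder's role-sync engine; the short role names (`admin`, `template-operator`, `member`, `auditor`) are placeholders standing in for the page's Coder Admin, Template/Infra Operator, Standard User and Read-only/Audit roles, and the user names are constructed.

```python
"""Fail-closed group-to-role resolution for IdP-driven RBAC.
Added example, not Coder's implementation; role names are placeholders."""
from dataclasses import dataclass

# The only place where an IdP group is allowed to mean anything in Coder.
# Groups absent from this table grant nothing, so a catch-all or misnamed
# group cannot widen access by accident.
GROUP_TO_ROLE = {
    "coder-admins": "admin",
    "coder-platform": "template-operator",
    "coder-developers": "member",
    "coder-auditors": "auditor",
}


@dataclass(frozen=True)
class RoleDecision:
    roles: frozenset            # roles the user should hold right now
    unmapped_groups: frozenset  # groups that reached Coder but carry no meaning; worth alerting on


def resolve_roles(groups, active: bool = True) -> RoleDecision:
    """Derive roles from IdP group membership.

    A user the IdP has deactivated gets no roles regardless of groups, so
    offboarding needs nothing beyond the SCIM deactivation itself."""
    if not active:
        return RoleDecision(frozenset(), frozenset())
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    unmapped = {g for g in groups if g not in GROUP_TO_ROLE}
    return RoleDecision(frozenset(roles), frozenset(unmapped))


def plan_role_changes(current_roles, desired_roles) -> dict:
    """Diff current against desired so a group change both grants and revokes.
    Revocation is what makes a reorg or offboarding deterministic."""
    current, desired = set(current_roles), set(desired_roles)
    return {"grant": sorted(desired - current), "revoke": sorted(current - desired)}


def sync_user(user_name: str, groups, active: bool, current_roles) -> dict:
    """One sync pass for a single user: resolve, diff, and report in one record
    that can be written to the audit log."""
    decision = resolve_roles(groups, active)
    changes = plan_role_changes(current_roles, decision.roles)
    return {
        "user": user_name,
        "roles": sorted(decision.roles),
        "unmapped_groups": sorted(decision.unmapped_groups),
        "grant": changes["grant"],
        "revoke": changes["revoke"],
    }


if __name__ == "__main__":
    # A platform engineer moved to a development team: the IdP group change
    # alone must revoke the operator role and grant the standard one.
    print(sync_user("bob", {"coder-developers"}, True, {"template-operator"}))
    # A deactivated admin keeps no role even though the group is still present.
    print(sync_user("carol", {"coder-admins"}, False, {"admin"}))
```

The `unmapped_groups` field is the part teams tend to skip: when the IdP starts sending a group that the mapping does not know, that is either a naming drift or someone expecting access they are not getting, and surfacing it in the sync record lets the security team catch it during review rather than when a ticket arrives.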
How does SCIM provisioning and role mapping support long-term governance?
Short Answer: SCIM plus group-based role mapping turns Coder into a governed access layer—user lifecycle and permissions track your IdP policies, keeping code, data, and AI usage controlled inside your infrastructure.
Expanded Explanation:
In a real platform environment, the risk isn’t just “can someone log in?”—it’s “who can reach which workspaces, templates, dev URLs, and AI tools, and can we prove it later?” With SCIM provisioning, deactivating an account or changing a group in your IdP reliably updates Coder. With RBAC and role mapping, you can constrain who can change templates, approve workspace types, or configure AI Bridge.
This matters for teams replacing VDI or moving into tightly regulated domains. You centralize access policy in your IdP, enforce it at the Coder control plane, and keep all workspaces on your own infrastructure (AWS, Azure, GCP, or air‑gapped on‑prem). When you enable the AI Governance Add-On, AI Bridge logs prompts, token usage, and tool calls in a way that’s tied back to SCIM‑provisioned identities, so your SIEM pipeline sees a full picture of “who did what, where, and with which tools.”
Why It Matters:
- Tight lifecycle control: Onboarding is immediate (assign a group, SCIM provisions the user, Coder role mapping grants access), and offboarding is deterministic (remove the user or group, access is revoked).
- Audited, governed environments: Access to templates, workspaces, dev URLs, and AI Bridge is consistently governed via roles that map back to IdP groups, simplifying accreditation and security reviews across regions and classification levels.
Quick Recap
SCIM provisioning in Coder Premium lets your IdP drive user and group lifecycle, while Coder’s OIDC group + role sync converts those groups into concrete permissions. You self‑host Coder on your infrastructure, expose a SCIM endpoint to your IdP, and define clear mappings from IdP groups to Coder roles so developers, platform engineers, and auditors get the right level of access by default. That combination replaces ad‑hoc account management with consistent, auditable governance over who can reach your remote workspaces and AI tools.