Self-hosted dev workspaces with SSO (OIDC) + SCIM + RBAC + audit logs — what are the top options?

Most teams don’t realize how hard it is to get all of this in one place—self-hosted dev workspaces, OIDC SSO, SCIM, granular RBAC, and auditable logs—until security and compliance start asking pointed questions. You can hack together SSH bastions and VDI, but if you can’t define environments as code, govern identity centrally, and trace who did what and when, the platform won’t survive its first serious audit.

Quick Answer: The options most often evaluated for governed dev workspaces with SSO (OIDC), SCIM, RBAC, and audit logs are Coder, GitLab Remote Development (self-managed), JetBrains Space On‑Prem, and Kubernetes + VS Code Remote setups built with tooling like DevPod or custom Terraform. GitHub Codespaces is usually on the shortlist too, but its control plane and dev containers are GitHub-hosted (self-hosted runners are a GitHub Actions feature, not a Codespaces one), so it is not self-hosted in the sense this page means. Among the self-hosted options, Coder is the one explicitly designed around Terraform-defined workspaces plus audited AI agent usage; the others can be self-hosted but leave more of that work to you.


Frequently Asked Questions

What should I look for in a self-hosted dev workspace platform with real governance?

Short Answer: You want a platform that keeps code and data inside your infrastructure, uses OIDC SSO + SCIM for identity, enforces fine‑grained RBAC, and emits detailed audit logs for both humans and AI agents.

Expanded Explanation:
Most “remote dev” tools optimize for convenience: spin up a cloud VM, open a browser IDE, call it a day. That falls apart the moment you have to prove who accessed what, from where, and under which policy—and it completely breaks in air‑gapped or classified environments. For serious governance, you need a control plane you self-host (cloud or on‑prem), a clean identity story (OIDC SSO, SCIM, and group sync), and workspaces defined as code so you can standardize OS images, tools, and network policies.

The missing piece in many stacks is observability: platform and security teams need audit logs that show workspace lifecycle events, access decisions, and—if you’re running AI coding agents—prompt, tool, and token usage. Without that, you can’t answer basic incident-response questions or meet accreditation requirements.

Key Takeaways:

  • Self-hosting the control plane is non‑negotiable if you care about keeping source code, data, and model context inside your environment.
  • Terraform-defined workspaces plus OIDC SSO, SCIM, RBAC, and audit logs give platform teams repeatability and security teams the traceability they need.

How does Coder implement OIDC SSO, SCIM, RBAC, and audit logs for self-hosted dev workspaces?

Short Answer: Coder runs as a self-hosted control plane (coderd) on your infrastructure, integrates with your IdP using OIDC SSO and SCIM, enforces RBAC and per-app/per-port share levels, and records auditable logs of workspace activity and AI Bridge usage.

Expanded Explanation:
Coder treats dev environments as governed infrastructure, not as disposable VMs. Workspaces are defined via Terraform templates, so platform teams standardize images, network segments, storage, and quotas. Developers and approved AI coding agents then self‑provision workspaces in seconds—from those templates—on Kubernetes or VMs across AWS, Azure, GCP, or on‑prem.

On the identity side, Coder plugs into your OpenID Connect provider for SSO. SCIM provisioning keeps users and groups in sync, and RBAC plus OIDC group and role mapping lets you control who can create which workspaces, who can edit templates, and who can administer the platform. Access to workspace apps and forwarded ports is governed by share levels (owner-only, authenticated users, or public) so you are not accidentally exposing preview environments to the internet: a "public" app is reachable by anyone holding the URL, with no IdP session at all, so templates should default to the narrowest level that still works.
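The identity wiring above is server configuration, not template code: coderd reads it from environment variables. The following is an added example (not code from the page or from Coder's own repositories) of installing coderd with the official Helm chart from Terraform and setting the OIDC, group-sync, role-sync, and SCIM variables in one place. The hostnames, namespace, IdP group names, role claim values, and Kubernetes Secret names are assumptions for an imaginary environment; the environment variable names are Coder's documented ones. TLS, ingress, and the database connection are deliberately left out.

```hcl
terraform {
  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.12"
    }
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config" # assumed: admin kubeconfig for the cluster that hosts coderd
  }
}

# Assumed names: namespace, hostnames, IdP groups and role claim values are placeholders.
locals {
  namespace  = "coder"
  access_url = "https://coder.internal.example"

  # IdP group -> Coder group. Coder groups drive template access and quotas.
  group_mapping = {
    "sg-platform-engineering" = "platform"
    "sg-app-developers"       = "developers"
  }

  # IdP role claim value -> Coder site roles. Keep "owner" to a small, named set;
  # "auditor" can read audit logs without being able to change anything.
  role_mapping = {
    "coder-owner"          = ["owner"]
    "coder-template-admin" = ["template-admin"]
    "coder-auditor"        = ["auditor"]
  }
}

resource "helm_release" "coder" {
  name             = "coder"
  namespace        = local.namespace
  create_namespace = true
  repository       = "https://helm.coder.com/v2"
  chart            = "coder"

  values = [yamlencode({
    coder = {
      env = [
        { name = "CODER_ACCESS_URL", value = local.access_url },
        # Needed for subdomain-based workspace apps, which keep each app on its own origin.
        { name = "CODER_WILDCARD_ACCESS_URL", value = "*.coder.internal.example" },

        # Password logins off: every human session must come through the IdP.
        { name = "CODER_DISABLE_PASSWORD_AUTH", value = "true" },

        # OIDC SSO. The client secret comes from a pre-created Kubernetes Secret
        # (assumed name "coder-oidc"), so it never lands in Terraform state as a literal.
        { name = "CODER_OIDC_ISSUER_URL", value = "https://idp.internal.example/oauth2/default" },
        { name = "CODER_OIDC_CLIENT_ID", value = "coder" },
        { name = "CODER_OIDC_CLIENT_SECRET", valueFrom = {
          secretKeyRef = { name = "coder-oidc", key = "client-secret" } } },
        { name = "CODER_OIDC_SCOPES", value = "openid,profile,email,groups" },
        { name = "CODER_OIDC_EMAIL_DOMAIN", value = "example.com" },

        # Group sync plus allow-list: users outside the mapped groups cannot log in at all.
        { name = "CODER_OIDC_GROUP_FIELD", value = "groups" },
        { name = "CODER_OIDC_GROUP_MAPPING", value = jsonencode(local.group_mapping) },
        { name = "CODER_OIDC_ALLOWED_GROUPS", value = join(",", keys(local.group_mapping)) },

        # Role sync: site roles come from the IdP on every login, not from the UI.
        { name = "CODER_OIDC_USER_ROLE_FIELD", value = "roles" },
        { name = "CODER_OIDC_USER_ROLE_MAPPING", value = jsonencode(local.role_mapping) },

        # SCIM: the bearer token the IdP presents to Coder's SCIM endpoint, also from a Secret
        # (assumed name "coder-scim").
        { name = "CODER_SCIM_API_KEY", valueFrom = {
          secretKeyRef = { name = "coder-scim", key = "api-key" } } },
      ]
    }
  })]
}
```

Two checks worth doing after `terraform apply`: log in as a user who is in an allowed group but carries no mapped role claim and confirm they land as a plain member, and remove a user from the IdP group to confirm the next login is refused rather than silently retaining access. SCIM, group/role sync and audit logging are licensed features in current Coder releases, so confirm the edition you deploy before relying on them.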

The AI Bridge component runs inside coderd and proxies calls to your configured LLM providers (OpenAI, Anthropic's Claude, Google's Gemini, and others). It captures prompts, responses, token usage, and tool invocations with configurable retention and structured logging, so AI agent behavior is auditable alongside human activity.

Steps:

  1. Deploy coderd on your infrastructure

    • Install via Helm chart into Kubernetes or deploy as services/VMs in your cloud or air‑gapped environment.
    • Point Coder at your compute clusters (Kubernetes, VMs) where workspaces will run.
  2. Integrate identity and access control

    • Configure OIDC SSO with your IdP (Okta, Microsoft Entra ID, Auth0, etc.) and enable SCIM for user/group sync.
    • Map IdP groups to Coder groups and IdP role claims to Coder roles using RBAC and, where needed, custom roles to align with your internal duty separation.
    • Set share levels on workspace apps and forwarded ports in templates to restrict who can reach workspace endpoints.
  3. Define and govern workspaces as Terraform

    • Create Terraform-based templates describing workspace images, resource limits, networks, and IDE options (VS Code Remote, JetBrains Gateway, Jupyter, Cursor/Windsurf, etc.).
    • Publish “golden path” templates for languages, services, and AI coding agents; enforce quotas and idle-stop policies for cost control.
    • Enable AI Bridge and set retention flags/env vars (for example, CODER_AIBRIDGE_ENABLED=true and appropriate --aibridge-retention values) so AI usage is logged and queryable by security.
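To make the three steps concrete, here is an added example of what one "golden path" template from step 3 looks like as Terraform (example code, not a template from the page or from Coder's starter set). It targets Kubernetes and shows the controls a security reviewer will ask about: a parameter whose ceiling is fixed in the template rather than chosen by the developer, a browser IDE exposed only to the workspace owner (with the weak "public" setting shown in a comment for contrast), compute that is actually torn down when the workspace stops or an idle policy fires, and a non-root container with resource limits. The image registry, namespace, and label keys are assumptions.

```hcl
terraform {
  required_providers {
    coder      = { source = "coder/coder" }
    kubernetes = { source = "hashicorp/kubernetes" }
  }
}

provider "coder" {}

# Assumption: coderd runs in-cluster with a service account permitted to manage pods
# in var.namespace, so the kubernetes provider picks up in-cluster credentials.
provider "kubernetes" {}

variable "namespace" {
  type        = string
  description = "Namespace workspaces are created in (assumed)"
  default     = "coder-workspaces"
}

data "coder_workspace" "me" {}
data "coder_workspace_owner" "me" {}

# Developers choose a size, but the ceiling lives in the template, not in the workspace.
data "coder_parameter" "cpu" {
  name         = "cpu"
  display_name = "CPU cores"
  type         = "number"
  default      = 2
  mutable      = true
  validation {
    min = 1
    max = 4
  }
}

resource "coder_agent" "main" {
  arch = "amd64"
  os   = "linux"
  # code-server binds to loopback only; Coder proxies it, so it is never reachable directly.
  startup_script = <<-EOT
    set -e
    curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/tmp/code-server
    /tmp/code-server/bin/code-server --auth none --bind-addr 127.0.0.1:13337 >/tmp/code-server.log 2>&1 &
  EOT
}

# Weak setting, shown for contrast only:  share = "public"
# That would let anyone on the internet who has the URL open the IDE with no IdP session.
#
# Hardened setting: "owner" limits the app to the workspace owner. "authenticated" would
# widen it to any user signed in through Coder's OIDC login, which is the right level for
# a shared preview, not for an IDE with a shell.
resource "coder_app" "code-server" {
  agent_id     = coder_agent.main.id
  slug         = "code-server"
  display_name = "VS Code (browser)"
  url          = "http://localhost:13337/?folder=/home/coder"
  icon         = "/icon/code.svg"
  subdomain    = true  # own origin per app; requires CODER_WILDCARD_ACCESS_URL on the server
  share        = "owner"
  healthcheck {
    url       = "http://localhost:13337/healthz"
    interval  = 5
    threshold = 6
  }
}

resource "kubernetes_pod" "main" {
  # start_count is 1 while the workspace runs and 0 when it is stopped, so a stop
  # (manual or idle-stop) removes the pod instead of leaving compute running.
  count = data.coder_workspace.me.start_count
  metadata {
    name      = "coder-${data.coder_workspace_owner.me.name}-${data.coder_workspace.me.name}"
    namespace = var.namespace
    labels = {
      "app.kubernetes.io/managed-by" = "coder"
      "coder.example/owner"          = data.coder_workspace_owner.me.name # assumed label key
    }
  }
  spec {
    security_context {
      run_as_user = 1000
      fs_group    = 1000
    }
    container {
      name    = "dev"
      image   = "registry.internal.example/golden/ubuntu-dev:24.04" # assumed internal registry
      command = ["sh", "-c", coder_agent.main.init_script]
      env {
        name  = "CODER_AGENT_TOKEN"
        value = coder_agent.main.token
      }
      resources {
        requests = { cpu = data.coder_parameter.cpu.value, memory = "4Gi" }
        limits   = { cpu = data.coder_parameter.cpu.value, memory = "4Gi" }
      }
      security_context {
        run_as_non_root            = true
        allow_privilege_escalation = false
      }
    }
  }
}
```

Push this with `coder templates push`, then verify the governance rather than assuming it: try to set `cpu` to 8 from the UI and confirm the parameter validation rejects it, open the app URL from a browser with no Coder session and confirm you get the login page, and stop the workspace and confirm the pod is gone with `kubectl get pods -n coder-workspaces`. Egress restrictions belong alongside this as a NetworkPolicy selecting the same labels; the template above does not include one.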

How does Coder compare to GitHub Codespaces, GitLab Remote Development, JetBrains Space, and DIY Kubernetes setups?

Short Answer: Coder is fully self-hosted and Terraform-centric with explicit AI governance; GitHub Codespaces and GitLab.com (SaaS) rely on a vendor control plane; JetBrains Space On‑Prem, GitLab Self‑Managed, and DIY Kubernetes setups can be self-hosted but require more custom work for Terraform integration and AI auditability.

Expanded Explanation:
When you evaluate options, you’re really trading off between control and convenience. Vendor-hosted solutions like GitHub Codespaces and GitLab SaaS simplify setup, but your source code and dev data live in someone else’s infrastructure, and their audit model is what you’re stuck with. That’s a hard pass for many regulated teams.

Self-hosted options (Coder, JetBrains Space On‑Prem, GitLab Self‑Managed with Remote Development, or bespoke Kubernetes + VS Code Remote) keep the control plane and data in your environment but vary in how much they give you “out of the box” versus what you need to build yourself—especially around Terraform-defined workspaces and AI agent governance.

Coder’s niche is clear: it’s not your Git host, not CI/CD, not IaC. It orchestrates governed dev workspaces and AI coding agents on top of your existing Git and pipeline systems. That separation is exactly what large orgs want: keep GitHub/GitLab/Bitbucket as‑is, drop Coder in as the dev workspace layer, and wire everything into your existing IdP, SIEM, and network policies.

Comparison Snapshot:

  • Coder (self-hosted control plane)
    • Self-hosted (cloud or air‑gapped on‑prem), Terraform-defined workspaces on VMs/Kubernetes.
    • OIDC SSO, SCIM, RBAC, per-app and per-port share levels, AI Bridge with auditable LLM usage.
    • Works with VS Code, JetBrains Gateway, Jupyter, Cursor, Windsurf; keeps code and context inside your infrastructure.
  • GitHub Codespaces
    • Vendor-hosted control plane; dev containers run in GitHub's cloud. Self-hosted runners are a GitHub Actions feature and do not move Codespaces compute or data onto your infrastructure.
    • SSO through GitHub's enterprise SAML/OIDC integration (OIDC with Entra ID for Enterprise Managed Users), organization and enterprise roles, and the GitHub audit log; the model is tied to GitHub tenancy and data residency.
    • Not an option for air‑gapped or classified deployments; no first‑class AI audit layer focused on coding agents.
  • Best for: Teams that require full control over infrastructure, identity, and AI usage auditing should bias toward Coder or self-hosted GitLab/Space; teams that prioritize tight GitHub integration over strict data residency often pick Codespaces.

How do I actually implement a governed, self-hosted dev workspace stack end‑to‑end?

Short Answer: Stand up a self-hosted control plane (like Coder) in your cloud or on‑prem, wire it to your IdP via OIDC and SCIM, define Terraform-based workspace templates, and feed all audit logs (workspace + AI) into your central SIEM.

Expanded Explanation:
Operationally, the hardest part is not spinning up a VM; it’s creating a system that’s repeatable, debuggable, and provable to auditors. In practice, that means your platform team owns a central remote-dev control plane, each workspace is derived from version-controlled templates, and access is mediated through SSO with clear roles. From there, you push all logs—workspace lifecycle, access decisions, AI agent prompts and tool use—into whatever pipeline your security team already trusts.

For a platform engineer, the win is twofold: you replace brittle snowflake laptops and expensive VDI farms with defined‑as‑code workspaces, and you keep security off your back because everything is observable and bounded. From the developer’s seat, the experience is simple: “log in with SSO, choose a template, open your IDE, start coding.”

What You Need:

  • Control plane + identity integration

    • A self-hosted remote dev platform such as Coder, GitLab Remote Dev (self-managed), or Space On‑Prem.
    • OIDC SSO configured against your IdP; SCIM or equivalent for user and group provisioning; RBAC mapped to your org’s roles.
  • Template-driven workspaces + logging

    • Terraform or similar to define standard workspace types (languages, services, resource classes, AI agent configs).
    • Centralized logging hooked into your SIEM to capture workspace events, auth logs, AI Bridge logs, and network policy hits.

How do these choices impact security, compliance, and long‑term platform strategy?

Short Answer: A self-hosted, Terraform-driven workspace platform with OIDC SSO, SCIM, RBAC, and full audit logs lowers accreditation friction, shrinks your attack surface, and gives you a sustainable way to scale both human developers and AI coding agents.

Expanded Explanation:
Security and compliance care about boundaries, ownership, and evidence. When dev workspaces run as governed resources on your infrastructure, you remove an entire class of risk: source code and sensitive data no longer live on laptops or in a vendor’s cloud tenancy. You can enforce network boundaries (no egress where it’s forbidden), keep model prompts out of external logs, and prove all of that with structured logging.

Strategically, platforms built this way scale better. Onboarding shrinks from days/weeks of laptop setup to seconds; organizations running Coder report 4x faster onboarding and up to 90% reduction in VDI costs. Teams like Skydio have cut cloud compute costs by roughly 90% by right‑sizing workspaces and enforcing idle policies centrally. When AI coding agents become “just another workspace consumer” governed by the same RBAC and audit mechanisms, you don’t need a separate shadow stack to make AI safe.

Why It Matters:

  • Security and accreditation: Self-hosted control planes, centralized code storage, OIDC SSO, and auditable AI usage make it far easier to pass reviews for US/EU government and other regulated sectors.
  • Operational efficiency: Terraform-defined workspaces, fast self-service provisioning, and data staying inside your environment let platform teams standardize once and scale across clouds, clusters, and teams without trading away control.

Quick Recap

If you need self-hosted dev workspaces with OIDC SSO, SCIM, RBAC, and audit logs, focus on platforms that keep the control plane and data in your infrastructure, define workspaces as code, and emit detailed logs for both humans and AI agents. Coder stands out by combining Terraform-defined workspaces, self-hosted deployment (including air‑gapped), OIDC/SCIM/RBAC integration, and AI Bridge governance in one stack, while options like GitHub Codespaces, GitLab Remote Development, JetBrains Space, and DIY Kubernetes setups trade off control vs. integration and how much you have to build yourself.
