Configure user provisioning with SAML SSO


You can use user provisioning and deprovisioning alongside SAML to provision and deprovision users instantly.

Who can use this feature

Users on Professional plans and above.

Overview

After setting up SAML SSO in Tulip, you may also want to provision and de-provision users in real time via the SCIM API. You can set up this behavior after finishing your SAML SSO setup.

Technical requirements

Head to the SCIM tab under the SAML settings page.


There, you will see the following fields related to the Tulip application:

  • Tenant URL
  • API Key/Secret (Bearer token authentication)

You will need to add these to the metadata about the Tulip application as a "service provider" within your IdP.

Supported features

Tulip supports the following real-time updates via the SCIM API:

  • User creation
  • Updates to user's name
  • User deletion / de-provisioning

User creation

Within your IdP, you control which users have access to the Tulip application.

Once Tulip is registered as a Service Provider, your IdP will use the SCIM API to provision all users who need access to Tulip. Those users will be created automatically in Tulip with no access to any part of the platform.

After you set up SAML in Tulip, when a user logs in with SAML for the first time, they will be assigned a workspace and role based on your SAML configuration.

Then, when a new user is added to your IdP who should have access to Tulip, they will be immediately provisioned in Tulip with no access to any part of the platform.

Updates to user name

When a user's name is updated in your IdP, or if you modify the order of family name and given name in Tulip's SCIM settings, user names will update in real-time in the Tulip platform.

User deletion / deactivation

The SCIM API uses the term "delete" for de-provisioning users, but users in Tulip can only be deactivated, not deleted. Tulip expects the "delete user" endpoint to be used only when de-provisioning a user.

When the "delete user" endpoint is used for a given user, they will be immediately deactivated in Tulip.
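To make the three supported operations above concrete, here is an added toy model of the service-provider side, written for this page and not Tulip's own code: it checks the Bearer token from the SCIM tab, creates users with no workspace or role, applies name updates in the configured family/given name order, and turns a SCIM "delete" into a deactivation. The secret, the use of userName as the SCIM resource id, and the request bodies are constructed examples.

```python
import hmac
from dataclasses import dataclass

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
API_SECRET = "constructed-example-secret"  # stands in for the API Key/Secret on the SCIM tab

@dataclass
class User:
    user_name: str
    given_name: str
    family_name: str
    active: bool = True
    workspace: str = None  # stays unset until the first SAML login assigns workspace and role

class ScimServiceProvider:
    """Toy service-provider model of the behaviour described on this page (not Tulip's code)."""
    def __init__(self, secret: str, family_name_first: bool = False):
        self.secret, self.family_name_first, self.users = secret, family_name_first, {}
    def _authorized(self, headers: dict) -> bool:
        auth = headers.get("Authorization", "")
        # Bearer token sent by the IdP, compared in constant time against the configured secret.
        return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:].encode(), self.secret.encode())
    def display_name(self, user: User) -> str:
        # Honours the family/given name order setting described under "Updates to user name".
        order = (user.family_name, user.given_name) if self.family_name_first else (user.given_name, user.family_name)
        return " ".join(order)
    def _resource(self, user: User) -> dict:
        return {"schemas": [SCIM_USER], "id": user.user_name, "userName": user.user_name,
                "displayName": self.display_name(user), "active": user.active}
    def handle(self, method: str, path: str, headers: dict, body: dict = None) -> tuple:
        if not self._authorized(headers):
            return 401, {"status": "401", "detail": "invalid bearer token"}
        parts = path.strip("/").split("/")  # ["Users"] or ["Users", "<id>"]; id == userName here for brevity
        if method == "POST" and parts == ["Users"]:
            name = (body or {}).get("name", {})
            user = User(body["userName"], name.get("givenName", ""), name.get("familyName", ""))
            self.users[user.user_name] = user  # provisioned with no workspace or role
            return 201, self._resource(user)
        user = self.users.get(parts[1]) if parts[:1] == ["Users"] and len(parts) == 2 else None
        if user is None:
            return 404, {"status": "404"}
        if method == "PUT":  # name change pushed by the IdP
            name = (body or {}).get("name", {})
            user.given_name = name.get("givenName", user.given_name)
            user.family_name = name.get("familyName", user.family_name)
            return 200, self._resource(user)
        if method == "DELETE":  # SCIM "delete" maps to deactivation; the record is kept
            user.active = False
            return 204, {}
        return 405, {"status": "405"}
```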