Bigger picture - SCIM between Entra ID and Zitadel
Hi - thank you for working on Zitadel, it's awesome to see all the things being added all the time.
We have some customers that would love to use Entra ID to let their end users sign in to our products.
The idea is to create:
1. a Zitadel organization per customer we have a relationship with (managed by humans).
2. customer sets up creation of users in their Zitadel organisation using SCIM updates from Entra ID - we manually give them an API token with sufficient permissions.
3. we are currently planning to add a bit of custom code that ensures each user in the organization gets the intended roles they have paid for, but it is a cumbersome process.
4. end-user SSO experience:
* click SSO login in our product
* forward the user browser to Zitadel
* There the user clicks the Microsoft button to use Entra ID for login - perform login in Entra ID
* once they return to Zitadel, their paid roles are automatically assigned and they return to the product, their paid roles included in their access token.
On the surface this seems like a feasible and maintainable flow to me. Are there simpler alternatives we're missing?
Especially the adding of roles to the SCIM created users is cumbersome. What is the best practice method to add roles to users created via SCIM?
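One way to make step 3 less cumbersome and safer is to treat it as a reconciliation job that only ever grants roles the customer has paid for and revokes anything else. The block below is an added illustration, not code from Zitadel or from this post; it assumes that SCIM delivers Entra group names on each user, that each customer org maps groups to role keys in a single Zitadel project, and that the v1 management API paths for adding, updating and removing user grants are as shown (treat them as assumptions to verify against your Zitadel version). The sample users are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

@dataclass(frozen=True)
class User:
    user_id: str
    groups: FrozenSet[str]   # Entra group names delivered through SCIM
    grant_id: str            # existing Zitadel user-grant id in the project, "" if none
    roles: FrozenSet[str]    # role keys currently on that grant

def desired_roles(user: User, group_roles: Dict[str, Iterable[str]],
                  paid_roles: FrozenSet[str]) -> FrozenSet[str]:
    """Roles the user's groups map to, capped to what the customer pays for.
    Unpaid roles are dropped, so a stray Entra group cannot grant extra access."""
    wanted = set()
    for group in user.groups:
        wanted.update(group_roles.get(group, ()))
    return frozenset(wanted) & paid_roles

def plan_changes(users: Iterable[User], group_roles: Dict[str, Iterable[str]],
                 paid_roles: FrozenSet[str]) -> List[Tuple[str, str, List[str]]]:
    """(action, user_id, roles) tuples: 'add' creates a grant, 'update' replaces
    its role keys, 'remove' deletes a grant whose desired role set is empty."""
    changes = []
    for u in users:
        want = desired_roles(u, group_roles, paid_roles)
        if want == u.roles:
            continue                      # already correct, including "no grant, no roles"
        if not u.grant_id:
            changes.append(("add", u.user_id, sorted(want)))
        elif want:
            changes.append(("update", u.user_id, sorted(want)))
        else:
            changes.append(("remove", u.user_id, []))
    return changes

def apply_changes(changes, users_by_id: Dict[str, User], project_id: str,
                  org_id: str, request: Callable) -> None:
    """Issue the management API calls. `request(method, path, headers, body)` is
    injected so the logic runs offline; the paths are ASSUMED v1 endpoints
    (AddUserGrant / UpdateUserGrant / RemoveUserGrant), scoped by x-zitadel-orgid."""
    headers = {"x-zitadel-orgid": org_id}
    for action, uid, roles in changes:
        base = f"/management/v1/users/{uid}/grants"
        gid = users_by_id[uid].grant_id
        if action == "add":
            request("POST", base, headers, {"projectId": project_id, "roleKeys": roles})
        elif action == "update":
            request("PUT", f"{base}/{gid}", headers, {"roleKeys": roles})
        else:
            request("DELETE", f"{base}/{gid}", headers, None)
```

Run the planner on a dry-run first and log the change list; the revoke branch is what keeps a user who left a paid group from retaining the role in their access token.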
