authentik SCIM Provisioning
Available on: Enterprise EditionCloud>= 0.18.0
Sync Users and Groups from authentik to Kestra using SCIM.
Prerequisites
- authentik Account: An account with administrative privileges to configure SCIM provisioning.
- Enable multi-tenancy in Kestra: Tenants must be enabled in Kestra to support SCIM provisioning. You can enable tenants by setting the
kestra.ee.tenants.enabledconfiguration property totrue:
kestra:
ee:
tenants:
enabled: true
As of Kestra version 0.23, Tenants are enabled by default. Please refer to the Migration Guide to assist with upgrading.
Kestra SCIM Setup: Create a New Provisioning Integration
- In the Kestra UI, navigate to the
Administration→IAM→Provisioningpage. - Click on the
Createbutton in the top right corner of the page. - Fill in the following fields:
- Name: Enter a name for the provisioning integration.
- Description: Provide a brief description of the integration.
- Provisioning Type: Currently, only SCIM 2.0 is supported — leave the default selection and click
Save.
The above steps will generate a SCIM endpoint URL and a Secret Token that you will use to authenticate authentik with the SCIM integration in Kestra. Save those details, as they will be needed in the next steps.
The endpoint should look as follows:
https://your_kestra_host/api/v1/your_tenant/integrations/integration_id/scim/v2
The Secret Token will be a long string (approximately 200 characters) used to authenticate requests from authentik to Kestra.
Enable or Disable SCIM Integration
Note that you can disable or completely remove the SCIM Integration at any time. When an integration is disabled, all incoming requests to that integration endpoint will be rejected.
At first, you can disable the integration to configure your authentik SCIM integration, and then enable it once the configuration is complete.
IAM Role and Service Account
When creating a new Provisioning Integration, Kestra will automatically create two additional objects:
- Role
SCIMProvisionerwith the following permissions:GROUPS:CREATE,READUPDATE,DELETEUSERS:CREATE,READ,UPDATEBINDINGS:CREATE,READ,UPDATE,DELETE
- Service Account with an API Token which was previously displayed as a Secret Token for the integration:
Why the SCIMProvisioner role doesn't have the DELETE permission for USERS? This is because you cannot delete a user through our SCIM implementation. Users are global and SCIM provisioning is per tenant. When we receive a DELETE query for a user, we remove their tenant access but the user itself remains in the system.
authentik SCIM 2.0 Setup
Configuring SCIM 2.0 follows a process similar to SSO — you'll need to create a new Application. Then, in the second step, select SCIM as the Provider Type.
In the Protocol settings section, enter the URL and Secret Token obtained from Kestra.
If you are running authentik on a Mac machine with docker-compose installer, make sure to replace localhost in your Kestra's SCIM endpoint with host.docker.internal since otherwise the sync won't work. Your URL should look as follows: http://host.docker.internal:8080/api/v1/dev/integrations/zIRjRAMGvkammpeLVuyJl/scim/v2.
Test both SSO and SCIM by adding users and groups
First, create Users and Groups in the Directory settings.
Then assign your user(s) to an existing group.
You can set a password for each authentik user to allow them to log in directly to Kestra with their username/email and password.
Once groups and users are created, they should be visible in the Kestra UI under the IAM → Users and Groups sections. It’s best to log in as the default admin user and attach the desired Role to each group to ensure that the users have the necessary permissions.
Then, to verify access, log in as one of those new authentik users in a separate browser or incognito mode and verify that the user has the permissions you expect.
Additional Resources
Was this page helpful?