Manage your IdP group catalog
Seqera maintains a per-organization catalog of identity provider (IdP) groups. The catalog populates the IdP Group dropdown on the team form, so organization owners can select a group when delegating a team. The catalog is independent of user activity: groups appear as soon as they're synced or entered, before any user has signed in.
Use the table below to choose the path that fits your IdP.
| IdP | Recommended path | Setup guide |
|---|---|---|
| Okta | SCIM push | SCIM provisioning with Okta |
| Entra ID | SCIM push | SCIM provisioning with Entra ID |
| Google Workspace | Manual entry | Manual entry for Google Workspace |
| Keycloak | Manual entry | Manual entry for Keycloak |
| Other | SCIM push if your IdP supports SCIM 2.0 group provisioning; otherwise manual entry. | — |
SCIM push
If your IdP supports SCIM 2.0 group provisioning, Platform exposes a per-organization SCIM endpoint that the IdP can push to. Group create, rename, and delete events flow through automatically, and the catalog stays in sync without administrator intervention.
To set up SCIM:
- Open Organization settings and select Manage single sign-on, then Group mapping.
- Copy the SCIM endpoint URL and the generated bearer token.
- Configure these values in your IdP's SCIM provisioning settings.
- Trigger an initial sync from the IdP.
After the sync completes, the catalog displays every group your IdP shared, and the IdP Group dropdown on the team form is populated.
Treat the SCIM bearer token like a password. It grants write access to your organization's group catalog. If the token is compromised, rotate it immediately using Generate new token in the Group mapping panel. The previous token is revoked atomically.
Manual entry
If your IdP doesn't support SCIM group sync, populate the catalog by entering group identifiers manually. The value to enter depends on your IdP. See the per-IdP guides for the format and where to find it.
To add a group manually:
- Open Organization settings and select Manage single sign-on, then Group mapping.
- Select Add group manually.
- Enter the group identifier exactly as it appears in your IdP's `groups` claim. The form links to per-IdP guidance.
- Select Save.
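A pre-flight check for manual entries, as an added example (not Seqera's code): it decodes the payload of an ID token you already hold and compares its groups claim with the identifiers you plan to enter, flagging entries that differ only by case or surrounding whitespace. It assumes the claim is named `groups` and carries a list of strings; the function names and sample values are constructed for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_catalog(entries: list, token: str, claim: str = "groups") -> dict:
    """Compare planned catalog identifiers with the token's groups claim."""
    value = jwt_claims(token).get(claim, [])
    claimed = [value] if isinstance(value, str) else list(value)
    exact = set(claimed)
    folded = {g.strip().casefold(): g for g in claimed}
    report = {"match": [], "near_miss": {}, "absent": []}
    for entry in entries:
        key = entry.strip().casefold()
        if entry in exact:
            report["match"].append(entry)
        elif key in folded:
            # Differs only by case or whitespace, so it is not an exact match.
            report["near_miss"][entry] = folded[key]
        else:
            report["absent"].append(entry)
    return report


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample data, not taken from any real IdP or organization.
SAMPLE_TOKEN = make_sample_token(
    {"sub": "user-1", "groups": ["/Genomics/Analysts", "platform-admins"]}
)
SAMPLE_ENTRIES = ["/Genomics/Analysts", "Platform-Admins ", "data-eng"]

if __name__ == "__main__":
    print(json.dumps(check_catalog(SAMPLE_ENTRIES, SAMPLE_TOKEN), indent=2))
```

An entry reported as `absent` is not necessarily wrong: a token lists only the groups of the user it was issued to, so check against a token from a known member of that group.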
To delete a manually-entered group, select Delete on its row. If any delegated team references the group, its members are immediately purged and a warning indicates that the team has lost its source of membership.
A manually-entered group is automatically promoted to SCIM-managed if your IdP later pushes the same group via SCIM. The promotion happens in place, the catalog row is reused, and any delegated teams that reference it continue to work without interruption. After promotion, the row's lifecycle is fully driven by SCIM, and the manual Delete action is no longer available; the row is removed when your IdP issues a SCIM DELETE.
What happens when a catalog entry is removed
When a group is removed from the catalog by SCIM DELETE, manual deletion, or IdP-side rename detection, Platform does the following synchronously:
- The catalog row is removed.
- Every delegated team that referenced the group has its delegation-driven members purged. The team's other settings (name, workspace assignments, role) are preserved.
- An orphaned-team warning appears in the Group mapping panel, listing the affected teams. To restore the team's membership, set its IdP Group field to a different group, or clear the field to convert the team back to manual management.