SCIM & Organization-Key Scoped API Routes
Via organization-scoped API keys, you can administer projects, users, and project/organization memberships (see the RBAC docs: https://docs.abv.dev/role-based-access-controls-in-abv). You can use these endpoints to automate project and user management in your ABV organization.

This documentation covers organization management APIs and SCIM-compliant user provisioning endpoints, and includes a comprehensive guide for setting up Okta authentication and user provisioning with ABV.

Authentication

Authenticate with the API using Basic Auth (https://en.wikipedia.org/wiki/Basic_access_authentication). Organization-scoped API keys can be created via the Organization Management API or in the organization settings within the ABV UI.

Example:

    curl -u public-key:api-key https://app.abv.dev/api/public/projects/{projectid}/apikeys

Organization Management

All applicable endpoints are marked with "(requires organization-scoped API key)". Those include the following routes:

- POST /api/public/projects
- PUT /api/public/projects/{projectid}
- DELETE /api/public/projects/{projectid}
- GET /api/public/projects/{projectid}/apikeys
- POST /api/public/projects/{projectid}/apikeys
- DELETE /api/public/projects/{projectid}/apikeys/{apikeyid}
- PUT /api/public/organizations/memberships
- GET /api/public/organizations/memberships
- PUT /api/public/projects/{projectid}/memberships
- DELETE /api/public/projects/{projectid}/memberships

User Management via SCIM

In addition, we implement the following SCIM-compliant (https://datatracker.ietf.org/doc/html/rfc7642) endpoints. Use /api/public/scim as the base URI for them.

To create a new user within ABV, you can use the SCIM-style endpoints and POST /Users. This will create a new user if the email does not exist yet. Then it will add the user to the organization with role none. Afterward, the role can be updated using the membership endpoints, either on an organization or a project level (see above). To remove a user from an organization, call the DELETE /Users/{id} endpoint. This will not delete the user itself, only its membership with the organization.

You can either supply an initial password for users via the API and share it with them, or use single sign-on (SSO) to authenticate users. In the latter case, you need to configure an enterprise SSO provider (see the docs).

The following SCIM endpoints are available:

- GET /ServiceProviderConfig
- GET /ResourceTypes
- GET /Schemas
- GET /Users
- POST /Users
- GET /Users/{id}
- DELETE /Users/{id}

Okta Setup Guide

This guide covers how to set up Okta authentication and user provisioning for ABV. Authentication and provisioning are two separate steps in Okta. Follow the one that is applicable to your use case.

Authentication

For authentication, ABV supports the OpenID Connect (OIDC) protocol (https://openid.net/connect/). This allows you to use Okta as an identity provider for ABV. To set up Okta authentication, follow these steps:

1. Create an Okta application
   - Log in to your Okta Admin Console.
   - Navigate to Applications > Create App Integration.
   - Choose "OIDC - OpenID Connect" as the sign-in method and click Next.
   - Choose "Web Application" as the application type and click Next.
   - Fill in the application settings (use one of the ABV domains):
     - App name: ABV
     - Login redirect URIs: https://your-abv-domain.dev/api/auth/callback/okta
     - Logout redirect URIs: https://your-abv-domain.dev/
   - Click Save.
2. Set up ABV
   - Please reach out to the ABV support team at support@abv.dev to configure Okta SSO.
   - Once the SSO is configured, you can type in your email on the sign-in page and are automatically redirected to Okta.
3. Test the integration
   - Assign users to your Okta application and test the login flow.
   - For any issues, please contact support.

User Provisioning

For user provisioning, ABV supports the SCIM 2.0 protocol. To set up user provisioning in Okta, follow these steps:

1. Create a SAML/SCIM application
   - Log in to your Okta Admin Console.
   - Navigate to Applications > Create App Integration.
   - Choose "SAML 2.0" as the sign-in method and click Next.
   - Fill in the application settings (use one of the ABV domains):
     - App name: ABV SCIM
     - Single sign-on URL: https://your-abv-domain.dev/api/auth/callback/okta
     - Audience URI: abv
   - Click Next and then Finish.
2. Configure SCIM settings
   - In the General tab, set Provisioning to SCIM.
   - In the Provisioning tab, edit your SCIM connection.
   - Enter your credentials:
     - SCIM connector base URL: https://your-abv-domain.dev/api/public/scim
     - Unique identifier field for users: userName
     - Supported provisioning actions: Import New Users and Profile Updates, Push New Users, Push Profile Updates
     - Basic Auth username: use a public key from your organization settings
     - Basic Auth password: use a private key from your organization settings
   - Test the API credentials and press Save.
3. Configure provisioning
   - In the Provisioning tab, enable the following options:
     - Create Users
     - Update User Attributes
     - Deactivate Users
   - Click Save.
4. Add default user permissions (optional)
   - In the Provisioning tab, go to the Profile Editor and add a new roles attribute:
     - Data type: string array
     - Display name: ABV Roles
     - Variable name: roles
     - External name: roles
     - External namespace: urn:ietf:params:scim:schemas:core:2.0:User
     - Attribute members: none, viewer, member, admin
     - Attribute type: Personal
   - In the Provisioning tab, modify the roles attribute to set default permissions for new users. You can set it for all users of the application to provide a default. Set it to "none", "viewer", "member", or "admin".
5. Assign users
   - Navigate to the Assignments tab.
   - Click Assign > Assign to People.
   - Select the users you want to assign to the ABV SCIM application. You can overwrite the role here.
   - Click Done and then Save.
   - Users should appear as members within your ABV organization.
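
The SCIM section above notes that DELETE /Users/{id} removes only the organization membership, so offboarding depends on someone actually calling it. The following added example (not ABV's own code) reconciles a GET /Users result against an identity-provider roster and builds the DELETE requests for accounts that should no longer be members. It assumes the response uses the standard RFC 7644 ListResponse shape; the sample users, roster and credentials are constructed placeholders, and no request is sent.

```python
import base64
import json
import urllib.request

# Host taken from the page's curl example; /api/public/scim is the documented base URI.
SCIM_BASE = "https://app.abv.dev/api/public/scim"

def basic_auth_header(public_key, secret_key):
    """Basic auth header: base64 of "public:secret", as every route on the page expects."""
    token = base64.b64encode(f"{public_key}:{secret_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def scim_request(method, path, headers):
    """Build (but do not send) a request against the SCIM base URI."""
    return urllib.request.Request(SCIM_BASE + path, headers=headers, method=method)

def stale_members(list_response, idp_roster):
    """Users still in the organization whose userName is not on the IdP roster."""
    roster = {email.lower() for email in idp_roster}
    return [(u["id"], u["userName"])
            for u in list_response.get("Resources", [])
            if u["userName"].lower() not in roster]

# Constructed sample: a GET /Users body in RFC 7644 ListResponse form (assumed shape).
SAMPLE_LIST = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"id": "u-1", "userName": "alice@example.com"},
    {"id": "u-2", "userName": "Bob@example.com"},
    {"id": "u-3", "userName": "former.employee@example.com"}
  ]
}""")
SAMPLE_ROSTER = ["alice@example.com", "bob@example.com"]  # constructed IdP export

def plan_deprovisioning(list_response, idp_roster, headers):
    """One DELETE /Users/{id} request per stale member (removes membership only)."""
    return [scim_request("DELETE", f"/Users/{uid}", headers)
            for uid, _ in stale_members(list_response, idp_roster)]

if __name__ == "__main__":
    hdrs = basic_auth_header("public-key", "api-key")  # placeholder credentials
    for req in plan_deprovisioning(SAMPLE_LIST, SAMPLE_ROSTER, hdrs):
        print(req.get_method(), req.full_url)
```

Review the planned requests before sending them: an organization-scoped key can remove any member, so the roster used for comparison must be complete.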