Multiple workspaces with SSO and SCIM

Configuring SCIM and SAML SSO to scale with multiple Zeplin workspaces

Written by Rian
Updated over a week ago

Using SAML and SCIM with only one workspace is very straightforward. Following our SSO Setup Guides will configure one Zeplin workspace that will use one IdP app for both authentication and user management.

โ˜๏ธ This feature is only available to teams on the Enterprise Plan.

When you have multiple workspaces, SAML and SCIM require a different configuration. SAML support for multiple workspaces is simply a matter of entering the same SAML configuration information into all of the workspace configurations in Zeplin. When you do this, any member of those workspaces will immediately be able to authenticate through your IdP, without any changes needed to the app configuration on the IdP.

SCIM integration with multiple workspaces, on the other hand, needs the IdP to have a unique app per workspace, so each of your workspaces can have its own list of members. Using the one SAML IdP app for SCIM on all your workspaces would only work for you if you want every workspace to have the same list of members.

For most enterprises with multiple workspaces, we recommend setting up your IdP and Zeplin workspaces in a slightly more advanced way, then following the SCIM setup per workspace as described in the SSO Setup Guides.

A Scalable Model for Multiple Workspace Configuration

Assuming the requirements are:

In Zeplin:

  • two (at least) workspaces, called workspaceOne and workspaceTwo

In the Enterprise:

  • An IdP - e.g. Okta, Azure - that handles the login process for your users

  • A SCIM client - often the same as the IdP, e.g. Okta - that handles user account management

  • A backend directory system - e.g. Microsoft Active Directory - that has groups that define which users belong in which workspace

Desired outcome:

  • Updating the backend group - including where a user is removed from the directory system altogether - triggers SCIM to handle Workspace membership on both workspaces

  • All users authenticate by SSO to the company IdP

  • Adding a third workspace would be trivial

Steps

Configure a single IdP app for all SAML, and one additional IdP app (technically, a SCIM client app) for each workspace, and tie them together with the directory system.

  1. Create a directory group to list the users who are members of workspaceOne (called, say, groupOne)

  2. Create a second directory group to list the users who are members of workspaceTwo (called, say, groupTwo)

  3. Create an app in your IdP to handle Zeplin SSO (the "SAML app"). Configure with a SAML configuration, but no SCIM

    1. IdP app membership is groupOne and groupTwo

    2. Configure the SAML section into both workspaceOne and workspaceTwo

  4. Create an app in your IdP as the SCIM Client for workspaceOne's membership

    1. IdP app membership is groupOne only

    2. Configure the SCIM section to integrate with this app in workspaceOne

  5. Create an app in your IdP as the SCIM Client for workspaceTwo's membership

    1. IdP app membership is groupTwo only.

    2. Configure the SCIM section to integrate with this app in workspaceTwo

In this way, all user management is initiated from the directory groups, all users will use the same IdP integration for authentication over SAML, and adding a workspace in the future will only require adding a new SCIM-client app to the IdP and assigning a new directory group to the new app and the SAML app.
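The model described in the steps above can be checked in code. The following is an added example, not Zeplin's or any IdP's code: the workspace and group names (workspaceOne, workspaceTwo, groupOne, groupTwo) come from this article, while the IdpConfig class, the helper functions and the sample directory data are constructed for illustration. It shows the two properties the steps are designed for: a leaver removed from the directory altogether is deprovisioned from every workspace by its own SCIM client app, and a third workspace is just a new group, a new SCIM app and one extra group assignment on the SAML app. validate_config catches the most common misconfiguration, a group that a SCIM app provisions but that is not assigned to the SAML app, which creates workspace members who cannot log in.

```python
"""Per-workspace SCIM layout: one SAML app assigned every workspace group,
plus one SCIM client app per workspace assigned a single directory group.
Added example, not Zeplin's or any IdP's code; all names and data are
illustrative."""
from dataclasses import dataclass


@dataclass
class IdpConfig:
    # backend directory: group name -> set of user e-mail addresses
    directory_groups: dict
    # the single "SAML app": directory groups assigned to it
    saml_app_groups: set
    # one SCIM client app per workspace: workspace -> the group assigned to that app
    scim_app_group: dict


def plan_scim_sync(cfg, current_members):
    """For each workspace, list the users its SCIM client app would provision
    and deprovision so that membership matches the assigned directory group.
    current_members: workspace -> set of e-mails currently in that workspace."""
    plan = {}
    for workspace, group in cfg.scim_app_group.items():
        desired = cfg.directory_groups.get(group, set())
        current = current_members.get(workspace, set())
        plan[workspace] = {
            "provision": sorted(desired - current),
            "deprovision": sorted(current - desired),
        }
    return plan


def validate_config(cfg):
    """Checks worth running before enabling SCIM in the client apps."""
    problems = []
    for workspace, group in cfg.scim_app_group.items():
        if group not in cfg.directory_groups:
            problems.append(f"{workspace}: SCIM app assigned to unknown group {group}")
        # a user provisioned by SCIM but not assigned to the SAML app exists in
        # the workspace yet cannot authenticate: the SAML app's groups must
        # cover every group used by a SCIM app
        elif group not in cfg.saml_app_groups:
            problems.append(f"{workspace}: group {group} is not assigned to the SAML app")
    # the migration steps replace the old "everyone" group with the per-workspace
    # groups; a leftover group grants SAML-only access outside SCIM management
    for group in cfg.saml_app_groups - set(cfg.scim_app_group.values()):
        problems.append(f"SAML app group {group} is not managed by any SCIM app")
    return problems


def remove_user_from_directory(cfg, email):
    """Leaver scenario: the user is removed from the directory altogether."""
    for members in cfg.directory_groups.values():
        members.discard(email)


def add_workspace(cfg, workspace, group, members):
    """Third workspace: new group, assigned to the SAML app, with its own SCIM app."""
    cfg.directory_groups[group] = set(members)
    cfg.saml_app_groups.add(group)
    cfg.scim_app_group[workspace] = group


def sample_config():
    # constructed sample directory data
    return IdpConfig(
        directory_groups={
            "groupOne": {"ada@example.com", "bob@example.com"},
            "groupTwo": {"bob@example.com", "cy@example.com"},
        },
        saml_app_groups={"groupOne", "groupTwo"},
        scim_app_group={"workspaceOne": "groupOne", "workspaceTwo": "groupTwo"},
    )


def demo():
    cfg = sample_config()
    # constructed current workspace membership before the next SCIM sync
    current = {"workspaceOne": {"ada@example.com", "bob@example.com"},
               "workspaceTwo": {"bob@example.com"}}
    before = plan_scim_sync(cfg, current)
    remove_user_from_directory(cfg, "bob@example.com")
    after = plan_scim_sync(cfg, current)  # bob is deprovisioned from both workspaces
    add_workspace(cfg, "workspaceThree", "groupThree", ["cy@example.com"])
    return before, after, validate_config(cfg)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it as a script to see the sync plan before and after the leaver is removed, followed by an empty problem list for the three-workspace configuration. Point validate_config at a config whose SAML app still has only the old "everyone" group to see the checks fire.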

Migrating an Existing Enterprise to Multiple SCIM Workspaces

The above steps are great if you are setting up multiple workspaces for SCIM from scratch. If you are adding SCIM, or looking to migrate your configuration to be more scalable, then Zeplin recommends the migration steps given here, to avoid any downtime or user impact.

Situation 1: One IdP app, one or more Zeplin workspaces (SAML only)

This is almost the same as the steps given above. Users will continue to use SAML/SSO to log on, but SCIM will be handled by new IdP apps. No user impact or outage.

  • The current IdP app will be the "SAML app".

  • Create a new IdP app as the SCIM Client app for each workspace, each with its own directory group.

  • Replace the current "everyone" directory group on the SAML app with each of the new directory groups

  • Edit each Zeplin workspace:

    • No changes needed to the SAML section

    • When ready to implement SCIM on a given workspace, configure the workspace's SCIM section to integrate to the appropriate SCIM Client IdP app and enable SCIM in the IdP SCIM Client app to populate the workspace.

Situation 2: One IdP app, one or more Zeplin workspaces with SCIM enabled

This will require removing SCIM from the current IdP app integration first. To avoid any user impact, the existing IdP app will be used for SAML only, so no configuration changes are required on IdP or on Zeplin for authentication.

  • Disable SCIM in the current IdP app on the IdP.

  • Create a new IdP app as a SCIM Client app for each workspace, each with its own directory group. Do not enable SCIM just yet!

  • Replace the current "everyone" directory group on the SAML app with each of the new directory groups

  • Edit each Zeplin workspace:

    • No changes needed to the SAML section

    • Change SCIM section to integrate to the individual SCIM Client IdP app

    • Enable SCIM in the IdP SCIM Client app to resume synchronisation in this workspace.

More help

If you need further help, please reach out to your account manager, or send an email to success@zeplin.io.
