Using SAML and SCIM with only one workspace is very straightforward. Following our SSO Setup Guides configures one workspace against one IdP app that handles both authentication and user management.
Integrating the SAML login into a second workspace is simply a matter of entering the same SAML configuration information into that workspace's configuration in Zeplin. Any member of either workspace will immediately authenticate through your IdP. The second workspace can have slightly different rules, such as re-authentication periods, but no changes are needed to the app configuration on the IdP. When the rules differ for a particular user, Zeplin automatically enforces the stricter ones.
Usually, different Workspaces will have different memberships. Since SCIM must update each workspace independently, the IdP needs a separate SCIM integration per workspace while still keeping a single SAML integration.
A Scalable Model for Configuration
Assuming the requirements are:
- Two Workspaces, called workspaceOne and workspaceTwo
- One IdP (e.g. Okta, Azure) that handles the login process for your users
- One SCIM client (e.g. Okta) that handles user account management
- A backend directory system (e.g. Microsoft Active Directory) with groups that define which users belong in which Workspace
- Updating a backend group, including when a user is removed from the system altogether, triggers SCIM to handle Workspace membership on both workspaces
- All users authenticate by SSO to the company IdP
- Adding a third workspace would be trivial
1. Create a directory group containing the users for workspaceOne (groupOne).
2. Create a directory group containing the users for workspaceTwo (groupTwo).
3. Create an App in your IdP to handle Zeplin SSO. Configure it with SAML only, no SCIM.
   - Copy the SAML configuration into both Zeplin workspaces, workspaceOne and workspaceTwo.
   - IdP app membership is groupOne and groupTwo.
4. Create an App in your IdP for workspaceOne membership.
   - Configure a SCIM integration with workspaceOne.
   - IdP app membership is groupOne only.
5. Create an App in your IdP for workspaceTwo membership.
   - Configure a SCIM integration with workspaceTwo.
   - IdP app membership is groupTwo only.
In this way, all user management is initiated from the directory groups, all users use the same IdP integration, and adding a workspace in the future only requires adding a new SCIM app to the IdP, assigning the appropriate directory group to it and to the SSO app, and configuring SCIM for the new workspace.
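The following is an added example (not Zeplin's code, and not any IdP's API) that models the layout above: one SAML app whose membership is the union of the directory groups, one SCIM app per workspace fed by exactly one group, and a reconciliation step that shows which per-workspace SCIM actions a directory change produces. It also models the "stricter rule wins" behaviour for a user in both workspaces. Group names, users, policy values and the generic action names `provision`/`deprovision` are all constructed for the example.

```python
"""Model of the one-SAML-app, one-SCIM-app-per-workspace layout (illustrative only)."""

# Constructed sample directory: group name -> set of user ids.
DIRECTORY_GROUPS = {
    "groupOne": {"alice", "bob", "carol"},
    "groupTwo": {"bob", "dave"},
}

# Each SCIM app provisions exactly one workspace from exactly one directory group
# (hypothetical mapping; the real assignment lives in the IdP app settings).
SCIM_APPS = {
    "workspaceOne": "groupOne",
    "workspaceTwo": "groupTwo",
}

# Constructed per-workspace re-authentication windows, in hours.
REAUTH_HOURS = {"workspaceOne": 24, "workspaceTwo": 8}


def sso_app_members(groups, scim_apps):
    """The single SAML app is assigned every group that feeds any workspace,
    so its membership is the union of those groups."""
    return set().union(*(groups.get(g, set()) for g in scim_apps.values()))


def plan_scim_changes(groups, scim_apps, current_members):
    """Per-workspace SCIM actions needed to bring workspace membership in line
    with the directory group that feeds it. 'provision' / 'deprovision' are
    generic labels for the SCIM create/deactivate that the IdP would send."""
    plan = {}
    for workspace, group in scim_apps.items():
        desired = groups.get(group, set())
        current = current_members.get(workspace, set())
        plan[workspace] = {
            "provision": sorted(desired - current),
            "deprovision": sorted(current - desired),
        }
    return plan


def remove_user_from_directory(groups, user):
    """Removing a user from the directory altogether drops them from every
    group, which in turn deprovisions them from every workspace they were in."""
    return {name: members - {user} for name, members in groups.items()}


def effective_reauth_hours(user, policies, memberships):
    """Zeplin enforces the stricter rule when a user is in several workspaces:
    the shortest re-authentication window applies. None if not a member anywhere."""
    windows = [policies[ws] for ws, members in memberships.items() if user in members]
    return min(windows) if windows else None


if __name__ == "__main__":
    # Workspaces already in sync with the directory.
    synced = {ws: set(DIRECTORY_GROUPS[g]) for ws, g in SCIM_APPS.items()}
    print("SAML app members:", sorted(sso_app_members(DIRECTORY_GROUPS, SCIM_APPS)))
    # Bob leaves the company: one directory change, SCIM acts on both workspaces.
    after = remove_user_from_directory(DIRECTORY_GROUPS, "bob")
    print("SCIM plan after removing bob:", plan_scim_changes(after, SCIM_APPS, synced))
    print("bob's effective re-auth window:", effective_reauth_hours("bob", REAUTH_HOURS, synced))
```

Adding a third workspace is one more entry in `SCIM_APPS` pointing at a new group; `sso_app_members` then includes that group in the SAML app automatically, which mirrors the "assign the new group to the SSO app and the new SCIM app" step above.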