Using SAML and SCIM with a single workspace is straightforward: following our SSO Setup Guides configures one workspace against one IdP app that handles both authentication (SAML) and user management (SCIM).

Adding SAML login to a second workspace is simply a matter of entering the same SAML configuration into that workspace's settings in Zeplin; members of either workspace then authenticate through your IdP. The second workspace can have slightly different rules, such as re-authentication periods, but no change is needed to the app configuration on the IdP. Where the rules differ for a user who belongs to both workspaces, Zeplin enforces the stricter ones.

Usually, different workspaces have different memberships. Because SCIM must update each workspace's membership independently, you need a separate SCIM integration per workspace on the IdP, while keeping a single SAML integration shared by both.

A Scalable Model for Configuration

Assuming the requirements are:

In Zeplin:

  • two Workspaces, called workspaceOne and workspaceTwo

Company:

  • One IdP - e.g. Okta, Azure - that handles the login process for your users

  • One SCIM client - e.g. Okta - that handles user account management

  • A backend directory system - e.g. Microsoft Active Directory - that has groups that define which users belong in which Workspace

Desired outcome:

  • Updating the backend group - including where a user is removed from the system altogether - triggers SCIM to handle Workspace membership on both workspaces

  • All users authenticate by SSO to the company IdP

  • Adding a third workspace would be trivial

Steps

  1. Create a directory group with membership of users for workspaceOne (groupOne)

  2. Create a directory group with membership of users for workspaceTwo (groupTwo)

  3. Create an App in your IdP to handle Zeplin SSO. Configure it for SAML only, with no SCIM

    1. SAML configuration copied into both Zeplin workspaces, workspaceOne and workspaceTwo

    2. IdP app membership is groupOne and groupTwo

  4. Create an App in your IdP for workspaceOne membership

    1. SCIM configuration integration with workspaceOne

    2. IdP app membership is groupOne only.

  5. Create an App in your IdP for workspaceTwo membership

    1. SCIM configuration integration with workspaceTwo

    2. IdP app membership is groupTwo only.
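The steps above amount to a small reconciliation loop: each SCIM app diffs its one directory group against the workspace it owns, while the shared SSO app decides who can log in at all. The following Python model is an added example and is not Zeplin's or any IdP's code; the user names, group names and the `LAYOUT` dictionary are constructed for illustration, and the "provision"/"deprovision" actions stand in for the SCIM user-create and deactivate calls a real client would send. It walks through an initial sync, a user moving between groups, and a user being removed from the directory altogether, and it includes the check a practitioner wants when adding a third workspace: a group assigned to a new SCIM app but not to the SSO app yields users who are provisioned but cannot authenticate.

```python
from copy import deepcopy

# Hypothetical IdP layout from the steps above: one SAML app assigned
# groupOne + groupTwo, and one SCIM app per workspace fed by one group.
LAYOUT = {
    "sso_groups": {"groupOne", "groupTwo"},
    "scim_apps": {"workspaceOne": "groupOne", "workspaceTwo": "groupTwo"},
}


def members(directory, group):
    """Active directory accounts in a group (a deleted account is in no group)."""
    return directory["groups"].get(group, set()) & directory["users"]


def desired_membership(directory, layout=LAYOUT):
    """Workspace -> users its SCIM app should have provisioned."""
    return {ws: members(directory, g) for ws, g in layout["scim_apps"].items()}


def scim_actions(provisioned, directory, layout=LAYOUT):
    """Diff current workspace membership against the directory.

    Returns workspace -> sorted list of ("provision"|"deprovision", user).
    A real SCIM client would send a user-create for the former and a
    deactivate (active=false) or delete for the latter.
    """
    actions = {}
    for ws, want in desired_membership(directory, layout).items():
        have = provisioned.get(ws, set())
        actions[ws] = sorted(
            [("provision", u) for u in want - have]
            + [("deprovision", u) for u in have - want]
        )
    return actions


def apply_actions(provisioned, actions):
    """Apply a diff, returning the new workspace membership."""
    new = deepcopy(provisioned)
    for ws, steps in actions.items():
        new.setdefault(ws, set())
        for action, user in steps:
            if action == "provision":
                new[ws].add(user)
            else:
                new[ws].discard(user)
    return new


def unauthenticatable(directory, layout=LAYOUT):
    """Users a SCIM app would provision who are not assigned to the SSO app.

    Such users exist in a workspace but have no way to log in. Run this
    whenever a workspace or group is added and the SSO app may be stale.
    """
    sso_users = set()
    for g in layout["sso_groups"]:
        sso_users |= members(directory, g)
    return {
        ws: sorted(users - sso_users)
        for ws, users in desired_membership(directory, layout).items()
        if users - sso_users
    }


def scenario():
    """Walk the directory through three changes and collect each SCIM diff."""
    # Constructed directory: bob is in both groups, alice and carol in one each.
    directory = {
        "users": {"alice", "bob", "carol"},
        "groups": {"groupOne": {"alice", "bob"}, "groupTwo": {"bob", "carol"}},
    }
    provisioned = {}
    log = {}

    # 1. Initial sync: each app provisions only its own group.
    log["initial"] = scim_actions(provisioned, directory)
    provisioned = apply_actions(provisioned, log["initial"])

    # 2. alice moves from groupOne to groupTwo: one deprovision, one provision.
    directory["groups"]["groupOne"].discard("alice")
    directory["groups"]["groupTwo"].add("alice")
    log["move_alice"] = scim_actions(provisioned, directory)
    provisioned = apply_actions(provisioned, log["move_alice"])

    # 3. bob leaves the company: removed from the directory altogether, so
    #    both SCIM apps deprovision him without any group being edited.
    directory["users"].discard("bob")
    log["remove_bob"] = scim_actions(provisioned, directory)
    provisioned = apply_actions(provisioned, log["remove_bob"])

    log["final"] = {ws: sorted(u) for ws, u in provisioned.items()}
    return log


def third_workspace_check():
    """Add workspaceThree's SCIM app but forget the SSO app assignment."""
    directory = {"users": {"dave"}, "groups": {"groupThree": {"dave"}}}
    layout = deepcopy(LAYOUT)
    layout["scim_apps"]["workspaceThree"] = "groupThree"  # SCIM app added...
    forgotten = unauthenticatable(directory, layout)      # ...SSO app not updated
    layout["sso_groups"].add("groupThree")                # assign group to SSO app
    fixed = unauthenticatable(directory, layout)
    return forgotten, fixed
```

The model deliberately keys the directory on the set of active users rather than on group edits alone: that is what makes "user removed from the system altogether" deprovision from every workspace in one sync, which is the desired outcome listed above.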

In this way, all user management is driven from the directory groups, every user logs in through the same IdP integration, and adding a workspace in the future only requires copying the SAML configuration into the new workspace, creating one new SCIM app for it on the IdP, and assigning its directory group both to that SCIM app and to the existing SSO app.
