Migrate from manual user management to SCIM
Migrating from manual user management to SCIM (System for Cross-domain Identity Management) lets your identity provider (IdP) automatically provision, update, and deprovision Harness users. This guide walks you through the migration for Okta and Azure AD (Entra ID) without disrupting existing user access.
Overview
SCIM automates user lifecycle management in Harness. Instead of manually adding and removing users, your IdP pushes changes to Harness automatically. This is especially valuable when you:
- Have a growing team and need to scale user onboarding.
- Want to enforce consistent access policies across tools.
- Need to ensure offboarded employees lose Harness access immediately.
- Are required to meet compliance standards for user provisioning.
Before you begin
Make sure you have the following before starting the migration:
- Harness Account Admin access to configure SCIM tokens and manage users.
- IdP admin access (Okta or Azure AD) to configure SCIM applications and assign users.
- A list of existing Harness users and their email addresses. Export this from Harness under Account Settings > Access Control > Users.
- Identify which Harness user groups map to IdP groups. Document the mapping before you start.
- Confirm that user email addresses in your IdP match the email addresses in Harness exactly. Mismatches cause duplicate accounts.
Back up your current user and group assignments before starting. Screenshot or export the current role bindings and group memberships so you can verify nothing is lost after migration.
Migration steps for Okta
Step 1: Create the SCIM application in Okta
- In the Okta Admin Console, go to Applications > Applications and search for Harness in the catalog.
- Add the Harness SCIM application.
- In the Harness app settings, go to the Provisioning tab and select Configure API Integration.
- Generate a SCIM token in Harness under Account Settings > Access Control > API Keys > + API Key > SCIM. Copy the token.
- Paste the SCIM token into Okta and test the connection.
- Enable the provisioning features you need: Create Users, Update User Attributes, and Deactivate Users.
Step 2: Assign existing users to the Okta app
- In Okta, go to the Harness application's Assignments tab.
- Assign the users (or groups) that already exist in Harness. Make sure email addresses match exactly.
- When you assign users that already exist in Harness, Okta "takes over" management of those users via SCIM without recreating them.
Step 3: Push groups (optional)
- Go to the Push Groups tab in the Okta Harness application.
- Select Push Groups and choose the IdP groups to push to Harness.
- If a Harness user group with the same name already exists, Okta links to it rather than creating a duplicate.
Step 4: Verify user access
- In Harness, go to Account Settings > Access Control > Users and confirm that migrated users show the SCIM provisioning source.
- Have a few users log in to verify their access and role assignments are intact.
- Check that group memberships in Harness match the expected IdP group mappings.
Go to Provision users with Okta SCIM for detailed Okta SCIM setup instructions.
Migration steps for Azure AD (Entra ID)
Step 1: Register the SCIM enterprise application
- In the Azure portal, go to Enterprise applications > New application and search for Harness in the gallery.
- Add the Harness application and navigate to Provisioning.
- Set the provisioning mode to Automatic.
- Generate a SCIM token in Harness under Account Settings > Access Control > API Keys > + API Key > SCIM. Copy the token.
- Enter the Harness SCIM endpoint URL and the token in the Admin Credentials section. Test the connection.
Step 2: Configure attribute mappings
- In the Provisioning > Mappings section, review the default attribute mappings for users and groups.
- Ensure that
emails[type eq "work"].valuemaps to the Harness user email field. This is critical for matching existing users.
Step 3: Assign users and groups
- Go to Users and groups in the Harness enterprise application.
- Assign the users and groups that already exist in Harness. Azure AD matches users by email address during the first provisioning cycle.
- Start the provisioning cycle. Azure AD detects existing users by email and links them rather than creating duplicates.
Step 4: Verify user access
- Monitor the provisioning logs in Azure AD under Provisioning > Provisioning logs for any errors.
- In Harness, confirm that users show the SCIM provisioning source.
- Verify group memberships and role assignments are intact.
Go to Provision users and groups using Azure AD SCIM for detailed Azure AD SCIM setup instructions.
Verify the migration
After completing the migration steps, verify everything is working correctly:
- User count check: Compare the number of active users in Harness with your pre-migration list. No users should be missing.
- Provisioning source: In the Harness Users list, SCIM-managed users display the IdP as their provisioning source.
- Login test: Have representative users from different groups log in and confirm they see the correct projects and resources.
- Group membership: Verify that Harness user groups match the IdP group assignments.
- Role bindings: Confirm that role assignments on resource groups are still intact. SCIM manages users and group membership, not Harness role bindings. Your existing role bindings should be unaffected.
SCIM manages user and group membership only. Role bindings and resource group assignments in Harness are not affected by SCIM provisioning. You still manage roles and permissions in Harness.
Troubleshooting
Duplicate users after migration
If you see duplicate users, the email address in the IdP does not exactly match the email in Harness. To fix this:
- Delete the duplicate user in Harness (the one without existing role bindings).
- Correct the email address in the IdP to match the original Harness user.
- Re-trigger provisioning from the IdP.
Users lost access after migration
If users report losing access:
- Check that the user is still assigned to the Harness application in the IdP.
- Verify that the user's group membership in the IdP maps to the correct Harness user group.
- Confirm that the Harness user group still has the expected role bindings.
Group mapping conflicts
If an IdP group push creates a new Harness user group instead of linking to an existing one:
- The group names may not match exactly (including case sensitivity).
- Delete the newly created group in Harness.
- Rename the IdP group to match the existing Harness group name exactly, then re-push.
SCIM token expiration
SCIM tokens in Harness have an expiration date. If provisioning stops working:
- Generate a new SCIM token in Harness.
- Update the token in your IdP's SCIM application settings.
- Test the connection to confirm it is working.