> ## Documentation Index
> Fetch the complete documentation index at: https://sentrydocs.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# SSO & SCIM

> Configure single sign-on and automated user provisioning

Single Sign-On (SSO) lets your team authenticate to Sentry using your existing identity provider instead of managing separate passwords. SCIM extends SSO by automatically provisioning and deprovisioning members in Sentry when you add or remove them in your IdP.

<Note>
  SSO requires the **Business plan** or higher. SAML2-based SSO (required for SCIM) is included in the Business plan. GitHub and Google OAuth providers are available on lower tiers.
</Note>

## Supported identity providers

<CardGroup cols={3}>
  <Card title="Okta" icon="shield">
    Full SAML2 and SCIM support
  </Card>

  <Card title="Azure AD / Microsoft Entra" icon="microsoft">
    Full SAML2 and SCIM support
  </Card>

  <Card title="Auth0" icon="lock">
    SAML2 support
  </Card>

  <Card title="OneLogin" icon="key">
    SAML2 support
  </Card>

  <Card title="Google Workspace" icon="google">
    OAuth2 support
  </Card>

  <Card title="GitHub" icon="github">
    OAuth2 support
  </Card>
</CardGroup>

## Setting up SSO

<Steps>
  <Step title="Open Auth settings">
    Go to **Settings > Auth**. You'll see a list of available authentication providers.
  </Step>

  <Step title="Choose your provider">
    Click **Configure** next to your identity provider. If you're using SAML2, Sentry will display the metadata values you need to configure on your IdP side:

    * **Entity ID** (also called Issuer or Audience URI)
    * **ACS URL** (Assertion Consumer Service URL)
    * **Single Logout URL**

    Copy these values into your IdP's SAML application configuration.
  </Step>

  <Step title="Enter your IdP metadata">
    After configuring your IdP app, copy the following values from your IdP and enter them in Sentry:

    * **Metadata URL** or **IdP Entity ID**
    * **SSO URL** (your IdP's sign-in endpoint)
    * **x.509 Certificate**
  </Step>

  <Step title="Test the connection">
    Click **Save** and then use the **Test Configuration** button to verify the SAML handshake works before enforcing SSO for your team.
  </Step>

  <Step title="Enable SSO enforcement (optional)">
    Turn on **Require SSO** to disable password-based login for all organization members. Once enabled, members must authenticate through your IdP to access Sentry. Existing sessions will be invalidated.

    <Warning>
      Make sure SSO is working correctly before enabling enforcement. If your IdP goes down while enforcement is on, members won't be able to log in. Keep at least one owner account with a working fallback.
    </Warning>
  </Step>
</Steps>

## SSO enforcement behavior

When **Require SSO** is enabled:

* New members can only join via your IdP or by invitation from an existing owner.
* Members who try to log in with a password are redirected to the SSO login flow.
* Members who are removed from your IdP lose access to Sentry on their next session expiry (or immediately if you use SCIM to deprovision them).

## Setting up SCIM

SCIM (System for Cross-domain Identity Management) uses a standardized API to let your IdP automatically create, update, and deactivate Sentry organization members.

<Note>
  SCIM requires SAML2 SSO to already be configured and active.
</Note>

<Steps>
  <Step title="Enable SCIM">
    Go to **Settings > Auth** and click **Enable SCIM** under your configured SAML2 provider.
  </Step>

  <Step title="Copy the SCIM token and base URL">
    Sentry generates a SCIM Bearer token and displays the base URL for your SCIM endpoints. Copy both values — you'll need them to configure your IdP.

    | Field             | Value                                                       |
    | ----------------- | ----------------------------------------------------------- |
    | **SCIM Base URL** | `https://sentry.io/api/0/organizations/{org-slug}/scim/v2/` |
    | **Bearer Token**  | Generated on this page                                      |
  </Step>

  <Step title="Configure SCIM in your IdP">
    In your IdP's SCIM configuration, enter:

    * The SCIM base URL from the previous step
    * The Bearer token as the API authentication token
    * Set **Authentication Mode** to **HTTP Header**

    Your IdP will start syncing users and groups using the endpoints listed below.
  </Step>
</Steps>

## SCIM endpoints

| Resource                       | Endpoint                                                            |
| ------------------------------ | ------------------------------------------------------------------- |
| List / create members          | `GET /POST /api/0/organizations/{org}/scim/v2/Users`                |
| Get / update / delete a member | `GET /PATCH /DELETE /api/0/organizations/{org}/scim/v2/Users/{id}`  |
| List / create teams            | `GET /POST /api/0/organizations/{org}/scim/v2/Groups`               |
| Get / update / delete a team   | `GET /PATCH /DELETE /api/0/organizations/{org}/scim/v2/Groups/{id}` |
| List supported schemas         | `GET /api/0/organizations/{org}/scim/v2/Schemas`                    |

## SCIM behavior

* **Provisioning** — When you assign a user to your Sentry SCIM app in your IdP, Sentry sends them an invitation email. The member is not active until they accept the invitation.
* **Deprovisioning** — When you unassign or deactivate a user in your IdP, Sentry immediately deactivates their membership in your organization.
* **Groups** — SCIM group sync maps IdP groups to Sentry teams. Creating a group in your IdP creates a corresponding team in Sentry.

<Tip>
  Rotate your SCIM token periodically. You can generate a new one from **Settings > Auth** without disrupting SSO — update the new token in your IdP before revoking the old one.
</Tip>
