IdP Sync

IdP Sync in Tabnine implements automatic user provisioning and de-provisioning, replacing manual user management.

Tabnine offers an IdP sync functionality based on the SCIM 2.0 protocol. IdP Sync uses the SCIM Users API to manage new users and existing users. Changes made in the IdP (add/remove users) are reflected in Tabnine automatically.

IdP Sync is available to Enterprise customers on either self-hosted (private) installations or Enterprise SaaS (console.tabnine.com).

User Types

All users are either “registered” (active) or “deactivated” (inactive). There are no hard deletes in the Tabnine system, so admins must deactivate a user rather than delete it.

Tabnine plans to implement the SCIM Groups API in the near future for role and team management.

Newly synced users (users that have never been registered before) will receive an email upon registration. By default, they will be designated registered users.

Existing users will be synced by email match and given the status of synced users. Once they are synced, they can only be managed by the IdP and not manually.

Team and Role Assignment

Team and role management is currently manual. Whenever a user is added to the system, that user has a default status of “member.”

Admins can assign new roles to users, such as “admin,” by changing the “member” status.

Team assignments are critical in Tabnine IdP Sync. Without a team assignment, the user cannot work.

Admins have the option to automatically assign new users to a default team so they can work immediately (and move them to a different team manually), or to leave them unassigned.

Admins may choose to leave users unassigned for different reasons, but an unassigned member still counts toward the number of licenses your organization uses with Tabnine.

Test Mode and Live Mode

IdP Sync can be set to either Test Mode or Live Mode. Live Mode will apply IdP updates in real time with sync happening continuously.

To push updates, ensure the IdP is properly configured. The first sync can take up to an hour.

It is a best practice to start with Test Mode. Ensure that your SCIM configuration is set properly.

Test Mode will simulate and preview changes in IdP Sync, but not apply them. If admins are satisfied with the preview, they can push the changes live.
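To make the preview concrete, here is an added example (not Tabnine's code or API) that models a dry run using the rules on this page: email match, deactivation instead of deletion, and license counting for unassigned users. The `User` record, function names, the "review" action for a deactivated user who reappears in the IdP, and leaving unsynced manual users untouched are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:  # hypothetical record shape, not Tabnine's schema
    email: str
    active: bool = True          # "registered" vs "deactivated"
    synced: bool = False         # True once the IdP manages the user
    team: Optional[str] = None   # without a team the user cannot work

def plan_sync(idp_emails, users):
    """Dry run: list the actions a sync would take; mutate nothing."""
    idp = {e.strip().lower() for e in idp_emails}
    known = {u.email.lower(): u for u in users}
    actions = []
    for email in sorted(idp):
        u = known.get(email)
        if u is None:
            actions.append(("register", email))      # never registered before
        elif not u.active:
            actions.append(("review", email))        # assumption: admin decides
        elif not u.synced:
            actions.append(("mark_synced", email))   # existing user, email match
    for email, u in sorted(known.items()):
        # Only IdP-managed users are de-provisioned, and never hard-deleted.
        if u.synced and u.active and email not in idp:
            actions.append(("deactivate", email))
    return actions

def license_impact(actions, users, default_team=None):
    """Seats in use after the plan, plus active users left without a team."""
    leaving = {e for a, e in actions if a == "deactivate"}
    joining = [e for a, e in actions if a == "register"]
    staying = [u for u in users if u.active and u.email.lower() not in leaving]
    unassigned = [u.email.lower() for u in staying if u.team is None]
    if default_team is None:
        unassigned += joining    # new users with no default team still use a seat
    return len(staying) + len(joining), sorted(unassigned)

if __name__ == "__main__":
    # Constructed sample data.
    users = [User("alice@example.com", team="core"),
             User("bob@example.com", synced=True, team="core"),
             User("carol@example.com", synced=True)]
    idp = ["Alice@example.com", "carol@example.com", "erin@example.com"]
    plan = plan_sync(idp, users)
    for action in plan:
        print(action)
    print(license_impact(plan, users))
```

Reviewing the "deactivate" and "unassigned" lists before switching to Live Mode catches both unintended de-provisioning and seats consumed by users who cannot yet work.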

How to Set Up IdP Sync

Users must request activation from an account manager or Tabnine Support, as IdP Sync is not available by default.

Once given access, admins must follow these three steps:

First, enable IdP Sync in the Admin Console, choosing Test or Live.

Next, generate a SCIM API key.

Configuring your Identity Provider for IdP Sync

Back in your IdP (Okta, Entra ID, etc.), add 1) the Tabnine SCIM URL and 2) the API key.

If you do not already have an existing Tabnine application in Azure Entra ID, follow these instructions:

  1. Set up an enterprise application. Navigate from: Enterprise Applications > New Application > Create your own application

  2. Next, name it Tabnine and choose "Integrate any other application you don't find in the gallery."

Navigate to your Tabnine application.

Click on Get Started and then choose Automatic.

At this point, add a) the Tabnine SCIM URL and b) the Tabnine-generated API key.

Select Test the connection.

In the Provisioning section, select "Sync only assigned users and groups."

Once in place, hit Start.

Head over to Okta. On the left-hand menu, select Applications, then select your Tabnine app.

Next, navigate from General > App Settings > Edit. Then, check off Enable SCIM Provisioning and hit Save.

Proceed to Provisioning.

Add your Tabnine SCIM URL under SCIM connector base URL.

Under Authentication Mode, select "HTTP Header."

Now add your Tabnine-generated API key under HTTP Header - Authorization.

Once in place, hit Save.

The sync cycle only starts when the IdP initiates it and the Tabnine SCIM service is running with a valid token. Syncs (e.g., from Entra ID) may take up to an hour.

Disabling IdP Sync

When disabling IdP sync, admins can choose to convert all synced users to unsynced users, or deactivate all synced users.
