June 1st, 2026
Spacelift now supports SCIM 2.0 (System for Cross-domain Identity Management). Your identity provider becomes the single source of truth for who has access to Spacelift. Okta, Microsoft Entra ID, OneLogin, or any IdP that speaks SCIM 2.0 can automatically sync users and groups, so you never have to manually invite or remove anyone again.
When someone joins your company or switches teams, their Spacelift access updates automatically based on IdP group membership. When someone leaves, their account is deactivated and all active sessions are revoked. No stale accounts, no forgotten cleanup.
Groups sync too. Push them from your IdP via SCIM, then assign roles using the Spacelift Terraform provider (recommended) or the UI. You get version-controlled, auditable access management that stays current with your IdP automatically.
Generate SCIM credentials in Organization Settings > Single Sign-On, configure your IdP with the base URL and OAuth 2.0 client credentials, and syncing starts immediately. The credentials are scoped exclusively to SCIM endpoints. SCIM creates user and group records but does not assign permissions. You control what people can do through role bindings or login policies.
Full CRUD for users and groups via SCIM 2.0 (RFC 7644)
User deactivation and deletion both revoke active sessions immediately
Group membership syncs automatically, keeping role assignments current
Filtering by userName, active status, email (users) and displayName (groups)
Enterprise plan only. Requires SSO to be configured first. Some IdPs (like Okta) require SAML, not OIDC, for SCIM.
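An added example (not Spacelift's code and not taken from its documentation) of auditing deprovisioning with the standard SCIM 2.0 messages from RFC 7644: it builds the `active eq true` filter, the PatchOp body that deactivates a user, and flags accounts that are still active on the SCIM side but missing from the IdP roster. The sample response, the roster and all function names are constructed for illustration, and a record with no `active` attribute is assumed to be active.

```python
import json
from urllib.parse import quote

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: a ListResponse as a SCIM server would return for GET /Users.
SAMPLE = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 3, "startIndex": 1, "itemsPerPage": 3,
 "Resources": [
  {"id": "u1", "userName": "alice@example.com", "active": true},
  {"id": "u2", "userName": "bob@example.com", "active": true},
  {"id": "u3", "userName": "carol@example.com", "active": false}]}
""")

def active_users_query(start_index=1, count=100):
    """Query string for listing active users (filter syntax per RFC 7644)."""
    return f"filter={quote('active eq true')}&startIndex={start_index}&count={count}"

def deactivate_op():
    """PatchOp body that sets active=false, the deprovisioning signal."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def stale_accounts(list_response, idp_roster):
    """userNames active on the SCIM side but absent from the IdP roster."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    # Auditing a truncated page would silently miss accounts, so refuse it.
    if list_response.get("totalResults", 0) > len(resources):
        raise ValueError("partial page: fetch the remaining pages first")
    # userName is case-insensitive in the SCIM core schema (RFC 7643).
    roster = {name.lower() for name in idp_roster}
    # Assumption: a record without an "active" attribute is treated as active.
    return sorted(r["userName"] for r in resources
                  if r.get("active", True) and r["userName"].lower() not in roster)

if __name__ == "__main__":
    print(active_users_query())
    print(stale_accounts(SAMPLE, ["Alice@Example.com"]))
    print(json.dumps(deactivate_op()))
```

Any name this check returns is an account the IdP no longer knows about but that has not been deactivated, which is the stale-account condition SCIM sync is meant to eliminate.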
Read the full documentation: SCIM documentation