Directory sync (SCIM)

How to configure directory sync on your account to automate the management of users and their permissions from your identity management platform to Knock.
Enterprise plan feature. Directory sync is only available on our Enterprise plan.

Overview

Directory sync allows you to automatically provision users and manage their permissions in Knock by leveraging the identity provider your organization is using (e.g. Okta) as the single source for user and group information.

Once configured, it enables automated syncing of user identity information from identity providers to Knock using SCIM (System for Cross-domain Identity Management), an open standard for managing automated user and group provisioning.

Any users assigned to the Knock application in your identity provider will be created in Knock (or vice versa), with their roles and permissions automatically configured based on their group memberships (see the default group-to-role mapping for more details).

Directory sync configuration

To set up directory sync for your account:

  1. Contact the Knock support team.
  2. Our team will provide you with a customized link to guide you through the Directory Sync setup process for your specific identity provider.
  3. Follow the step-by-step instructions in the guide provided at the link in order to complete the configuration.

We support many common identity providers. For detailed, provider-specific setup guides, please refer to the following:

Once the setup is complete and user data starts syncing from your identity provider to Knock, you'll see a "connected" status for directory sync under Settings > General in your Knock dashboard.

Group-to-role mapping

You can optionally supply a set of group-to-role mappings for your organization. For instance, you might want to always map the "Team Admins" group to the admin role within Knock. You must supply this mapping to the Knock support team to set on your account as there is currently no way to self-service this information.

If you want to force a group in your IdP to a particular role, you can use the following group names to automatically assign the corresponding role to users in that group.

Group name            Role
knock-role-owner      owner
knock-role-admin      admin
knock-role-member     member
knock-role-billing    billing
knock-role-support    support

How Knock assigns roles

If a user does not belong to any group, Knock will assign the support role to the user. If a user belongs to more than one of these groups, then Knock will assign the highest privileged role available to that user. See roles and permissions for more details.
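
The assignment rules above can be previewed against an export of your IdP group memberships before sync is enabled. The following is an added example, not Knock's own code: the function names, the sample users and the "Team Admins" custom mapping are illustrative. It assumes that the privilege ranking follows the table order and that groups matching no mapping are ignored.

```python
# ASSUMPTION: rank follows this page's table order; the page does not state
# it, so confirm against Knock's roles and permissions documentation.
ROLE_RANK = ["support", "billing", "member", "admin", "owner"]  # low -> high
DEFAULT_ROLE = "support"  # from the page: users in no group get "support"

# Reserved group names from the page's table.
RESERVED = {f"knock-role-{r}": r for r in ROLE_RANK}


def effective_role(groups, custom_map=None):
    """Return (role, matched) where matched maps each matching group to its role.

    custom_map models the optional group-to-role mapping supplied to Knock
    support. ASSUMPTION: groups that match no mapping are ignored, so a user
    with only unmapped groups is treated like a user in no group.
    """
    mapping = {**RESERVED, **(custom_map or {})}
    matched = {g: mapping[g] for g in groups if g in mapping}
    if not matched:
        return DEFAULT_ROLE, matched
    role = max(matched.values(), key=ROLE_RANK.index)
    return role, matched


def audit(users, custom_map=None, privileged=("owner", "admin")):
    """Yield (user, role, finding) for each user in a {user: [groups]} export."""
    for user, groups in sorted(users.items()):
        role, matched = effective_role(groups, custom_map)
        if not matched:
            finding = "no mapped group: falls back to default role"
        elif role in privileged and len(set(matched.values())) > 1:
            finding = "multiple role groups: highest role wins"
        elif role in privileged:
            finding = "privileged role: confirm membership is intended"
        else:
            finding = "ok"
        yield user, role, finding


if __name__ == "__main__":
    # Constructed sample export; names and groups are illustrative only.
    sample = {
        "alice": ["knock-role-member", "Team Admins"],
        "bob": ["knock-role-billing"],
        "carol": ["Engineering"],
        "dave": ["knock-role-owner"],
    }
    for row in audit(sample, custom_map={"Team Admins": "admin"}):
        print(*row, sep="\t")
```

Rows flagged "multiple role groups" are the ones to review first, since an overlapping membership is what raises a user above the role their primary group implies.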

Frequently asked questions