Synchronize Group Membership for External Identity Providers

DevOps Secrets Safe supports synchronization of group membership for users and groups defined in external providers.

For an externally defined group to become eligible for membership synchronization, a matching representation of the group must be created in DevOps Secrets Safe (DSS) using the group management API. The group creation call must provide a unique ID for the group in DSS, and that ID must match the unique ID of the corresponding group in the external provider.

Group membership for external users is synchronized at login time. Users are added to and removed from groups in DevOps Secrets Safe according to the membership lists queried from the external provider at the time of login.
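
The login-time reconciliation described above, sketched as an added example (not DevOps Secrets Safe code and not its API). The function name, data shapes and group IDs are hypothetical and constructed. It assumes IDs are compared as exact strings and that DSS groups without an external unique ID are left untouched.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncPlan:
    add: frozenset      # DSS group names the user should be added to
    remove: frozenset   # DSS group names the user should be removed from
    ignored: frozenset  # provider group IDs with no matching DSS group


def plan_login_sync(dss_groups, current_membership, provider_group_ids):
    """Compute membership changes for one external user at login.

    dss_groups: {DSS group name: external unique ID, or None if local-only}
    current_membership: DSS group names the user holds before this login
    provider_group_ids: unique IDs the provider returned for this login
    """
    provider_ids = set(provider_group_ids)
    # Only groups created in DSS with a unique ID are eligible for sync.
    eligible = {name: ext for name, ext in dss_groups.items() if ext}
    should_have = {n for n, ext in eligible.items() if ext in provider_ids}
    # Assumption: memberships in local-only groups are never touched.
    has_now = set(current_membership) & set(eligible)
    return SyncPlan(
        add=frozenset(should_have - has_now),
        remove=frozenset(has_now - should_have),
        ignored=frozenset(provider_ids - set(eligible.values())),
    )


# Constructed sample data: two synchronized groups and one local-only group.
DSS_GROUPS = {
    "secrets-admins": "constructed-id-0001",
    "ci-readers": "constructed-id-0002",
    "break-glass": None,
}


def demo():
    # The provider no longer lists the user in 0001, now lists them in 0002,
    # and also returns 9999, which has no representation in DSS.
    return plan_login_sync(
        DSS_GROUPS,
        current_membership={"secrets-admins", "break-glass"},
        provider_group_ids=["constructed-id-0002", "constructed-id-9999"],
    )


if __name__ == "__main__":
    plan = demo()
    print("add:", sorted(plan.add))
    print("remove:", sorted(plan.remove))
    print("ignored provider IDs:", sorted(plan.ignored))
```

The `ignored` set is worth logging in a real deployment: it lists provider groups that grant nothing because no matching group was created in DSS, which is the usual cause of an expected membership not appearing after login.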

The sections that follow provide examples of typical group synchronization workflows for each identity provider type.