Any way to assign RBAC roles based on SCIM info?

Hey there, I’ve been looking for a way to automatically assign some users certain roles (I’m referring to native Auth0 RBAC “core” roles, not the Auth Extension ones that live in app_metadata) based on their Okta Group membership via SCIM. I’m able to get the group membership information mapped correctly, but I think I’m stuck after this. The SCIM configuration doesn’t seem to have any additional mapping syntax to manage the user’s assigned roles. I’ve also thought about using Actions for this, but there doesn’t seem to be any triggers that would run after SCIM user updates.

So far I can think of only two ways to accomplish this, both with drawbacks:

  • Run an Auth0 Management API client inside the post-login Action to assign user roles based on profile information. However this seems like a very heavy-handed approach, and also I have no idea if it’s too late for roles assigned during the post-login Action to affect the built-in RBAC checks for the login session.
  • Run a periodic external cron job to reconcile every user’s SCIM-synced profile and roles. While this would definitely work it seems to go against the spirit of SCIM’s identity-sourced pushes. There will necessarily be a period of time when the roles are inconsistent.

I’m wondering if I’m missing something in the Auth0 docs, or if these are really my options right now?


I understand your dilemma with assigning Auth0 RBAC core roles based on Okta Group membership via SCIM. Unfortunately, Auth0’s SCIM configuration doesn’t support direct role assignment. However, you can use the Auth0 Management API within a post-login Action to assign roles based on profile information. While this approach might seem heavy-handed, it ensures that roles are assigned correctly during the login session.

Alternatively, you could set up a periodic external cron job to reconcile user roles, though this might not align perfectly with SCIM’s real-time updates.
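As an added illustration of the first option the thread discusses (a post-login Action that reconciles core roles through the Management API), here is example code that is not from the original post, the reply, or Auth0. It assumes SCIM has mapped the Okta group names into `app_metadata.groups`, that the role IDs in the mapping are placeholders for your tenant's real ones, and that the Management API calls sit behind a small adapter (`getUserRoleIds`, `assignRoles`, `removeRoles`) so the method names of whichever node-auth0 version you run can be wired in; the in-memory adapter below stands in for the real client so the logic runs offline. The planner only adds and removes roles that appear in the mapping, so roles granted by hand are left alone, and repeated logins with no group change produce no Management API writes.

```javascript
// Added example, not code from the original post or from Auth0.
// Assumptions: Okta group names are SCIM-mapped to app_metadata.groups;
// role IDs are placeholders; `mgmt` is an adapter over the Management API.

// Assumed mapping from Okta group name to Auth0 core role ID.
const GROUP_TO_ROLE = {
  'okta-app-admins': 'rol_ADMIN000000001',
  'okta-app-support': 'rol_SUPPORT0000001',
};
const MANAGED_ROLES = new Set(Object.values(GROUP_TO_ROLE));

// Compute the minimal change set so the Action is idempotent across logins.
// Roles outside the mapping are never touched (manual grants survive);
// roles inside the mapping are removed once the user leaves the group.
function planRoleChanges(groups, currentRoleIds) {
  const desired = new Set((groups || []).map((g) => GROUP_TO_ROLE[g]).filter(Boolean));
  const current = new Set(currentRoleIds || []);
  const add = [...desired].filter((r) => !current.has(r)).sort();
  const remove = [...current].filter((r) => MANAGED_ROLES.has(r) && !desired.has(r)).sort();
  return { add, remove };
}

// Apply the plan through the adapter. Only calls the API when there is a diff.
async function reconcileUserRoles(mgmt, userId, groups) {
  const current = await mgmt.getUserRoleIds(userId);
  const plan = planRoleChanges(groups, current);
  if (plan.add.length) await mgmt.assignRoles(userId, plan.add);
  if (plan.remove.length) await mgmt.removeRoles(userId, plan.remove);
  return plan;
}

// In-memory stand-in for the Management API client so this runs offline.
// A real adapter wraps ManagementClient built from Action secrets with the
// same three methods.
function memoryAdapter(initialRoles) {
  const store = new Map(Object.entries(initialRoles).map(([u, r]) => [u, new Set(r)]));
  return {
    async getUserRoleIds(userId) { return [...(store.get(userId) || [])]; },
    async assignRoles(userId, ids) {
      const s = store.get(userId) || new Set();
      ids.forEach((i) => s.add(i));
      store.set(userId, s);
    },
    async removeRoles(userId, ids) {
      const s = store.get(userId);
      if (s) ids.forEach((i) => s.delete(i));
    },
  };
}

// Shape of the post-login Action entry point. In a deployed Action the third
// argument is dropped and `mgmt` is built inside from event.secrets; it is a
// parameter here only so the function can be exercised with memoryAdapter.
async function onExecutePostLogin(event, api, mgmt) {
  const groups = (event.user.app_metadata && event.user.app_metadata.groups) || [];
  return reconcileUserRoles(mgmt, event.user.user_id, groups);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample: a user whose SCIM-synced groups moved from support to admins.
const sampleEvent = {
  user: { user_id: 'auth0|u1', app_metadata: { groups: ['okta-app-admins', 'unmapped-group'] } },
};
const sampleMgmt = memoryAdapter({ 'auth0|u1': ['rol_SUPPORT0000001', 'rol_MANUAL0000001'] });
onExecutePostLogin(sampleEvent, null, sampleMgmt).then((plan) => {
  console.log(JSON.stringify(plan)); // adds the admin role, removes support, keeps the manual one
});
```

Whether a role assigned this way is visible to the RBAC checks of the same login is the open question from the post; the planner above is written so that, at worst, the next login sees a consistent state and no redundant API calls are made.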