IdP user group sync

IdP Group Sync automates the synchronization of users and groups between your identity provider (IdP) and Cast AI. This feature eliminates the need to manually manage user access across multiple systems by keeping your Cast AI user groups automatically synchronized with your IdP groups.

Overview

What User Group Sync does

User Group Sync connects your existing identity provider with Cast AI to:

  • Automatically create and update user groups based on your IdP groups
  • Provision new users when they're added to synced groups in your IdP
  • Remove user access when they're removed from groups or deactivated in your IdP
  • Keep group memberships synchronized between your IdP and Cast AI

Benefits over manual user management

Reduced administrative overhead: No need to maintain separate user lists and group memberships in Cast AI.

Improved security: Your IdP becomes the single source of truth for user access, ensuring consistent permissions across systems.

Faster onboarding and offboarding: New team members automatically receive appropriate Cast AI access when added to the correct groups in your IdP. Departing team members lose access immediately when removed from your IdP.

Audit and compliance: Centralized access management through your IdP provides better visibility and control for compliance requirements.

Supported identity providers

Cast AI supports user group synchronization with any IdP that has SCIM 2.0 client capability. Contact your Technical Account Manager for compatibility and next steps.

For the IdPs below, Cast AI offers documented step-by-step guidance:

  • Okta – Syncs groups and users through SCIM protocol
  • Azure AD (Entra ID) – Syncs groups and users through SCIM protocol

Prerequisites

Before setting up User Group Sync:

  • You must have an existing SSO connection configured between your IdP and Cast AI. For instructions on how to do so, see Single Sign-On (SSO).
  • You need administrative access to your identity provider to configure group synchronization.
  • Your Cast AI account must have the Owner role to enable and configure group sync.

How it works

Setup process

  1. Enable sync: You enable group sync in Cast AI and configure your IdP to send group information
  2. Group discovery: Cast AI receives your IdP groups and displays them for configuration
  3. Group mapping: You choose how to handle each IdP group and assign roles
  4. Ongoing synchronization: Changes in your IdP groups automatically update Cast AI

Group handling options

When configuring sync, you choose how to handle each IdP group:

Create new groups: Cast AI creates new groups based on your IdP groups. These groups are automatically managed and updated based on IdP changes. This ensures your Cast AI group structure matches your IdP exactly.

Map to existing groups (Okta only): Connect an IdP group to an existing Cast AI group. The IdP group membership will override the existing group membership. Use this when you want to maintain your current Cast AI group structure while populating it with IdP users.

Note: Azure AD only supports creating new groups. Group mapping to existing Cast AI groups is not available for Azure AD.

User management

New users: When users are added to synced groups in your IdP, they automatically receive access to Cast AI with the appropriate group memberships and roles.

Existing users: Users who already have Cast AI access will have their group memberships updated to match their IdP group assignments.

User removal: When users are removed from synced groups or deactivated in your IdP, they lose the associated access in Cast AI.

Sync timing

  • Initial sync: Timing depends on your identity provider and the volume of users and groups being synchronized. Okta typically completes initial sync quickly, while Azure AD can take up to 40 minutes
  • Ongoing updates: Cast AI processes changes immediately as it receives them from your IdP
  • Provider-initiated sync: You can trigger synchronization from your IdP's SCIM provisioning application when needed

Key concepts

IdP as single source of truth

When group sync is enabled, your identity provider becomes the authoritative source for group membership, user status, and synced group structure. Cast AI automatically reflects changes made in your IdP. Direct changes to synced group membership in Cast AI are restricted to maintain consistency with your IdP.
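The group handling options, user removal behaviour and single-source-of-truth rule described above, modelled as an added example (this is not Cast AI code and does not use the Cast AI API; group names, e-mail addresses and the CastState shape are constructed for illustration):

```python
from dataclasses import dataclass

@dataclass
class CastState:
    groups: dict   # Cast AI group name -> set of member e-mails
    synced: set    # group names whose membership is managed by the IdP
    active: set    # e-mails that currently have Cast AI access

def _expected(members, idp_deactivated):
    # Deactivated IdP users are never provisioned into a synced group
    return {u for u in members if u not in idp_deactivated}

def reconcile(idp_groups, idp_deactivated, state, mapped=None):
    """Apply an IdP snapshot and return the resulting CastState.
    idp_groups:      {idp_group: set(e-mails)} for groups the IdP pushes
    idp_deactivated: e-mails deactivated in the IdP
    mapped:          {idp_group: existing Cast AI group} for "map to existing
                     groups"; unmapped IdP groups use "create new groups"
    """
    mapped = mapped or {}
    groups = {g: set(m) for g, m in state.groups.items()}  # manual groups untouched
    synced = set(state.synced)
    for idp_name, members in idp_groups.items():
        target = mapped.get(idp_name, idp_name)
        # IdP membership overrides whatever the target group currently holds
        groups[target] = _expected(members, idp_deactivated)
        synced.add(target)
    # Members of synced groups are provisioned; deactivated users lose access.
    # Users removed from a group only lose that group's access, not the account.
    provisioned = set().union(*(groups[g] for g in synced))
    active = (set(state.active) - set(idp_deactivated)) | provisioned
    return CastState(groups, synced, active)

def drift(idp_groups, idp_deactivated, state, mapped=None):
    """Synced groups whose Cast AI membership differs from the IdP snapshot.
    Returns {group: (missing_in_cast_ai, extra_in_cast_ai)}; since direct edits
    to synced groups are restricted, any entry points at a sync problem."""
    mapped = mapped or {}
    out = {}
    for idp_name, members in idp_groups.items():
        target = mapped.get(idp_name, idp_name)
        want, have = _expected(members, idp_deactivated), state.groups.get(target, set())
        if want != have:
            out[target] = (want - have, have - want)
    return out

# Constructed sample data: one IdP group is created new, one is mapped onto an
# existing Cast AI group, and one IdP user has been deactivated.
IDP_GROUPS = {"platform-eng": {"ana@example.com", "bo@example.com", "cy@example.com"},
              "sre": {"bo@example.com"}}
IDP_DEACTIVATED = {"cy@example.com"}
BEFORE = CastState(groups={"finops": {"dan@example.com"}, "sre-oncall": {"dan@example.com"}},
                   synced=set(), active={"dan@example.com", "cy@example.com"})
AFTER = reconcile(IDP_GROUPS, IDP_DEACTIVATED, BEFORE, mapped={"sre": "sre-oncall"})
```

Running `drift` against the state before and after `reconcile` shows the mapped group's old membership being replaced and the deactivated user being dropped from both the group and the active set.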

Permission inheritance

When users join Cast AI through synced groups, they receive the default role defined in your SSO connection configuration. Beyond this default, users can be assigned additional permissions through:

  • Membership in synced groups with configured roles and resource access
  • Individual role assignments made in Cast AI

When assignments provide access to the same resource, the highest permission level takes precedence. Organization-level permissions override cluster-level permissions.

Monitoring and visibility

You can monitor synchronization through your identity provider's SCIM application, which provides:

  • Sync health: Whether synchronization is working correctly
  • Last sync time: When the most recent sync occurred
  • Sync logs: Detailed information about sync operations and any issues

In Cast AI, you can view which groups are synced by navigating to Access control > User groups, where synced groups are displayed alongside manually created groups.

Note: Additional sync status information, such as active sync status and member counts, will be available in the Cast AI console in a future update.

Limitations

Sync timing

User Group Sync operates in near real-time, but not instantly:

  • Initial sync: Can take several minutes to complete for organizations with many users and groups
  • Ongoing updates: Changes typically reflect within minutes, but may take longer
  • Large organizations: Sync times may be extended due to provider rate limits and processing queues

Provider-specific limitations

Okta:

  • Requires explicit "Push Groups" configuration: groups must be manually selected for synchronization
  • Rate limits apply (typically 600 requests per minute for SCIM operations)

Azure AD:

  • Users and groups must be explicitly assigned to the Cast AI application before they can be synchronized
  • Attribute mapping may require customization to work with Cast AI's expected format
  • Sync behavior can vary based on tenant size and license type

Getting started

Prerequisites checklist

Before proceeding with setup:

  • SSO connection between your IdP and Cast AI is working
  • You have Owner permissions in your Cast AI organization
  • You have administrative access to your identity provider
  • You've identified which IdP groups should be synced to Cast AI

Next steps

Choose your identity provider to begin setup:

Once configured, learn how to manage your synchronized groups:

Frequently asked questions (FAQ)

User deactivation and reactivation

Q: If I deactivate a user in the IdP, will it automatically deactivate them in Cast AI?

Yes. User status is synced automatically—once deactivated in your identity provider, the user will also be deactivated in the Cast AI console.

Q: What happens to API keys created by a deactivated user?

All API keys created by that user will expire and can no longer be used across the platform.

Q: If we deactivate a user and later reactivate them in our IdP, what happens in Cast AI?

The same user identity will be reactivated in Cast AI, with all previously assigned permissions restored.

Login methods and SSO

Q: Will we still be able to use other login types if IdP User Sync is enabled?

User identities that were created before IdP User Sync enablement (such as via email/password or Google login) will remain in the Cast AI console and continue to work as before. However, if a new user attempts to log in with the same email address using a non-SSO login method, they will not be connected to your organization. Instead, a new blank organization will be created for them.

Azure AD configuration

Q: What permissions are needed to enable IdP User Group Sync for Azure if we already have an Enterprise Application?

You'll need an administrator who can create an Enterprise Application on the Azure side to enable this feature. Additionally, a paid Azure AD (Entra) plan is required if you want to sync only specific groups instead of all users and groups within your directory.

Troubleshooting sync issues

Q: I'm part of a synced group with a role assigned within the Cast AI console, but when signing in, I see the error "User is not assigned to the client application." What could be missing?

You also need to be assigned to the initial Okta web application—the one that handles the SSO login, not the SCIM integration app. To verify this, open the SSO web app in Okta and check the Assignments tab to ensure your user is listed there.

Q: We set up IdP User Group Sync, but it still doesn't automatically push everyone through IdP. What could be wrong?

The most common issue is using incorrect Cast AI endpoints during configuration. Make sure you're using the correct subdomain for your region:

  • EU organizations: https://console.eu.cast.ai/
  • US organizations: https://console.cast.ai/