IdP user group sync
IdP Group Sync automates the synchronization of users and groups between your identity provider (IdP) and Cast AI. This feature eliminates the need to manually manage user access across multiple systems by keeping your Cast AI user groups automatically synchronized with your IdP groups.
Overview
What User Group Sync does
User Group Sync connects your existing identity provider with Cast AI to:
- Automatically create and update user groups based on your IdP groups
- Provision new users when they're added to synced groups in your IdP
- Remove user access when they're removed from groups or deactivated in your IdP
- Keep group memberships synchronized between your IdP and Cast AI
Benefits over manual user management
Reduced administrative overhead: No need to maintain separate user lists and group memberships in Cast AI.
Improved security: Your IdP becomes the single source of truth for user access, ensuring consistent permissions across systems.
Faster onboarding and offboarding: New team members automatically receive appropriate Cast AI access when added to the correct groups in your IdP. Departing team members lose access immediately when removed from your IdP.
Audit and compliance: Centralized access management through your IdP provides better visibility and control for compliance requirements.
Supported identity providers
Cast AI supports user group synchronization with any IdP that has SCIM 2.0 client capability. Contact your Technical Account Manager for compatibility and next steps.
For the IdPs below, Cast AI offers documented step-by-step guidance:
- Okta – Syncs groups and users through SCIM protocol
- Azure AD (Entra ID) – Syncs groups and users through SCIM protocol
Prerequisites
Before setting up User Group Sync:
- You must have an existing SSO connection configured between your IdP and Cast AI. For instructions on how to do so, see Single Sign-On (SSO).
- You need administrative access to your identity provider to configure group synchronization.
- Your Cast AI account must have the Owner role to enable and configure group sync.
How it works
Setup process
- Enable sync: You enable group sync in Cast AI and configure your IdP to send group information
- Group discovery: Cast AI receives your IdP groups and displays them for configuration
- Group mapping: You choose how to handle each IdP group and assign roles
- Ongoing synchronization: Changes in your IdP groups automatically update Cast AI
Group handling options
When configuring sync, you choose how to handle each IdP group:
Create new groups: Cast AI creates new groups based on your IdP groups. These groups are automatically managed and updated based on IdP changes. This ensures your Cast AI group structure matches your IdP exactly.
Map to existing groups (Okta only): Connect an IdP group to an existing Cast AI group. The IdP group membership will override the existing group membership. Use this when you want to maintain your current Cast AI group structure while populating it with IdP users.
Note: Azure AD only supports creating new groups. Group mapping to existing Cast AI groups is not available for Azure AD.
User management
New users: When users are added to synced groups in your IdP, they automatically receive access to Cast AI with the appropriate group memberships and roles.
Existing users: Users who already have Cast AI access will have their group memberships updated to match their IdP group assignments.
User removal: When users are removed from synced groups or deactivated in your IdP, they lose the associated access in Cast AI.
Sync timing
- Initial sync: Timing depends on your identity provider and the volume of users and groups being synchronized. Okta typically completes initial sync quickly, while Azure AD can take up to 40 minutes
- Ongoing updates: Cast AI processes changes immediately as it receives them from your IdP
- Provider-initiated sync: You can trigger synchronization from your IdP's SCIM provisioning application when needed
Key concepts
IdP as single source of truth
When group sync is enabled, your identity provider becomes the authoritative source for group membership, user status, and synced group structure. Cast AI automatically reflects changes made in your IdP. Direct changes to synced group membership in Cast AI are restricted to maintain consistency with your IdP.
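The group handling, user management and single-source-of-truth rules above describe what the SCIM provisioning target has to do with each push from the IdP. The following is an added, runnable model of that behaviour; it is not Cast AI's code or API. The request shapes (Group `members` arrays, User `active`, PATCH `Operations` with `add`/`remove`/`replace`) follow RFC 7644; the in-memory store, the audit events, the group and user names, and the helper names are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Filter-style removal path used by some IdPs, e.g. members[value eq "u2"]
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')


@dataclass
class SyncState:
    """Constructed stand-in for the provisioning target's view of groups and users."""
    groups: dict = field(default_factory=dict)       # group name -> set of user ids
    synced_groups: set = field(default_factory=set)  # groups the IdP now owns
    active_users: set = field(default_factory=set)
    audit: list = field(default_factory=list)        # (event, user, detail)

    def log(self, event, user, detail=""):
        self.audit.append((event, user, detail))


def member_ids(members):
    """Pull user ids out of a SCIM Group 'members' array ([{"value": "<id>"}, ...])."""
    return {m["value"] for m in members}


def apply_user(state, scim_user):
    """POST/PUT /Users: the IdP's 'active' flag decides whether the user keeps access."""
    uid = scim_user["id"]
    if scim_user.get("active", True):
        if uid not in state.active_users:
            state.active_users.add(uid)
            state.log("user_provisioned", uid)
    else:
        deactivate_user(state, uid)


def deactivate_user(state, uid):
    """Deactivation in the IdP strips the user from every synced group."""
    state.active_users.discard(uid)
    for name in state.synced_groups:
        if uid in state.groups[name]:
            state.groups[name].discard(uid)
            state.log("access_removed", uid, f"deactivated in IdP; dropped from {name}")


def create_group(state, scim_group, map_to=None):
    """POST /Groups. With map_to, the IdP group is mapped onto an existing group and the
    IdP membership overrides whatever that group held (the Okta-only mapping option)."""
    name = map_to or scim_group["displayName"]
    # Deactivated users are never (re)added, whatever the IdP group lists.
    wanted = member_ids(scim_group.get("members", [])) & state.active_users
    current = state.groups.get(name, set())
    for uid in wanted - current:
        state.log("access_granted", uid, name)
    for uid in current - wanted:
        state.log("access_removed", uid, f"not in IdP group mapped to {name}")
    state.groups[name] = set(wanted)
    state.synced_groups.add(name)
    return name


def patch_group(state, name, patch):
    """PATCH /Groups/{id} carrying RFC 7644 'Operations' on the members attribute."""
    if name not in state.synced_groups:
        raise KeyError(f"{name} is not an IdP-synced group")
    members = state.groups[name]
    for op in patch["Operations"]:
        kind = op["op"].lower()
        path = op.get("path", "")
        if kind in ("add", "replace") and path == "members":
            wanted = member_ids(op["value"]) & state.active_users
            if kind == "replace":
                for uid in members - wanted:
                    state.log("access_removed", uid, f"replaced out of {name}")
                members.intersection_update(wanted)
            for uid in wanted - members:
                state.log("access_granted", uid, name)
            members.update(wanted)
        elif kind == "remove":
            # Two shapes in use: a filter path, or a plain path plus a 'value' list.
            targets = member_ids(op["value"]) if "value" in op else set(MEMBER_FILTER.findall(path))
            for uid in targets & members:
                members.discard(uid)
                state.log("access_removed", uid, f"removed from IdP group {name}")
        else:
            raise ValueError(f"unsupported operation {op}")


def manual_add(state, name, uid):
    """Direct edits to a synced group's membership are refused: the IdP is the single
    source of truth, so the change has to be made there and pushed back."""
    if name in state.synced_groups:
        raise PermissionError(f"{name} is managed by the IdP; edit membership in the IdP")
    state.groups.setdefault(name, set()).add(uid)


def walkthrough():
    """Constructed sequence of IdP pushes; returns the resulting state for inspection."""
    st = SyncState()
    st.groups["platform-eng"] = {"legacy-admin"}   # a group created by hand earlier
    st.active_users.add("legacy-admin")
    for uid in ("u1", "u2", "u3"):
        apply_user(st, {"id": uid, "active": True})
    # Map IdP group "platform" onto the existing group: its membership is overridden.
    create_group(st, {"displayName": "platform",
                      "members": [{"value": "u1"}, {"value": "u2"}]}, map_to="platform-eng")
    patch_group(st, "platform-eng", {"Operations": [
        {"op": "add", "path": "members", "value": [{"value": "u3"}]}]})
    patch_group(st, "platform-eng", {"Operations": [
        {"op": "remove", "path": 'members[value eq "u2"]'}]})
    apply_user(st, {"id": "u1", "active": False})   # offboarded in the IdP
    return st
```

Running `walkthrough()` leaves `platform-eng` with only `u3`: the hand-added `legacy-admin` is dropped when the IdP group is mapped onto it, `u2` goes when the IdP removes it, and `u1` goes when the IdP deactivates the account. The audit list is the part a reviewer cares about: every grant and removal is traceable to an IdP event rather than to a console edit.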
Permission inheritance
When users join Cast AI through synced groups, they receive the default role defined in your SSO connection configuration. Beyond this default, users can be assigned additional permissions through:
- Membership in synced groups with configured roles and resource access
- Individual role assignments made in Cast AI
When assignments provide access to the same resource, the highest permission level takes precedence. Organization-level permissions override cluster-level permissions.
Monitoring and visibility
You can monitor synchronization through your identity provider's SCIM application, which provides:
- Sync health: Whether synchronization is working correctly
- Last sync time: When the most recent sync occurred
- Sync logs: Detailed information about sync operations and any issues
In Cast AI, you can view which groups are synced by navigating to Access control > User groups, where synced groups are displayed alongside manually created groups.
Note: Additional sync status information, such as active sync status and member counts, will be available in the Cast AI console in a future update.
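The SCIM application's sync health, last sync time and sync logs are the only place today to confirm that the IdP's changes actually landed in Cast AI. As an added example, not part of this page or of any IdP's tooling, the check below turns a handful of provisioning log entries into the two facts an access review needs: whether the sync is stale, and which removals the IdP attempted but never completed (a user who still holds access after offboarding). The line format, timestamps, user names and the 40-minute staleness threshold (taken from the Azure AD initial-sync figure above) are constructed; real SCIM app logs differ per IdP and would need their own parser.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in a made-up line format: "<time> <op> <kind> <subject> <status> [detail]"
SAMPLE_LOG = [
    "2024-05-01T09:00:12Z push user ana@example.com success",
    "2024-05-01T09:00:13Z push group platform success",
    "2024-05-01T09:05:40Z remove user bo@example.com failure 429 rate_limited",
    "2024-05-01T09:06:10Z remove user bo@example.com failure 429 rate_limited",
    "2024-05-01T09:20:00Z push group sre success",
    "2024-05-01T09:21:00Z remove user cy@example.com failure 502 upstream",
    "2024-05-01T09:25:00Z remove user cy@example.com success",
]


def parse_time(iso):
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, op, kind, subject, status, *detail = line.split()
    return {"time": parse_time(ts), "op": op, "kind": kind, "subject": subject,
            "status": status, "detail": " ".join(detail)}


def sync_report(lines, now, stale_after=timedelta(minutes=40)):
    """Summarise sync health from log lines.

    stale: no successful operation within `stale_after` of `now`.
    pending_removals: subjects whose most recent removal attempt failed, i.e. access
    the IdP already revoked but the target still grants. Those are the entries to
    escalate first, since the person is no longer authorised by the source of truth.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["time"])
    successes = [e["time"] for e in events if e["status"] == "success"]
    last_ok = max(successes) if successes else None
    stale = last_ok is None or now - last_ok > stale_after
    latest_removal = {}
    for e in events:
        if e["op"] == "remove":
            latest_removal[e["subject"]] = e["status"]   # later events win
    pending = sorted(s for s, status in latest_removal.items() if status != "success")
    failures = sum(1 for e in events if e["status"] == "failure")
    return {"last_success": last_ok, "stale": stale,
            "failures": failures, "pending_removals": pending}


def report_at(iso_now, lines=SAMPLE_LOG):
    """Convenience wrapper so the check can be run for a given wall-clock time."""
    return sync_report(lines, parse_time(iso_now))
```

On the sample, `report_at("2024-05-01T10:10:00Z")` reports the sync as stale (last success 09:25, 45 minutes earlier) and lists `bo@example.com` as a pending removal, while `cy@example.com` does not appear because the retry succeeded. Counting raw failures alone would have hidden that difference.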
Limitations
Sync timing
User Group Sync operates in near real-time, but not instantly:
- Initial sync: Can take several minutes to complete for organizations with many users and groups
- Ongoing updates: Changes typically reflect within minutes, but may take longer
- Large organizations: Sync times may be extended due to provider rate limits and processing queues
Provider-specific limitations
Okta:
- Requires explicit "Push Groups" configuration: groups must be manually selected for synchronization
- Rate limits apply (typically 600 requests per minute for SCIM operations)
Azure AD:
- Users and groups must be explicitly assigned to the Cast AI application before they can be synchronized
- Attribute mapping may require customization to work with Cast AI's expected format
- Sync behavior can vary based on tenant size and license type
Getting started
Prerequisites checklist
Before proceeding with setup:
- SSO connection between your IdP and Cast AI is working
- You have Owner permissions in your Cast AI organization
- You have administrative access to your identity provider
- You've identified which IdP groups should be synced to Cast AI
Next steps
Choose your identity provider to begin setup:
Once configured, learn how to manage your synchronized groups: