How do CDEs integrate with SSO?

Most CDEs support SAML 2.0 and OIDC for SSO integration with Okta, Azure AD, Google Workspace, and other identity providers. This enables single sign-on, centralized access control, and automatic session management.

What is SCIM provisioning for CDEs?

SCIM (System for Cross-domain Identity Management) automatically syncs users and groups from your identity provider to the CDE platform. When someone joins or leaves, their CDE access is automatically provisioned or revoked.

How should RBAC be configured for CDEs?

Define roles based on function: Developers (create/manage own workspaces), Team Leads (manage team templates), Platform Admins (full control), and Auditors (read-only access). Map to identity provider groups for automatic assignment.

IAM Implementation Guide for Cloud Development Environments

Comprehensive guide to Identity and Access Management for Coder, Ona (formerly Gitpod), GitHub Codespaces, and other CDE platforms. Configure SSO, SCIM provisioning, RBAC, MFA, and enterprise-grade access controls.

Why IAM Matters for Cloud Development Environments

When developers access remote workspaces containing production credentials, proprietary code, and sensitive data, proper identity and access management is not optional - it's critical for security and compliance.

Authentication

Verify user identity through enterprise SSO providers (Okta, Microsoft Entra ID, Google Workspace) with SAML 2.0 or OIDC protocols.

Single Sign-On (SSO)
Multi-Factor Authentication
Session Management

Authorization

Control what authenticated users can do with role-based access control (RBAC) and fine-grained permissions.

Role-Based Access Control
Permission Policies
Resource Isolation

Provisioning

Automate user lifecycle with SCIM (System for Cross-domain Identity Management) for instant onboarding and offboarding.

Automatic User Creation
Group Synchronization
Instant Deprovisioning

Single Sign-On Integration Guides

Step-by-step configuration for major identity providers

Okta SSO Integration

SAML 2.0 and OIDC Configuration

Option 1: SAML 2.0 Setup

Step 1: Create Okta Application

Log into Okta Admin Console
Navigate to Applications > Create App Integration
Select "SAML 2.0" as sign-in method
Name your application (e.g., "Coder CDE")

Step 2: Configure SAML Settings

Single Sign-On URL: https://your-coder-instance.com/api/v2/users/oidc/callback
Audience URI (SP Entity ID): https://your-coder-instance.com
Name ID Format: EmailAddress
Application Username: Email

Step 3: Attribute Mapping

email     -> user.email
firstName -> user.firstName
lastName  -> user.lastName
groups    -> user.groups (if using group-based roles)

Step 4: Configure CDE Platform

Add to your Coder Helm values or configuration:

coder:
  oidc:
    issuerURL: "https://your-org.okta.com"
    clientID: "your-okta-client-id"
    clientSecret: "your-okta-client-secret"
    emailDomain: "yourcompany.com"
    scopes: "openid,profile,email,groups"
    groupField: "groups"

Option 2: OpenID Connect (OIDC) Setup

Recommended for modern deployments. OIDC provides better token handling and refresh capabilities.

# In Okta, create an OIDC Web Application
Authorization Server: default
Grant Types: Authorization Code, Refresh Token
Redirect URIs: https://your-coder.com/api/v2/users/oidc/callback

# CDE Configuration (example for Coder)
CODER_OIDC_ISSUER_URL="https://your-org.okta.com/oauth2/default"
CODER_OIDC_CLIENT_ID="0oa..."
CODER_OIDC_CLIENT_SECRET="secret..."
CODER_OIDC_SCOPES="openid,profile,email,groups"

Microsoft Entra ID Integration

Microsoft's Enterprise Identity Platform (formerly Azure AD)

Step 1: Register Application in Azure Portal

Navigate to Microsoft Entra ID > App Registrations
Click "New registration"
Name: "Coder CDE" (or your platform name)
Redirect URI (Web): https://your-coder.com/api/v2/users/oidc/callback

Step 2: Create Client Secret

In your app registration:

1. Go to "Certificates & secrets"
2. Click "New client secret"
3. Add description: "Coder OIDC Integration"
4. Set expiration (recommended: 12-24 months)
5. Copy the secret value immediately (won't be shown again)

Step 3: API Permissions

Grant the following Microsoft Graph permissions:

User.Read (Delegated)
email (Delegated)
profile (Delegated)
openid (Delegated)
Group.Read.All (Delegated) - for group-based RBAC

Step 4: Configure CDE Platform

CODER_OIDC_ISSUER_URL="https://login.microsoftonline.com/<tenant-id>/v2.0"
CODER_OIDC_CLIENT_ID="your-application-client-id"
CODER_OIDC_CLIENT_SECRET="your-client-secret-value"
CODER_OIDC_SCOPES="openid,profile,email,User.Read"
CODER_OIDC_EMAIL_DOMAIN="yourcompany.com"

# Optional: Group claims for RBAC
CODER_OIDC_GROUP_FIELD="groups"
CODER_OIDC_GROUP_AUTO_CREATE="true"

Entra ID Group Claims

To include groups in the ID token:

1. In App Registration, go to "Token configuration"
2. Add "groups" claim
3. Choose "Security groups" or "Directory roles"
4. Groups will appear in ID token as array of GUIDs

Google Workspace Integration

OAuth 2.0 with Google Cloud Platform

Step 1: Create OAuth 2.0 Client

Go to Google Cloud Console > APIs & Services > Credentials
Create OAuth 2.0 Client ID
Application type: Web application
Authorized redirect URIs: https://your-coder.com/api/v2/users/oidc/callback

Step 2: OAuth Consent Screen

User Type: Internal (for Workspace only)
Scopes:
  - openid
  - email
  - profile
  - https://www.googleapis.com/auth/userinfo.email
  - https://www.googleapis.com/auth/userinfo.profile

Step 3: CDE Configuration

CODER_OIDC_ISSUER_URL="https://accounts.google.com"
CODER_OIDC_CLIENT_ID="your-client-id.apps.googleusercontent.com"
CODER_OIDC_CLIENT_SECRET="your-client-secret"
CODER_OIDC_EMAIL_DOMAIN="yourcompany.com"
CODER_OIDC_SCOPES="openid,profile,email"

# Optional: Restrict to specific Google Workspace domain
CODER_OIDC_EMAIL_DOMAIN="yourcompany.com"

Important: Domain Restriction

Google OAuth doesn't provide group claims by default. For advanced group-based access control, consider using Google Cloud Identity API with service account credentials, or implement custom logic in your CDE platform to query Google Directory API after authentication.

SCIM Provisioning Setup

Automate user lifecycle management with System for Cross-domain Identity Management (SCIM 2.0). When an employee joins, leaves, or changes roles in your IdP, their CDE access updates automatically.

SCIM Benefits

Instant Onboarding: New hires get CDE access within seconds of being added to your IdP
Automatic Offboarding: Terminated employees lose access immediately when disabled in IdP
Group Sync: Role changes in IdP automatically update CDE permissions
Compliance: Single source of truth for user access (required for SOC 2, HITRUST)

SCIM vs Manual Provisioning

Without SCIM:

Manual user creation in each system
Risk of orphaned accounts
Delayed offboarding (security risk)
Manual role/group updates

With SCIM:

Automatic user provisioning
Instant deprovisioning
Real-time group synchronization
Audit trail of all changes

SCIM Configuration Examples

Okta SCIM Setup

# 1. In Coder (or your CDE), generate SCIM API token
coder scim generate-token --name "okta-scim"
# Output: scim_xxxxxxxxxxxxxxxxxxxxxxxx

# 2. In Okta Application Settings:
Provisioning > Integration > Edit
  SCIM Connector Base URL: https://your-coder.com/api/v2/scim/v2
  Unique Identifier Field: userName
  Supported Provisioning Actions:
    ☑ Push New Users
    ☑ Push Profile Updates
    ☑ Push Groups
  Authentication Mode: HTTP Header
    Authorization: Bearer scim_xxxxxxxxxxxxxxxxxxxxxxxx

# 3. Enable Provisioning Features:
To App:
  ☑ Create Users
  ☑ Update User Attributes
  ☑ Deactivate Users

Testing: Use Okta's "Test Provisioning" feature to verify connectivity before enabling for all users.

Microsoft Entra ID SCIM Setup

# 1. Generate SCIM token in your CDE platform

# 2. In Azure Portal:
Enterprise Applications > Your App > Provisioning
  Provisioning Mode: Automatic

  Admin Credentials:
    Tenant URL: https://your-coder.com/api/v2/scim/v2
    Secret Token: scim_xxxxxxxxxxxxxxxxxxxxxxxx

  Click "Test Connection" to validate

# 3. Configure Mappings:
Attribute Mappings > Provision Microsoft Entra ID Users
  userPrincipalName -> userName
  displayName       -> displayName
  mail              -> emails[type eq "work"].value
  givenName         -> name.givenName
  surname           -> name.familyName
  accountEnabled    -> active

# 4. Set Provisioning Scope:
  - Sync only assigned users and groups (recommended)
  - Sync all users and groups (for full automation)

Note: Entra ID SCIM runs on a 40-minute sync cycle by default. For immediate provisioning, use the "Provision on demand" feature for individual users.

Google Workspace SCIM Limitations

Important: Google Workspace does not natively support SCIM provisioning for third-party applications. Workarounds include:

Google Cloud Identity: Use Directory API with service account to sync users programmatically
Third-party bridges: Tools like OneLogin or JumpCloud can act as SCIM intermediaries
Just-in-Time (JIT) provisioning: Users created on first SSO login (simpler but less control)

Role-Based Access Control (RBAC)

Define granular permissions based on job functions. Platform engineers manage infrastructure, developers create workspaces, and auditors have read-only access.

Standard Role Definitions

Admin

Full system access
User management
Template management
Audit log access
System configuration

Platform Engineer

Create/edit templates
Manage provisioners
View all workspaces
No user management
No system config

Developer

Create workspaces
Start/stop own workspaces
Use approved templates
No template editing
Own workspaces only

Viewer / Auditor

Read-only access
View templates
View workspace list
Access audit logs
No modifications

Permission Matrix

Permission	Admin	Platform Eng	Developer	Viewer
Create workspace
Delete own workspace
Delete any workspace
Create/edit templates
View all workspaces
Manage users
Manage groups/roles
View audit logs

Creating Custom Roles

Example: Create a "Template Developer" role that can edit templates but not manage users or system settings.

# Example for Coder (adjust syntax for your CDE platform)
coder groups create template-developers

coder groups edit template-developers \
  --add-permission "templates:write" \
  --add-permission "templates:read" \
  --add-permission "workspaces:read" \
  --add-permission "provisioners:read" \
  --deny-permission "users:*" \
  --deny-permission "groups:*" \
  --deny-permission "system:*"

# Assign users to the role
coder groups add-member template-developers [email protected]
coder groups add-member template-developers [email protected]

# Or sync with IdP group
coder groups sync template-developers --idp-group "Template-Devs"

Multi-Factor Authentication (MFA)

Enforce additional verification beyond passwords. MFA is required for SOC 2 Type II, HITRUST, and most compliance frameworks.

Supported MFA Methods

TOTP (Recommended)

Time-based One-Time Passwords via Google Authenticator, Authy, 1Password, etc.

WebAuthn / FIDO2

Hardware security keys (YubiKey, Titan) or biometric authentication

SMS / Push Notifications

Less secure but easier for users. Avoid for high-security environments.

Enforcement Policies

Required for All Users

Every user must enable MFA to access the platform. No exceptions.

Required for Admins Only

Enforce MFA for privileged roles (admins, platform engineers) but optional for developers.

Conditional Access

Require MFA only for risky scenarios: new device, unusual location, or after N days of inactivity.

Step-Up Authentication

Require re-authentication with MFA for sensitive actions (e.g., deleting templates, changing roles).

MFA Configuration

Option 1: IdP-Level MFA (Recommended)

When using SSO, enforce MFA at your identity provider (Okta, Microsoft Entra ID, Google). This applies MFA to all applications, not just your CDE.

Okta

Security > Multifactor > Factor Enrollment Policy > Require MFA for all users

Entra ID

Security > Conditional Access > Create policy requiring MFA for all cloud apps

Google

Admin Console > Security > 2-Step Verification > Enforce for all users

Best Practice: When SSO is enabled, the CDE platform inherits MFA from your IdP. No additional configuration needed in the CDE itself.

Option 2: Platform-Level MFA

For non-SSO deployments or local admin accounts, configure MFA directly in your CDE platform.

# Example: Coder MFA configuration
# Enable TOTP for all users
coder server --mfa-required=true

# Or via environment variables
CODER_MFA_REQUIRED=true

# For specific users via CLI
coder users edit [email protected] --require-mfa=true

# Check MFA status
coder users list --format json | jq '.[] | {email, mfa_enabled}'

Session Management

Control session lifetime, token rotation, and concurrent access to prevent unauthorized persistence and credential theft.

Idle Timeout

Automatically log out users after a period of inactivity to prevent unauthorized access on unattended devices.

Recommended: 30-60 minutes for general users, 15 minutes for admins

Token Rotation

Regularly refresh authentication tokens to limit the window of opportunity if a token is compromised.

Recommended: Rotate access tokens every 1-4 hours

Concurrent Limits

Limit the number of simultaneous sessions per user to detect and prevent account sharing or compromise.

Recommended: 3-5 concurrent sessions (laptop, desktop, tablet)

Session Configuration Example

# Coder session configuration example
# Session token lifetime (how long before refresh required)
CODER_SESSION_DURATION="4h"

# Inactivity timeout (auto-logout after idle period)
CODER_SESSION_IDLE_TIMEOUT="30m"

# Maximum session lifetime (force re-authentication)
CODER_SESSION_MAX_LIFETIME="24h"

# Concurrent session limit per user
CODER_SESSION_CONCURRENT_LIMIT="5"

# Require re-authentication for sensitive actions
CODER_REQUIRE_STEP_UP_AUTH="true"

# Session persistence (remember me)
CODER_SESSION_PERSISTENT="false"  # Disable for high-security

High Security Profile

Session duration: 1-2 hours
Idle timeout: 15 minutes
Max lifetime: 8 hours
Concurrent limit: 2
Persistent sessions: disabled

Balanced Profile

Session duration: 4 hours
Idle timeout: 30-60 minutes
Max lifetime: 24 hours
Concurrent limit: 5
Persistent sessions: optional

IAM for AI Agents and Automated Workflows

As AI coding agents (Claude Code, GitHub Copilot, Cursor, and custom LLM-based tools) operate inside CDEs, they require their own identity, permissions, and audit controls separate from human users.

Service Accounts

Create dedicated non-human identities for AI agents and CI/CD pipelines. Never share developer credentials with automated tools.

Dedicated identity per agent
No interactive login required
Scoped to specific templates

API Key Management

Issue short-lived, scoped API keys for agents instead of long-lived tokens. Rotate automatically and revoke on anomaly detection.

Short-lived tokens (1-4 hours)
Automatic rotation policies
Per-key scope restrictions

Agent Permissions

Apply the principle of least privilege to AI agents. Restrict file access, network egress, and workspace operations to the minimum required.

Read-only or scoped write access
No admin/template privileges
Network egress restrictions

AI Agent Service Account Configuration

Example: Create a service account for an AI coding agent that can read and write code in workspaces but cannot modify templates, manage users, or access production secrets.

# Create a service account for AI agent workloads
coder users create-service-account ai-code-agent \
  --display-name "AI Code Agent" \
  --description "Service account for LLM-based coding assistants"

# Generate a scoped API token for the agent
coder tokens create ai-code-agent \
  --name "agent-api-key" \
  --lifetime 4h \
  --scope "workspaces:read,workspaces:write"

# Assign agent to a restricted group
coder groups add-member ai-agents ai-code-agent
coder groups edit ai-agents \
  --add-permission "workspaces:read" \
  --add-permission "workspaces:write" \
  --deny-permission "templates:*" \
  --deny-permission "users:*" \
  --deny-permission "system:*" \
  --deny-permission "groups:*"

# Set rate limits for agent API calls
coder users edit ai-code-agent \
  --api-rate-limit 100 \
  --api-burst-limit 20

Agent Security Best Practices

Never reuse developer credentials for agents
Rotate API keys on a short cycle (4-8 hours)
Monitor agent activity for anomalous patterns
Block agent access to secrets vaults and .env files
Restrict network egress to approved endpoints only

What to Audit for AI Agents

Files read and modified by the agent
API calls made and their response codes
External network requests (URLs, IPs)
Token creation, rotation, and revocation events
Permission escalation attempts or denied actions

Agent vs. Human Permission Matrix

AI agents should always operate with fewer privileges than human developers. Use this matrix as a baseline for scoping agent permissions in your CDE.

Permission	Developer	AI Agent	CI/CD Bot
Read workspace files
Write workspace files
Access secrets / .env
Create/delete workspaces
Network egress (internet)
Install system packages
Manage templates/users

= Allowed with restrictions (scoped endpoints, read-only, or approval required)

Audit Logging for Access

Comprehensive logging of authentication events, authorization decisions, and user actions for security monitoring and compliance audits.

Critical Events to Log

Authentication Events

• Successful logins
• Failed login attempts
• Password changes
• MFA enrollment/removal
• Session created/expired

Authorization Events

• Permission granted/denied
• Role assignment changes
• Group membership changes
• Access policy updates
• Privilege escalation attempts

Resource Events

• Workspace created/deleted
• Template modified
• User provisioned/deprovisioned
• Configuration changes
• API key creation/revocation
• AI agent actions and tool calls

Audit Log Format Example

Structured JSON format for machine-parseable logs, compatible with SIEM systems (Splunk, Datadog, ELK).

{
  "timestamp": "2026-01-15T14:32:15.847Z",
  "event_type": "authentication.login.success",
  "event_id": "evt_8x2a9b3c",
  "actor": {
    "user_id": "usr_alice123",
    "email": "[email protected]",
    "ip_address": "203.0.113.45",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)..."
  },
  "resource": {
    "type": "session",
    "id": "sess_9f4e2d1a"
  },
  "context": {
    "auth_method": "oidc",
    "idp": "okta",
    "mfa_verified": true,
    "geo_location": "San Francisco, CA, US"
  },
  "severity": "info",
  "result": "success"
}

Compliance Requirements by Framework

Compliance Framework	Log Retention	Key Requirements
SOC 2 Type II	90 days minimum	All access events, changes to security controls, failed access attempts
HITRUST CSF	6 years	PHI access logs, admin actions, security incidents, log integrity verification
GDPR	Varies by use case	Data subject access, consent changes, data processing activities
PCI DSS	1 year minimum, 3 years recommended	All access to cardholder data, admin actions, authentication attempts
FedRAMP	90 days online, 1 year offline	All privileged access, security events, configuration changes, immutable logs

Log Integrity Best Practices

Use write-once storage or log forwarding to prevent tampering
Implement log signing/hashing for integrity verification
Separate log access from admin access (principle of least privilege)
Forward logs to external SIEM in real-time
Encrypt logs at rest and in transit

Platform-Specific IAM Setup

Detailed configuration guides for popular CDE platforms

Coder

Self-hosted CDE with full RBAC, OIDC, SCIM, and audit logging

OIDC/SAML SSO
SCIM 2.0 provisioning
Custom RBAC roles
Built-in audit logs
MFA via IdP

View Coder Docs

Ona

Container-based CDE with OAuth integration and team management

OAuth 2.0 (GitHub, GitLab, Bitbucket)
Team-based access control
SSO for Enterprise (OIDC)
Git-based permissions
Limited custom RBAC

View Ona Docs

GitHub Codespaces

Managed CDE with GitHub authentication and Enterprise SAML

GitHub account authentication
SAML SSO (Enterprise)
Repository-based permissions
Organization policies
No custom roles

View GitHub Docs

Need Help Choosing a Platform?

Compare Coder, Ona, GitHub Codespaces, Microsoft Dev Box, and Google Cloud Workstations side-by-side, including IAM capabilities.

View Tools Comparison

IAM Security Hardening Checklist

Essential security recommendations for production-grade IAM implementation

Authentication & Access

Enforce SSO: Require OIDC/SAML for all user authentication. Disable local passwords except for emergency admin accounts.
Require MFA: Enable multi-factor authentication for all users, especially admins and platform engineers.
Implement SCIM: Automate user provisioning/deprovisioning to eliminate orphaned accounts and delays.
Session Limits: Set idle timeout (30-60 min), max session lifetime (24h), and concurrent session limits (3-5).
Token Rotation: Rotate access tokens every 1-4 hours to limit exposure window.
AI Agent Service Accounts: Create dedicated non-human identities for AI agents. Never share developer credentials with automated tools.

Authorization & RBAC

Least Privilege: Grant minimum necessary permissions. Use predefined roles (Developer, Platform Engineer) instead of custom per-user permissions.
Role Separation: Separate admin, template management, and workspace access. No developer should have template edit rights.
Group-Based Access: Sync roles with IdP groups (e.g., "platform-engineers" group gets Platform Engineer role automatically).
Regular Audits: Review role assignments quarterly. Remove unused roles and orphaned permissions.
Admin Restrictions: Limit admin role to 2-3 people. Use break-glass procedures for emergency access.
Agent Least Privilege: Scope AI agent permissions to workspace read/write only. Block access to secrets, templates, user management, and unrestricted network egress.

Logging & Monitoring

Comprehensive Logging: Log all authentication events, authorization decisions, role changes, and privileged actions.
SIEM Integration: Forward logs to external SIEM (Splunk, Datadog, ELK) for centralized monitoring and alerting.
Retention: Retain logs per compliance requirements (90 days for SOC 2, 6 years for HITRUST).
Immutable Logs: Use write-once storage or log signing to prevent tampering. Separate log access from admin access.
Alerting: Alert on failed login spikes, admin actions, role changes, and unusual access patterns.
Agent Audit Trails: Log all AI agent file access, API calls, and tool invocations. Flag anomalous patterns like bulk file reads or unexpected network requests.

Compliance & Governance

Document Policies: Maintain written IAM policies, role definitions, and access procedures for auditors.
Access Reviews: Quarterly review of all user access. Require manager approval for role assignments.
Offboarding Process: Immediate access revocation on termination. Automate via SCIM or manual checklist.
Separation of Duties: Different people for development, platform engineering, and auditing. No single person with all privileges.
Compliance Mapping: Map IAM controls to compliance requirements (SOC 2, HITRUST, GDPR) for audit evidence.

Ready to Secure Your CDE?

Start with SSO and SCIM integration, then layer on RBAC, MFA, and audit logging. For AI-assisted development workflows, add dedicated service accounts and scoped API keys for agents. For compliance-critical deployments (HITRUST, SOC 2), prioritize immutable audit logs and role separation.

Compliance Guide Security Deep Dive