Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

Services / Support Migration Checklist (Runbook)

Phase 0 — Readiness

  • Confirm customer IdP supports OIDC or SAML with stable subject identifiers.

  • Confirm customer understands JIT provisioning only.

  • Identify service/test accounts that should remain LOCAL_ONLY.

  • Ensure that the users count (for billing) looks at user account state ENABLED

Phase 1 — SSO Configuration

  • Create new SSO configuration.

  • Target: Operator (Operations App).

  • Select correct Operations User template (permissions only).

  • Validate routing determinism (no ambiguous matches).

  • Save configuration.

✅ No user impact yet.

Phase 2 — Pilot Users

For each pilot user:

  • Ensure email is populated (if blank).

  • Set auth_mode = SSO_PREFERRED.

  • Confirm user can still fall back to local login.

Phase 3 — Observe

  • Monitor SSO Event Log:

    • Binding success

    • Provisioning failures

    • Assertion validation failures

  • Confirm (issuer, subject) binding occurred.

  • Confirm no duplicate users created.

Phase 4 — Gradual Rollout

  • Expand SSO_PREFERRED to more users.

  • Verify users complete first SSO login before enforcement.

Phase 5 — Enforce (Optional)

  • Validate deterministic routing for each user/group.

  • Switch auth_mode to SSO_REQUIRED.

  • Confirm no lockouts.

Phase 6 — SCIM De-Provisioning (Optional)

  • Enable SCIM integration on SSO config.

  • Set scim_deprovisioning_enabled = true.

  • Validate:

    • Existing linked user → disabled

    • Non-existent user → no-op

  • Monitor audit + runtime event log.

Rollback

  • Set affected users back to LOCAL_ONLY.

  • Disable SSO configuration or SCIM flag.

  • No data cleanup required.