Okta SCIM Configuration

Configure Okta SCIM provisioning for RudderStack.

This guide lets you configure Okta’s SCIM provisioning feature to automatically grant RudderStack access to your users. It is divided into the following sections:

Supported features

Currently, RudderStack supports the following provisioning features:

  • Push users: You can create or link a user in RudderStack when assigning the app to a user in Okta.
  • Update user attributes: Okta updates a user’s attributes in RudderStack when the app is assigned to them. Note that any future attribute changes made to the Okta user’s profile will automatically overwrite the corresponding attribute value in RudderStack.
    Info: Currently, you can only update the user’s display name. Updating the email is not supported.
  • Deactivate/reactivate users: This feature deactivates a user’s RudderStack account when it is unassigned in Okta or their Okta account is deactivated. To reactivate the account, you can reassign the app to the user in Okta.
    Info: When a user is deactivated through SCIM, RudderStack does not delete the user from its database; it only revokes their organization user role, which removes their workspace access.

Requirements

Generate an organization-level service access token in the RudderStack workspace for which you want to enable SCIM.

Warning: Your user role and your service access token must both have admin privileges. Otherwise, your SCIM provisioning tasks will fail.

Configuration steps

  1. Log in to Okta as an administrator.
  2. In the sidebar, go to Applications > Applications and select your SSO app configured with SAML 2.0.
     Warning: Make sure that the Application username format in your app is set to Email. See the SSO setup instructions guide for more information.
  3. In the app settings, go to the Provisioning tab and click Configure API Integration.
  4. Check the Enable API Integration setting.
  5. In the API Token field, enter the service access token you generated above.
  6. Click Save to finish the configuration.
Note that:

  • If you have already added or assigned users to your SSO app, make sure to reassign them after completing the SCIM configuration. Otherwise, you will see a red exclamation symbol next to such users.

  • Your SCIM app needs the following permissions for the admin to be able to manage (add, update, or deactivate) the users:

    • Create Users
    • Update User Attributes
    • Deactivate Users

    The RudderStack app (in the Okta gallery) comes preconfigured with these permissions turned on by default. Do not remove these permissions while setting up your SCIM app.

Known issues

RudderStack does not currently support the following SCIM features:

Feature             | Comments
Importing users     | -
Importing groups    | Support for SCIM group operations is coming soon.
Pushing groups      | Support for SCIM group operations is coming soon.
Removing users      | The user account is deactivated (disabled) instead as it achieves the same outcome.
Syncing passwords   | As SCIM is implemented after SSO, there is no need for a password for SSO authentication.
Enhanced group push | -
