Okta SCIM Configuration

Configure Okta SCIM provisioning for RudderStack.

This guide explains how to configure Okta’s SCIM provisioning feature to automatically grant your users access to RudderStack.

Supported features

Currently, RudderStack supports the following provisioning features:

  • Push users: You can create or link a user in RudderStack when assigning the app to a user in Okta.
  • Update user attributes: Okta updates a user’s attributes in RudderStack when the app is assigned to them. Note that any future attribute changes made to the Okta user’s profile will automatically overwrite the corresponding attribute value in RudderStack.
    Info: Currently, you can only update the user’s display name. Updating the email is not supported.
  • Deactivate/reactivate users: This feature deactivates a user’s RudderStack account when it is unassigned in Okta or their Okta account is deactivated. To reactivate the account, you can reassign the app to the user in Okta.
    Info: When a user is deactivated through SCIM, RudderStack does not delete the user from its database; it only revokes their organization user role, leading to the loss of their workspace access.

Requirements

To configure the SCIM app, you need a personal access token with admin privileges.

Follow these steps to create a new personal access token:

  1. Log in to the RudderStack workspace you want to enable SCIM for. Note that your role in the organization must be of the Admin type.
  2. Go to Settings > Your Profile > Account tab and scroll down to Personal access tokens. Then, click Generate new token.
  3. Set an appropriate name for the token.
  4. Select Admin from the Role dropdown.
     Warning: Make sure your user role and personal access token have admin privileges, otherwise your SCIM provisioning tasks will fail.
  5. Click Generate and save the token securely. It will not be visible again once you close this window.

Configuration steps

  1. Log in to Okta as an administrator.
  2. In the sidebar, go to Applications > Applications and select your SSO app configured with SAML 2.0.
     Warning: Make sure that the Application username format in your app is set to Email. Refer to the SSO setup instructions guide for more information.
  3. In the app settings, go to the Provisioning tab and click Configure API Integration.
  4. Check the Enable API Integration setting.
  5. In the API Token field, enter the personal access token you generated above.
  6. Click Save to finish the configuration.

Known issues

RudderStack does not support the following SCIM features currently:

  • Import users
  • Import groups
  • Push groups (coming soon)
  • Remove users
  • Sync password
  • Enhanced group push

Warning: RudderStack does not support removing users. This is because it uses SCIM with SAML, where removing a user from Okta implies that they also lose the ability to authenticate to RudderStack completely (logins via passwords, Google, etc. are completely blocked).

Instead, RudderStack supports deactivating the user which means they only lose access to the organization.

