Currently, RudderStack supports the following provisioning features:
Push users: You can create or link a user in RudderStack when assigning the app to a user in Okta.
Update user attributes: Okta updates a user’s attributes in RudderStack when the app is assigned to them. Note that any future attribute changes made to the Okta user’s profile will automatically overwrite the corresponding attribute value in RudderStack.
Currently, you can only update the user’s display name. Updating the email is not supported.
Deactivate/reactivate users: This feature deactivates a user’s RudderStack account when it is unassigned in Okta or their Okta account is deactivated. To reactivate the account, you can reassign the app to the user in Okta.
When a user is deactivated through SCIM, RudderStack does not delete the user from its database; it only revokes their organization user role, which removes their workspace access.
Follow these steps to create a new personal access token:
Log in to the RudderStack workspace you want to enable SCIM for. Note that your role in the organization must be of the Admin type.
Go to Settings > Your Profile > Account tab and scroll down to Personal access tokens. Then, click Generate new token:
Set an appropriate name for the token.
Select Admin from the Role dropdown.
Make sure your user role and personal access token have admin privileges; otherwise, your SCIM provisioning tasks will fail.
Click Generate and save the token securely. It will not be visible again once you close this window.
Log in to Okta as an administrator.
In the sidebar, go to Applications > Applications and select your SSO app configured with SAML 2.0.
Make sure that the Application username format in your app is set to Email. Refer to the SSO setup instructions guide for more information.
In the app settings, go to the Provisioning tab and click Configure API Integration.
Check the Enable API Integration setting.
In the API Token field, enter the personal access token you generated above.
Click Save to finish the configuration.
Currently, RudderStack does not support the following SCIM features:
Push groups (will be supported in the future)
Enhanced group push
RudderStack does not support removing users. This is because it uses SCIM with SAML, where removing a user from Okta implies that they also lose the ability to authenticate to RudderStack completely (logins via passwords, Google, etc. are completely blocked). Instead, RudderStack supports deactivating the user, which means they only lose access to the workspace.