Learn how to configure SCIM with Okta to provision users to your Staffbase platform automatically.
In this article, you will learn how to set up SCIM using Okta as the identity provider.
SCIM allows you to provision users to the Staffbase platform using an identity provider. Learn more.
SCIM is optional for user management. You can choose an option based on your business requirements. Learn more about other options.
- The SCIM feature is activated for your organization in the Staffbase platform. If not, contact your Customer Success Manager.
- You have access to the Okta Admin Console.
- You need to be able to add/manage applications in Okta.
The administrator adding an app integration must be a super admin for the Okta organisation. After the app integration is added to the Okta organisation, app admins can configure and assign the app integration to the appropriate users and groups. Read more on Standard administrator roles and permissions here.
- You have an existing SSO/SAML configuration in Okta in order to configure it for the Staffbase platform.
- You have the SCIM endpoint URL for your Staffbase platform. The URL has the following format:
https://<your-domain>/scim
- You have generated an API token with administrative access via the Staffbase Studio.
You need to extend your existing App Integration in Okta for Staffbase to add SCIM provisioning.
- In the Okta Dashboard or Admin Console, go to Applications > Applications.
- Select your existing application for the Staffbase SSO/SAML configuration by filtering the overview and clicking on the name.
- On the General tab, under App Settings, click Edit.
- For Provisioning, select SCIM, and click Save.
- On the Provisioning tab, click Edit.
- Under SCIM Connection, provide the following SCIM details:
- SCIM connector base URL: Enter the SCIM endpoint URL for your Staffbase platform.
For example, the URL uses the following format: https://<your-domain>/scim
- Unique identifier field for users: Provide a unique identifier Okta field name.
For example, email or userName. Okta uses the configured unique identifier to look up the existence of a user in Staffbase. The configured unique identifier is passed into the username field in Staffbase.
The externalID or ID known in Staffbase cannot be set. This will always be the Okta ID (unique internal Okta ID, not userName or email).
Note: If the userName (Okta) contains a value in an email format (with @), the userName in Staffbase will convert it to [at] and the synchronization will still work.
- Supported provisioning actions: Select Push New Users and Push Profile Updates for user provisioning. Push Groups is also supported.
- Authentication Mode: Select HTTP Header.
- Authorization (Bearer): Enter the API token generated from the Staffbase Studio.
To get this option, you must first select the HTTP Header option for Authentication Mode.
- Click Test Connector Configuration to verify the settings.
As the import functions are yet to be configured, they will appear in red.
- If the test was successful, and after a short page reload, you will see a new entry in the Settings: To App.
After creating automatic user provisioning, you need to define the mapping for the provisioning by mapping each attribute to a value. In a mapping, the attribute is the attribute of the user in Okta, and the value is the attribute of the user that is sent from Okta to the Staffbase platform.
For an overview of default attribute mappings, see SCIM Default Attribute Mappings.
In this guide, only a minimum mapping to get you started is shown.
You can create more mappings based on your business needs.
Before you enable SCIM, take a look at the attribute mappings below. Since you have a lot of default mappings configured, we recommend removing everything except user.firstName, user.lastName, and user.email.
To add additional custom attributes, see the Custom Attributes article.
Since the configuration is done in the same app integration as the SSO/SAML configuration, the same assignment applies.
At the top of the Provisioning > To App screen, you can now enable SCIM to start provisioning:
- Click Edit.
- Enable Create Users, Update User Attributes, and Deactivate Users, and click Save.
You have automatically provisioned users assigned to the app integration.
If an admin deprovisions a user inside Okta, the user inside your Staffbase instance is updated with active=false, thereby deactivating the user in Staffbase.
Okta doesn't send a request to delete the user.
You can either delete deactivated users manually within Staffbase Studio or utilize our User API to Delete All Deactivated User Accounts.
Learn more about deprovisioning and understand the different scenarios that trigger a deactivation.
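Because Okta only sets active=false and never deletes, deactivated and unassigned accounts accumulate unless someone reconciles them. The Python below is an added example, not Staffbase or Okta code: it classifies SCIM User resources against current Okta assignments. It assumes both lists were exported beforehand, that the Okta ID is exposed in the SCIM `externalId` field, and that the `@` to `[at]` conversion is a plain replacement; all sample data is constructed.

```python
# Constructed sample data: Okta app assignments and SCIM User resources.
OKTA_ASSIGNED = [
    {"id": "00u1EXAMPLE", "userName": "ada@example.com"},
    {"id": "00u2EXAMPLE", "userName": "grace@example.com"},
    {"id": "00u5EXAMPLE", "userName": "new.hire@example.com"},
]
SCIM_USERS = [
    {"externalId": "00u1EXAMPLE", "userName": "ada[at]example.com", "active": True},
    {"externalId": "00u2EXAMPLE", "userName": "g.hopper[at]example.com", "active": True},
    {"externalId": "00u3EXAMPLE", "userName": "left[at]example.com", "active": False},
    {"externalId": "00u4EXAMPLE", "userName": "stale[at]example.com", "active": True},
]


def staffbase_username(okta_username):
    """Assumed form of the '@' -> '[at]' conversion the article describes."""
    return okta_username.replace("@", "[at]")


def reconcile(okta_assigned, scim_users):
    """Classify SCIM accounts against the users currently assigned in Okta."""
    assigned = {u["id"]: u for u in okta_assigned}
    findings = {"pending_deletion": [], "orphaned_active": [],
                "username_mismatch": [], "not_provisioned": []}
    seen = set()
    for user in scim_users:
        ext_id = user.get("externalId")  # assumed to hold the internal Okta ID
        seen.add(ext_id)
        if not user.get("active", False):
            # Okta sent active=false but never a delete; the account remains.
            findings["pending_deletion"].append(user["userName"])
        elif ext_id not in assigned:
            # Still active in the platform although no longer assigned in Okta.
            findings["orphaned_active"].append(user["userName"])
        elif staffbase_username(assigned[ext_id]["userName"]) != user["userName"]:
            # Profile push may have failed; identity lookups can miss this user.
            findings["username_mismatch"].append(user["userName"])
    findings["not_provisioned"] = sorted(
        u["userName"] for oid, u in assigned.items() if oid not in seen)
    return findings


if __name__ == "__main__":
    for category, names in reconcile(OKTA_ASSIGNED, SCIM_USERS).items():
        print(f"{category}: {names}")
```

Accounts reported as orphaned_active deserve the first look, since they can still sign in without a matching Okta assignment.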
If you did not enable Push Groups in step 6 of the Edit Application above, this is the first step to start with.
Once Push Groups is enabled, you can add the groups you want to provision to Staffbase by navigating to the Push Groups tab.
- Click on Push Groups > Find groups by name.
- Search your group of choice, select Push group memberships immediately and click Save.
- Okta will immediately begin pushing the group to Staffbase. You may briefly see the status of the push as Pushing. When it is done, it should change to Active.
In the Staffbase platform, the groups will always be a Manual Internal Group.