Okta - Configuring SCIM User Provisioning

Learn how to configure SCIM with Okta to provision users to your Staffbase platform automatically.

Employee App
Front Door Intranet

In this article, you will learn how to set up SCIM using Okta as the identity provider.

SCIM allows you to provision users to the Staffbase platform using an identity provider. Learn more.

SCIM is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

  • The SCIM feature is activated for your organization in the Staffbase platform. If not, contact your Customer Success Manager.
  • You have access to the Okta Admin Console.
  • You need to be able to add/manage applications in Okta.
    The administrator adding an app integration must be a super admin for the Okta organisation. After the app integration is added to the Okta organisation, app admins can configure and assign the app integration to the appropriate users and groups. Read more on Standard administrator roles and permissions here.
  • You have an existing SSO/SAML configuration in Okta for the Staffbase platform. You will extend it with SCIM.
  • You have the SCIM endpoint URL for your Staffbase platform. The URL has the following format: https://<your-domain>/scim
  • You have generated an API token with administrative access via the Staffbase Studio.

Edit existing app integration

You need to extend your existing App Integration in Okta for Staffbase to add SCIM provisioning.

  1. In the Okta Dashboard or Admin Console, go to Applications > Applications.
  2. Select your existing application for the Staffbase SSO/SAML configuration by filtering the overview and clicking on the name.
  3. On the General tab, under App Settings, click Edit.
  4. For Provisioning, select SCIM, and click Save.
  5. On the Provisioning tab, click Edit.
  6. Under SCIM Connection, provide the following SCIM details:
  • SCIM connector base URL: Enter the SCIM endpoint URL for your Staffbase platform.
    For example, the URL uses the following format: https://<your-domain>/scim
  • Unique identifier field for users: Provide a unique identifier Okta field name.
    For example, email or userName.
    Okta uses the configured unique identifier to look up the existence of a user in Staffbase. The configured unique identifier is passed into the username field in Staffbase.

    The externalID or ID known in Staffbase cannot be set. This will always be the Okta ID (unique internal Okta ID, not userName or email).

    Note: If the userName (Okta) contains a value in email format (with @), Staffbase converts the @ to [at] in its userName, and the synchronization still works.
  • Supported provisioning actions: Select Push New Users and Push Profile Updates for user provisioning. Push Groups is also supported.
  • Authentication Mode: Select HTTP Header.
  • Authorization (Bearer): Enter the API token generated from the Staffbase Studio.
    To get this option, you must first select the HTTP Header option for Authentication Mode.
  7. Click Test Connector Configuration to verify the settings.

As the import functions are yet to be configured, they will appear in red.

  8. If the test was successful, a new entry, To App, appears under Settings after a short page reload.
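
The user lookup described in step 6 can be reproduced outside Okta to check the base URL and token by hand. The following is an added example, not Staffbase or Okta code; it assumes the endpoint accepts the standard SCIM 2.0 (RFC 7644) userName filter, and the environment variable names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request


def build_user_lookup(base_url, token, user_name):
    """Build (without sending) the SCIM 2.0 lookup for one user by userName."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # The bearer token carries administrative access; never send it over plain HTTP.
        raise ValueError("SCIM base URL must be an https:// URL")
    if not token or any(ch.isspace() for ch in token):
        # Whitespace or a newline pasted along with the token would corrupt the header.
        raise ValueError("API token is empty or contains whitespace")
    # RFC 7644 filter values are JSON strings, so json.dumps does the quoting safely.
    scim_filter = "userName eq " + json.dumps(user_name)
    url = base_url.rstrip("/") + "/Users?" + urllib.parse.urlencode({"filter": scim_filter})
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def user_exists(base_url, token, user_name, timeout=10):
    """Send the lookup and report whether the endpoint knows the user."""
    request = build_user_lookup(base_url, token, user_name)
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp).get("totalResults", 0) > 0


if __name__ == "__main__":
    # Hypothetical variable names; keep the token out of scripts and shell history.
    base = os.environ["STAFFBASE_SCIM_URL"]      # https://<your-domain>/scim
    secret = os.environ["STAFFBASE_SCIM_TOKEN"]  # API token from the Staffbase Studio
    print(user_exists(base, secret, os.environ.get("SCIM_TEST_USER", "jane.doe")))
```

A 401 response from this request points at the token, and a 404 at the base URL.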

Defining the mapping for user provisioning

After setting up automatic user provisioning, you need to define the mapping for the provisioning by mapping each attribute to a value. Here, the attribute is the attribute of the user in Okta, and the value is the attribute of the user that is sent from Okta to the Staffbase platform.

For an overview of default attribute mappings, see SCIM Default Attribute Mappings.
In this guide, only a minimum mapping to get you started is shown.
You can create more mappings based on your business needs.

Before you enable SCIM, take a look at the attribute mappings below. Since you have a lot of default mappings configured, we recommend removing everything except user.firstName, user.lastName, and user.email.

To add additional custom attributes, see the Custom Attributes article.

Assigning users

Since the configuration is done in the same app integration as the SSO/SAML configuration, the same assignment applies.

Provisioning users automatically

At the top of the Provisioning > To App screen, you can now enable SCIM to start provisioning:

  1. Click Edit.
  2. Enable Create Users, Update User Attributes, and Deactivate Users, and click Save.

You have automatically provisioned users assigned to the app integration.

Deprovisioning users

If an admin deprovisions a user inside Okta, the user inside your Staffbase instance is updated with active=false, thereby deactivating the user in Staffbase.

Okta doesn't send a request to delete the user.
You can either delete deactivated users manually within Staffbase Studio or utilize our User API to Delete All Deactivated User Accounts.

Learn more about deprovisioning and understand the different scenarios that trigger a deactivation.
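
Because deprovisioned users are only set to active=false and never deleted, a periodic reconciliation shows which accounts still need attention. The following is an added example, not Staffbase or Okta code; it assumes the SCIM endpoint returns a standard SCIM 2.0 ListResponse that includes externalId and active, and all sample records and Okta IDs are constructed.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample, not real accounts. externalId holds the Okta ID, as the
# page describes; userName shows the "[at]" form Staffbase stores.
SAMPLE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 4,
    "Resources": [
        {"externalId": "00uCONSTRUCTED1", "userName": "ana[at]example.com", "active": True},
        {"externalId": "00uCONSTRUCTED2", "userName": "ben[at]example.com", "active": False},
        {"externalId": "00uCONSTRUCTED3", "userName": "cy[at]example.com", "active": True},
        {"userName": "local.admin", "active": True},
    ],
})


def reconcile(list_response, assigned_ids, deprovisioned_ids):
    """Compare Staffbase-side SCIM users with Okta-side assignment state."""
    doc = json.loads(list_response)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = doc.get("Resources", [])
    if doc.get("totalResults", len(users)) > len(users):
        # An audit over one page of results would silently miss accounts.
        raise ValueError("partial result page: fetch all pages first")
    report = {"still_active": [], "awaiting_deletion": [], "unmanaged_active": []}
    for user in users:
        okta_id, name = user.get("externalId"), user.get("userName", "<no userName>")
        if not user.get("active", True):  # a missing flag is treated as active
            report["awaiting_deletion"].append(name)   # deactivated, never deleted
        elif okta_id in deprovisioned_ids:
            report["still_active"].append(name)        # deactivation did not arrive
        elif okta_id not in assigned_ids:
            report["unmanaged_active"].append(name)    # active but not driven by Okta
    return report


if __name__ == "__main__":
    print(reconcile(SAMPLE, {"00uCONSTRUCTED1"}, {"00uCONSTRUCTED2", "00uCONSTRUCTED3"}))
```

Entries under still_active are the urgent ones: the user lost access in Okta but the Staffbase account was never deactivated.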

Provisioning groups

If you did not enable Push Groups in step 6 of Edit existing app integration above, do that first.

Once Push Groups is enabled, you can add the groups you want to provision to Staffbase by navigating to the Push Groups tab.

  1. Click Push Groups > Find groups by name.
  2. Search for your group of choice, select Push group memberships immediately, and click Save.
  3. Okta will immediately begin pushing the group to Staffbase. You may briefly see the status of the push as Pushing. When it is done, it should change to Active.

In the Staffbase platform, the groups will always be a Manual Internal Group.

Additional helpful information