Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

SCIM through Okta

This guide walks you through configuring SCIM provisioning between Okta and StackAI. Once set up, user creation, profile updates, deactivations, and role mapping flow automatically from Okta into your StackAI organization.

Before you start

  • SAML SSO between Okta and StackAI must already be configured (this guide assumes the StackAI SAML app integration already exists in Okta).

  • You need admin access in both StackAI and your Okta org.

1

Select Okta as the identity provider in StackAI

In StackAI, open the SSO and Provisioning page (under Security in the left sidebar). Under SCIM Provisioning → Configuration, set Identity Provider to Okta.

2

Open the StackAI app in Okta and edit App Settings

In Okta, go to Applications → Applications and open the StackAI app (the SAML integration created when you set up SSO). On the General tab, click Edit next to App Settings.

3

Enable SCIM provisioning and save

In Provisioning, select SCIM, then save the changes.

4

Open the new Provisioning tab

After saving, a new Provisioning tab appears in the StackAI app. Click it.

5

Edit the SCIM Connection

In the Provisioning tab, under Settings → Integration, click Edit next to SCIM Connection.

6

Copy the SCIM Base URL from StackAI

Back in StackAI, on the SSO and Provisioning page, find Provisioning Link → SCIM Base URL and copy the URL.

7

Paste the SCIM Base URL into Okta and configure the connection

In Okta's SCIM Connection editor, fill in:

  • SCIM connector base URL — paste the URL you just copied from StackAI.

  • Unique identifier field for usersuserName

  • Supported provisioning actions — check all of:

    • Import New Users and Profile Updates

    • Push New Users

    • Push Profile Updates

    • Push Groups

    • Import Groups

  • Authentication ModeHTTP Header

8

Create a SCIM token in StackAI

Back in StackAI, under SCIM Provisioning → Bearer Tokens, click + Create Token. Give it a name (e.g. Okta Token) and optionally set an expiration date, then click Create Token.

9

Copy the bearer token

Copy the generated token. It is only shown once — store it securely.

10

Paste the token in Okta, test, and save

Back in the Okta SCIM Connection editor, paste the bearer token into the Authorization field (next to Bearer). Click Test Connector Configuration to confirm everything works, then click Save.

11

Edit "Provisioning to App" settings

Still in the Provisioning tab, switch to Settings → To App in the left rail and click Edit.

12

Enable all provisioning actions

Enable every option:

  • Create Users

  • Update User Attributes

  • Deactivate Users

  • Sync Password

Then save.

13

Add role mappings in StackAI

In StackAI, under SCIM Provisioning → Role Mappings, click + Add Mapping. For each mapping, set:

  • IdP Role Value — the role name exactly as you will write it in Okta (e.g. Admin).

  • Organization Role — the matching StackAI role (e.g. Admin).

Repeat for every role you plan to assign through Okta. The IdP Role Value must match exactly what you'll enter in Okta in step 17.

14

Add a Role attribute to the Okta profile

In Okta, go to Directory → Profile Editor, open the StackAI User profile, and click + Add Attribute.

15

Configure the Role attribute

Fill the form with these exact values so the role pushed from Okta is mapped correctly to StackAI:

Field
Value

Data type

string

Display name

Role

Variable name

stackaiRole

External name

roles.^[primary==true].value

External namespace

urn:ietf:params:scim:schemas:core:2.0:User

Description

(leave blank)

Enum

(leave unchecked)

Attribute length

Between (leave min/max blank)

Attribute required

(leave unchecked)

Attribute type

Personal

Click Save.

16

Assign people to StackAI from Okta

Go back to Applications → StackAI and open the Assignments tab. Click Assign and choose Assign to People (or Assign to Groups) to grant access to members of your org.

17

Set the Role field when assigning a user

When assigning a person, scroll down to the Role field and enter the role name exactly as you mapped it in StackAI in step 13 (e.g. Admin). This is what determines the user's role in StackAI.

18

Import existing StackAI members into Okta

Open the Import tab on the StackAI app in Okta and click Import Now to pull existing StackAI users into Okta. Confirm matches as needed.

You're done

SCIM provisioning is now active. From this point on:

  • New users assigned to StackAI in Okta are created automatically in StackAI with the role you set.

  • Profile and role changes in Okta sync to StackAI.

  • Unassigning a user in Okta (or deactivating them) deactivates them in StackAI.

If something doesn't sync as expected, check View Logs / Monitor Imports at the top of the StackAI app in Okta, and the Audit Logs page in StackAI.

PreviousSystem for Cross-Domain Identity Management (SCIM)NextSCIM through Entra

Last updated

Was this helpful?