Okta SCIM Setup

This guide provides the steps required to configure provisioning with Superblocks from Okta.

Notes

  • If you are setting up SCIM after assigning users to a Superblocks SSO app, be sure to run a full import to link each existing assigned user to their Superblocks user.
  • If your Superblocks SSO app uses OpenID Connect, you'll need to create a separate provisioning-only app to handle SCIM. You'll assign users and groups to both of these applications. Learn more about how to Add a provisioning only app.

Features

The following provisioning features are supported when integrating with Okta:

  • Push New Users: New users created through Okta will also be created in the company’s Superblocks organization.
  • Push User Deactivation: Deactivating a user through Okta will deactivate the user from the company’s Superblocks organization.
  • Reactivate Users: Reactivating a user through Okta will reactivate the user in Superblocks.
  • Push Profile Updates: Updates made to the user’s profile through Okta will be pushed to Superblocks.
  • Import New Users: New users created in Superblocks will be downloaded and turned into new AppUser objects, for matching against existing Okta users.
  • Group Push: Groups and their members can be pushed to Superblocks.

Setup

Warning: If your SSO app uses OpenID Connect, you'll need to create a separate SCIM app. Follow the instructions to create a provisioning only app, then come back to configure SCIM.

Configure SCIM

  1. From the Okta admin console, locate your Superblocks SSO App

  2. Go to the General tab, click Edit on the App Settings

  3. Check the box Enable SCIM Provisioning and click Save

  4. Go to the newly enabled Provisioning tab

  5. Next to SCIM Connection click Edit. Configure the connection as follows:

    Field                                Value
    SCIM connector base URL              US: https://app.superblocks.com/scim/v2
                                         EU: https://eu.superblocks.com/scim/v2
    Unique identifier field for users    email
    Supported provisioning actions       Select all of the provisioning actions
    Authentication Mode                  HTTP Header
    Authorization                        Access token with Org Admin privileges

  6. Test the connection and click Save

  7. You should see two new settings To App and To Okta. Click To App

  8. Click Edit and configure your provisioning options. Note: Sync Password is not supported.

  9. Click Save

  10. Optionally, configure attribute mappings to assign user roles via SCIM

Add a provisioning only app

If your Superblocks SSO app in Okta uses OpenID Connect, you'll need to set up a separate app for SCIM. The easiest way to do this is to set up a separate Secure Web Authentication (SWA) app. Your users will not use this app to sign in to Superblocks; it is used only for provisioning and group management.

To configure an SWA app:

  1. From the Okta admin console, click Applications > Applications
  2. Click Create App Integration
  3. Select SWA - Secure Web Authentication
  4. Name the app and enter https://app.superblocks.com as the login URL
  5. Click Finish. You can now continue to configure SCIM for Superblocks

Note that users will not be able to log in through this app so you should make sure you're not showing this app to users on the Okta launch page.

Import existing users

With SCIM configured, you should run an import of existing users from your Superblocks organization to Okta so you can link your Okta users to their Superblocks account.

  1. From your Superblocks SCIM app in Okta, click on the Import tab.
  2. Click Import Now which will import all users from your existing Superblocks account.
  3. Choose how you want Okta to import each user. Options include:
    • Link to EXACT Okta user match: links the Superblocks user to an existing user in Okta.
    • Link to NEW Okta user: creates a new user in Okta and links the Superblocks user to the new user
    • IGNORE this user for now: leaves the user in Superblocks and doesn't link them to an Okta user. Superblocks users that are not linked to a user in Okta will need to be managed from Superblocks. Learn more about Managing Users
  4. Click Confirm Assignments to finish the import

Configure user attributes

Certain user attributes in Okta can be synced to your Superblocks users' profiles.

Supported user attributes

The Superblocks SCIM API currently supports the following attributes:

SCIM User Attribute    Superblocks User Attribute    Description
emails                 Global.user.email             Email identifier used to log in to Superblocks.
displayName            Global.user.name              The text shown in Superblocks when referring to the user.
name.givenName         Global.user.name              First name of the user. Concatenated with name.familyName if displayName is not provided.
name.familyName        Global.user.name              Last name of the user. Concatenated with name.givenName if displayName is not provided.
groups                 Global.user.groups            List of groups to which the user belongs.
active                 N/A                           Disables the user when set to FALSE.
role                   N/A                           The user's organization role. Defaults to null. If not set, the default role for the organization will be used.

Create custom role attribute

All of the supported attributes listed above except role are supported by default in the Okta user profile. You can manage a user's organization role via SCIM by configuring a custom attribute in Okta.

Roles can be assigned to users, or you can scale role management by assigning roles based on the Okta group a user is in. To learn more about how Okta manages syncing attributes via SCIM, read Okta's Attribute Mapping documentation.

To create a custom attribute for your Superblocks user roles:

  1. Go to your Superblocks SCIM app in Okta

  2. Click on the Provisioning tab

  3. In the To App settings, scroll down to the section labeled Superblocks Attribute Mappings

  4. Click Go to Profile Editor

  5. Click Add Attribute

  6. Fill in the attribute configuration as follows:

    Field                 Value
    Data type             string
    Display name          Superblocks Role (customizable)
    Variable name         superblocks_role (customizable)
    External name         role
    External namespace    urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
    Enum                  Checked

  7. In the Attribute members list include the following:

    Display name    Value
    Owner           owner
    Admin           admin
    Developer       developer
    End-user        end_user

    Info: The value field should correspond to the key of the organization role you want to assign. You can find the key of any of your custom roles by going to the Roles & Permissions page in Superblocks, selecting the role, and clicking Edit details.

  8. For Attribute type select either Personal or Group. To learn more about these types, see Personal vs Group attribute types

  9. Click Save

Now that you've created the custom attribute, it will show up when you assign users or groups to the Superblocks SCIM app. Import users from Superblocks to sync each user's currently assigned Superblocks role to Okta.

You can also map Okta attributes to app attributes by configuring mapping rules.
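
To check a mapping before relying on it, the following added example (not Superblocks or Okta code) reads a SCIM 2.0 User resource and reports how the attributes in the table above would resolve, including the role carried under the enterprise extension namespace. The sample payload and the helper name summarize_scim_user are constructed for illustration; joining the two name parts with a space is an assumption.

```python
import json

ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Role keys from the attribute members table; add your custom role keys here.
ALLOWED_ROLES = {"owner", "admin", "developer", "end_user"}

# Constructed sample of a SCIM 2.0 User resource (not captured traffic).
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "userName": "ada@example.com",
  "name": {"givenName": "Ada", "familyName": "Lovelace"},
  "emails": [{"value": "ada@example.com", "primary": true}],
  "active": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"role": "developer"}
}
""")


def summarize_scim_user(user):
    """Return (profile, problems) for one SCIM User resource (hypothetical helper)."""
    problems = []
    emails = user.get("emails") or []
    primary = next((e for e in emails if e.get("primary")),
                   emails[0] if emails else {})
    email = primary.get("value")
    if not email:
        problems.append("missing emails value (the unique identifier)")

    # displayName wins; otherwise givenName and familyName are concatenated.
    name = user.get("name") or {}
    parts = (name.get("givenName"), name.get("familyName"))
    display = user.get("displayName") or " ".join(p for p in parts if p)

    # The custom attribute's external name is "role" in the enterprise namespace.
    role = (user.get(ENTERPRISE_NS) or {}).get("role")
    if "role" in user:
        problems.append("role is at top level; expected under " + ENTERPRISE_NS)
    if role is not None and role not in ALLOWED_ROLES:
        problems.append("unknown role key: %r" % (role,))

    profile = {"email": email, "name": display,
               "active": user.get("active") is not False,  # only FALSE disables
               "role": role}  # None: the organization's default role applies
    return profile, problems


if __name__ == "__main__":
    print(summarize_scim_user(SAMPLE_USER))
```

A role sent as the display name (for example Admin instead of admin) or outside the extension namespace shows up in the problems list rather than silently falling back to the organization's default role.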

Personal vs Group attribute types

When assigning roles in Okta via SCIM, you'll need to choose whether to manage roles for each user individually or in groups. Here's the difference:

  • Personal: You'll decide what role to give each user when assigning them to the Superblocks SCIM app. Alternatively, you can create custom mapping rules to set the role based on other user attributes in Okta.

  • Group: You'll decide what role to associate with each Okta group assigned to the Superblocks SCIM app. You'll then prioritize your groups. When a user is added to one or more of the assigned Okta groups, the role they receive in Superblocks will be based on the group priorities.
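
With the Group type, the order of group priorities decides which role a user in several groups receives. The following added example (not part of the original guide) resolves the effective role per user and lists privileged outcomes and priority surprises for review. The group names, users, privilege ranking, and the rule that priority 1 is evaluated first are assumptions made for illustration.

```python
# Assumed privilege order (least to most) for the built-in role keys.
RANK = {"end_user": 0, "developer": 1, "admin": 2, "owner": 3}

# Constructed sample: Okta groups assigned to the SCIM app. Assumption: priority 1
# is evaluated first and the first matching group supplies the role.
ASSIGNMENTS = [
    {"group": "Contractors", "priority": 1, "role": "end_user"},
    {"group": "Platform Admins", "priority": 2, "role": "admin"},
    {"group": "Engineering", "priority": 3, "role": "developer"},
]
MEMBERSHIPS = {  # constructed users and their Okta groups
    "ada@example.com": {"Engineering", "Platform Admins"},
    "bob@example.com": {"Contractors", "Platform Admins"},
    "eve@example.com": {"Engineering"},
}


def effective_role(groups, assignments):
    """Return (role, winning_group, shadowed) for one user's set of groups."""
    matches = sorted((a for a in assignments if a["group"] in groups),
                     key=lambda a: a["priority"])
    if not matches:
        return None, None, []  # not assigned to the app through any group
    winner = matches[0]
    # Groups that would have granted more privilege but lost on priority.
    shadowed = [a["group"] for a in matches[1:]
                if RANK[a["role"]] > RANK[winner["role"]]]
    return winner["role"], winner["group"], shadowed


def review(memberships, assignments, privileged=("admin", "owner")):
    """List users who end up privileged and users whose priority order surprises."""
    findings = []
    for user in sorted(memberships):
        role, group, shadowed = effective_role(memberships[user], assignments)
        if role in privileged:
            findings.append((user, "privileged", role, group))
        if shadowed:
            findings.append((user, "shadowed", role, ", ".join(shadowed)))
    return findings


if __name__ == "__main__":
    for finding in review(MEMBERSHIPS, ASSIGNMENTS):
        print(finding)
```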

Manage groups with SCIM

Optionally, you can set up Okta to manage Superblocks Groups and their members. If this is not configured, new users added through Okta will not be assigned to any custom groups in Superblocks. To sync an Okta group with a Superblocks group:

  1. From the Superblocks app in Okta, go to the Push Groups tab
  2. Click Push Groups > Find groups by name
  3. Enter the name of the Okta group you want to sync with Superblocks
  4. Okta will try to automatically match the Okta group to a group in Superblocks based on the name. If there is no corresponding group in Superblocks, select Create Group; otherwise, select Link Group and choose the Superblocks group you want to sync with.
  5. Click Save. This will either create a new group in Superblocks or link the group to an existing Okta group. If you choose to Push group memberships immediately, users who are members of the group in Okta will be added to the Superblocks group and receive access to any Applications, Workflows, or Scheduled Jobs associated with that Superblocks group.

Once group push is configured, when you create a new Superblocks user from Okta, or change which groups they’re in within Okta, they’ll be automatically added or removed from Superblocks groups that you’ve synced.

Note: Once group push is configured, all user membership changes should be made from Okta. Changing group membership in Superblocks can cause synchronization issues with Okta.