Okta SCIM Setup
This guide provides the steps required to configure provisioning with Superblocks from Okta.
Features
The following provisioning features are supported when integrating with Okta:
- Push New Users: New users created through Okta will also be created in the company’s Superblocks organization.
- Push User Deactivation: Deactivating a user through Okta will deactivate the user from the company’s Superblocks organization.
- Reactivate Users: Reactivating a user through Okta will reactivate the user in Superblocks.
- Push Profile Updates: Updates made to the user’s profile through Okta will be pushed to Superblocks.
- Import New Users: New users created in Superblocks will be downloaded and turned into new AppUser objects, for matching against existing Okta users.
- Group Push: Groups and their members can be pushed to Superblocks.
Setup Integration
Configure provisioning in Okta using instructions below based on how Superblocks SSO is set up.
Superblocks SSO uses SAML
- From the Okta admin dashboard, click Applications → Applications
- Select your company’s active Superblocks app that uses SAML
- Go to the General tab, click the Edit on the App Settings
- Change Provisioning to SCIM and click Save
- A new Provisioning tab will appear. Go to the Provisioning tab
- Next to SCIM Connection click Edit. Configure the connection as follows:
| Field | Value |
|---|---|
| SCIM connector base URL | https://app.superblocks.com/scim/v2 Note: if using Superblocks EU, use https://eu.superblocks.com/scim/v2 |
| Unique identifier field for users | |
| Supported provisioning actions | Select the actions you want to configure with SCIM |
| Authentication Mode | HTTP Header |
| HTTP Header Authorization | Access token with Org Admin privileges |
- Test the connection and click Save
- Once credentials are configured you should see two new settings To App and To Okta. Click on the To App settings
- Click Edit and configure your provisioning options
Note: Sync Password is not supported
Superblocks SSO uses OIDC or SSO isn't configured
To set up automated provisioning in Okta if you currently use OIDC for Superblocks SSO or have not configured SSO to Superblocks from Okta, configure as follows:
- From the Okta admin dashboard, click Applications → Applications
- Click Browse App Catalog
- Search SCIM and select SCIM 2.0 Test App (OAuth Bearer Token)
- On the application page click + Add Integration
- Name the SCIM integration and click Next
- Under the Sign on methods section select Secure Web Authentication
- Under Credential Details change Application username format to Email and click Done
- Once the application has been created go the the Provisioning tab
- Click Configure API Integration → Enable API Integration
- Configure the integration as follows:
| Field | Value |
|---|---|
| SCIM 2.0 Base URL | https://app.superblocks.com/scim/v2 Note: if using Superblocks EU, use https://eu.superblocks.com/scim/v2 |
| OAuth Bearer Token | Access token with Org Admin privileges |
- Test credentials and Save
- Once credentials are configured you should see two new settings To App and To Okta. Click on the To App settings
- Click Edit and configure your provisioning options.
Note: Sync Password is not supported
Import existing users
Now that SCIM is configured for provisioning, you’ll want to run a full import of existing users in your Superblocks organization to link your Okta users to their Superblocks account.
- From your Superblocks SCIM app in Okta, click on the Import tab.
- Click Import Now which will import all users from your existing Superblocks account.
- Choose how you want Okta to import each user. Options include:
- Link to EXACT Okta user match: links the Superblocks user to an existing user in Okta.
- Link to NEW Okta user: creates a new user in Okta and links the Superblocks user to the new user
- IGNORE this user for now: leave the user in Superblocks and doesn't link them to an Okta user. Superblocks users that are not linked to a user in Okta will need to be managed from Superblocks. Learn more about Managing Users
- Click Confirm Assignments to finish the import
Manage Superblocks users
Once existing Superblocks users have been imported to your Superblocks app in Okta, you’re ready to have Okta manage users in Superblocks. For more information about assigning users to SCIM Applications in Okta see:
When a user is first assigned to Superblocks using Okta, a new account will be created for them in Superblocks. Superblocks will send an invite to the primary email associated with their Okta account with instructions for how to sign-in to Superblocks.
Manage Superblocks groups
Optionally, you can set up Okta to manage Superblocks Groups and their members. If this is not configured, new users added through Okta will not be assigned to any custom groups in Superblocks. To sync an Okta group with a Superblocks group:
- From the Superblocks app in Okta, go to the Push Groups tab
- Click Push Groups → Find groups by name
- Enter the name of the Okta group you want to sync with Superblocks
- Okta will try to automatically match the Okta group to a group in Superblocks based on the name. If there is no corresponding group in Superblocks select Create Group, otherwise select Link Group and choose the Superblocks group you want to sync with.
- Click Save. This will either create a new group in Superblocks or link the group to an existing Okta group. If you choose to Push group memberships immediately, users who are members of the group in Okta will be added to the Superblocks group and receive access to any Applications, Workflows, or Scheduled Jobs associated with that Superblocks group.
Once group push is configured, when you create a new Superblocks user from Okta, or change which groups they’re in within Okta, they’ll be automatically added or removed from Superblocks groups that you’ve synced.
Note: Once group push is configured, all user membership changes should be made from Okta. Changing group membership in Superblocks can cause synchronization issues with Okta.