IdP Configuration - Okta

SingleStore SCIM supports Okta with the SCIM 2.0 protocol and Okta custom application integrations. This applies only to Custom applications, not Okta Integration Network (OIN) applications. Refer to Create custom app integrations for more information on creating custom applications.

Prerequisites

  • RBAC authorization for the Organization Team feature.

  • RBAC user sync for the Engine RBAC at SingleStore database level.

Configure SCIM Provisioning

  1. On the Okta Portal, select the General tab.

  2. Navigate to App Settings and select Edit.

  3. Select Provisioning > SCIM > Save.

  4. In the Provisioning tab, select Settings > Integration > Edit.

  5. Enter the endpoint URL from SingleStore SCIM configuration in SCIM connector base URL.

  6. Enter userName in the Unique identifier field for users.

  7. Select the following in Supported provisioning actions:

    1. Push New Users

    2. Push Profile Updates

    3. Push Groups

  8. Select HTTP Header in Authentication Mode.

  9. Enter the secret token from SingleStore SCIM configuration in Authorization.

  10. Select Test Connector Configuration. Okta displays the test results.

  11. Navigate to Provisioning > To App.

  12. Select Edit to enable the following:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users
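
A pre-flight check for the values entered in steps 5, 6 and 9, written as an added example (not SingleStore or Okta code). It builds, without sending, a SCIM 2.0 lookup on userName and validates a ListResponse. The base URL, token, sample response, function names and the Bearer header format are assumptions made for illustration.

```python
import json
from urllib.parse import quote, urlsplit
from urllib.request import Request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample of a SCIM 2.0 ListResponse for a userName filter.
SAMPLE_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 1,
    "Resources": [{"id": "2819c223", "userName": "alice@example.com", "active": True}],
})


def build_user_lookup(base_url, token, user_name):
    """Build (not send) a GET /Users lookup on the unique identifier userName."""
    parts = urlsplit(base_url)
    # The secret token travels in a header, so refuse anything but HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM connector base URL must be an https:// URL")
    # Pasted tokens often pick up spaces or newlines, which break the header.
    if not token or any(c.isspace() for c in token):
        raise ValueError("secret token is empty or contains whitespace")
    if '"' in user_name or "\\" in user_name:
        raise ValueError("userName would break the SCIM filter string")
    query = quote(f'userName eq "{user_name}"')
    url = base_url.rstrip("/") + "/Users?filter=" + query
    # Assumption: the token is presented as a Bearer credential.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return Request(url, headers=headers)


def matched_user_ids(body, user_name):
    """Validate a ListResponse and return ids whose userName matches."""
    doc = json.loads(body)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM 2.0 ListResponse")
    # userName is compared case-insensitively in SCIM 2.0 (RFC 7643).
    ids = [r["id"] for r in doc.get("Resources", [])
           if r.get("userName", "").lower() == user_name.lower()]
    if len(ids) > 1:
        raise ValueError("userName is not unique at the endpoint")
    return ids


if __name__ == "__main__":
    req = build_user_lookup("https://scim.example.invalid/v2", "constructed-token",
                            "alice@example.com")
    print(req.full_url)
    print(matched_user_ids(SAMPLE_RESPONSE, "alice@example.com"))
```
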

Remarks

  • Okta separates provisioning into two categories:

    • Assignments for user information.

    • Push Groups for group information.

    To sync groups and memberships, add the group in Push Groups after assigning it in Assignments.

  • When changing the SCIM endpoint in the same Okta app integration, SingleStore does not recommend deleting groups in the target application before removing them from Push Groups. Otherwise, Okta throws an error for updates to the SCIM endpoint instead of creating groups in the new (empty) SCIM endpoint.

  • If the SCIM endpoint is changed, reset or refresh the SCIM configuration in Okta.

  • The primary email is the unique identifier in the SingleStore organization. Changing it triggers an update to the user matched to the new primary email in Okta.

Last modified: December 16, 2024