IdP Configuration - Okta

Prerequisites

• RBAC authorization for the Organization Team feature.

• RBAC user sync for the Engine RBAC at SingleStore database level.

Configure SCIM Provisioning

1. On the Okta Portal, select General tab.

2. Navigate to App Settings and select Edit.

3. Select Provisioning > SCIM > Save.

4. In the Provisioning tab, select Settings > Integration > Edit.

5. Enter the endpoint URL from SingleStore SCIM configuration in SCIM connector base URL.

6. Enter userName in Unique identifier field for users.

7. Select the following in Supported provisioning actions:

   1. Push New Users

   2. Push Profile Updates

   3. Push Groups

8. Select HTTP Header in Authentication Mode.

9. Enter the secret token from SingleStore SCIM configuration in Authorization.

10. Select Test Connector Configuration. Okta displays the test results.

    

11. Navigate to Provisioning > To App.

12. Select Edit to enable the following:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users

Remarks

• Okta separates provisioning into two categories:

  • Assignments for user information.

  • Push Groups for group information.

  To sync groups and memberships, add the group in Push Groups and assign it in Assignments

• When changing the SCIM endpoint in the same Okta app integration, SingleStore does not recommend deleting groups in the target application before removing them from Push Groups. Otherwise, Okta throws an error for updates to the SCIM endpoint instead of creating groups in the new (empty) SCIM endpoint..

• If the SCIM endpoint is changed, reset or refresh the SCIM configuration in Okta.

• The primary email is the unique identifier in SingleStore organization, changing it triggers an update to the user matched to the new primary email in Okta.