# IdP Configuration - Okta

SingleStore SCIM supports Okta with the SCIM 2.0 protocol and Okta custom application integrations. This applies only to **Custom applications**, not Okta Integration Network (OIN) applications. Refer to [Create custom app integrations](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard.htm) for more information on creating custom applications.

## Prerequisites

* RBAC authorization for the Organization Team feature.
* RBAC user sync for the Engine RBAC at SingleStore database level.

## Configure SCIM Provisioning

1. On the Okta Portal, select **General** tab.

2. Navigate to **App Settings** and select **Edit**.

3. Select **Provisioning > SCIM > Save**.

4. In the **Provisioning** tab, select **Settings > Integration > Edit**.

5. Enter the endpoint URL from SingleStore SCIM configuration in **SCIM connector base URL**.

6. Enter **userName** in **Unique identifier field for users**.

7. Select the following in **Supported provisioning actions**:

   1. **Push New Users**

   2. **Push Profile Updates**

   3. **Push Groups**

8. Select **HTTP Header** in **Authentication Mode**.

9. Enter the secret token from SingleStore SCIM configuration in **Authorization**.

10. Select **Test Connector Configuration**. Okta displays the test results.

    ![Displays the Test connector configuration results in Okta.](https://images.contentstack.io/v3/assets/bltac01ee6daa3a1e14/blt21753e7810b69a40/6a3330291599186788901c48/oktatestresults-So7ACf.png)

11. Navigate to **Provisioning > To App**.

12. Select **Edit** to enable the following:

    1. **Create Users**

    2. **Update User Attributes**

    3. **Deactivate Users**

## Remarks

* Unlinking a group without deleting it in the target application generates an error when pushing a group with the same name.
* Okta separates provisioning into two categories:

  * **Assignments** for user information.
  * **Push Groups** for group information.

  To sync groups and memberships, add the group in **Push Groups** after assigning it in **Assignments**
* When changing the SCIM endpoint in the same Okta app integration, SingleStore does not recommend deleting groups in the target application before removing them from **Push Groups**. Otherwise, Okta throws an error for updates to the SCIM endpoint instead of creating groups in the new (empty) SCIM endpoint..
* If the SCIM endpoint is changed, reset or refresh the SCIM configuration in Okta.
* The primary email is the unique identifier in SingleStore organization, changing it triggers an update to the user matched to the new primary email in Okta.

***

Modified at: May 29, 2026

Source: [/cloud/security/portal-access/scim-user-provisioning/idp-configuration-okta/](https://docs.singlestore.com/cloud/security/portal-access/scim-user-provisioning/idp-configuration-okta/)

(An index of the documentation is available at /llms.txt)