Setting up SCIM with Okta

SCIM requests are sent from a workforce IdP to Stytch, so the first step is to create a test instance with a popular workforce IdP like Okta.

1. Enable SCIM provisioning for app

If you already have an existing SAML application in Okta, you can enable SCIM provisioning for this application by navigating to the General tab of the application and checking “Enable SCIM Provisioning” under the app settings.

Enable SCIM for an existing Okta SAML App

Save this change.

2. Create SCIM Connection in Stytch

Create a SCIM Connection in Stytch (using the dashboard or the Create SCIM Connection API) with okta as the IdP.

Create SCIM Connection in Stytch Dashboard

Click save and you'll create a SCIM Connection with a Base URL and Bearer Token.

Stytch Okta SCIM Connection Credentials

Leave this tab open and navigate back to Okta to input the returned credentials.

3. Configure Okta SCIM settings

Navigate to the new “Provisioning” tab in the application view of Okta. Edit the SCIM Connection settings and change the Authentication mode to HTTP Header. Copy the Stytch SCIM Connection Base URL into the “SCIM connector base URL” field and copy the returned Bearer Token into the HTTP Header Authorization Bearer Token field.

Set the Unique identifier to userName and select all Push provisioning actions.

Your connection settings should look as follows:

Expected SCIM Configuration for existing SAML App

Save.
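To make the settings from step 3 concrete, the sketch below builds (without sending) the two standard SCIM 2.0 requests (RFC 7644) that an IdP issues when userName is the unique identifier: a filtered lookup, then a create. It is an added example, not code from Stytch or Okta; the base URL, token and user are constructed placeholders, and the `/Users` path and payload shape are assumed from the SCIM standard rather than taken from this page.

```python
import json
import urllib.request
from urllib.parse import urlencode, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def _request(base_url, token, method, path, query=None, body=None):
    """Build (not send) a SCIM request authenticated the 'HTTP Header' way."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must be https: the bearer token travels in a header")
    if not token or token != token.strip():
        raise ValueError("bearer token is empty or has stray whitespace from copy/paste")
    url = base_url.rstrip("/") + path
    if query:
        url += "?" + urlencode(query)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def lookup_by_username(base_url, token, user_name):
    # Filter string values follow JSON escaping rules (RFC 7644, section 3.4.2.2).
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    return _request(base_url, token, "GET", "/Users",
                    query={"filter": f'userName eq "{escaped}"'})

def create_user(base_url, token, user_name, given, family):
    # Assumption for this example: userName is the user's email address.
    body = {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": user_name, "primary": True}], "active": True}
    return _request(base_url, token, "POST", "/Users", body=body)

if __name__ == "__main__":
    BASE = "https://scim.example.invalid/connection-placeholder"  # constructed
    TOKEN = "constructed-placeholder-token"                       # constructed
    for req in (lookup_by_username(BASE, TOKEN, "ada@example.com"),
                create_user(BASE, TOKEN, "ada@example.com", "Ada", "Lovelace")):
        print(req.get_method(), req.full_url)  # the token is deliberately not printed
```

The two guard clauses reject a non-HTTPS base URL and a token that picked up whitespace when it was pasted.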

4. Provision users

Once saved, you can test the SCIM integration by assigning people to or removing them from the application and seeing these changes propagate to your Stytch Member records. You can also configure webhooks to receive notifications in your system when changes occur.

5. (Optional) Configure webhooks

To notify your own system of changes that occur via SCIM, you can configure webhooks.