/
Contact usSee pricingStart building

    About B2B Saas Authentication

    Introduction
    Stytch B2B Basics
    Integration Approaches
      Full-stack overview
      Frontend (pre-built UI)
      Frontend (headless)
      Backend
    Next.js
      Routing
      Authentication
      Sessions
    Migrations
      Overview
      Reconciling data models
      Migrating user data
      Additional migration considerations
      Zero-downtime deployment
      Defining external IDs for members
      Exporting from Stytch
    Custom Domains
      Overview

    Authentication

    Single Sign On

    • Resources

        • Overview
        External SSO Connections

    • Integration Guides

        • Start here
        Backend integration guide
        Headless integration guide
        Pre-built UI integration guide
    OAuth

    • Resources

        • Overview
        Authentication flows
        Identity providers
        Google One Tap
        Provider setup

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Connected AppsBeta
      Setting up Connected Apps
      About Remote MCP Servers

    • Resources

        • Integrate with AI agents
        Integrate with a remote MCP server
    Sessions

    • Resources

        • Overview
        JWTs vs Session Tokens
        How to use Stytch JWTs
        Custom Claims

    • Integration Guides

        • Start here
        Backend integration
        Frontend integration
    Email OTP
      Overview
    Magic Links

    • Resources

        • Overview
        Email Security Scanner Protections

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Multi-Factor Authentication

    • Resources

        • Overview

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
        Pre-built UI frontend integration
    Passwords
      Overview
      Strength policies
    UI components
      Overview
      Implement the Discovery flow
      Implement the Organization flow
    DFP Protected Auth
      Overview
      Setting up DFP Protected Auth
      Handling challenges
    M2M Authentication
      Authenticate an M2M Client
      Rotate client secrets
      Import M2M Clients from Auth0

    Authorization & Provisioning

    RBAC

    • Resources

        • Overview
        Stytch Resources & Roles
        Role assignment

    • Integration Guides

        • Start here
        Backend integration
        Headless frontend integration
    SCIM

    • Resources

        • Overview
        Supported actions

    • Integration Guides

        • Using Okta
        Using Microsoft Entra
    Organizations
      Managing org settings
      JIT Provisioning

    Testing

    E2E testing
    Sandbox values
Get support on SlackVisit our developer forum

Contact us

B2B Saas Authentication

/

Guides

/

Authorization & Provisioning

/

SCIM

/

Integration Guides

/

Using Okta

Setting up SCIM with Okta

SCIM requests are sent from a workforce IdP to Stytch, so the first step is to create a test instance with a popular workforce IdP like Okta.

Adding SCIM to SAML app

1
Enable SCIM provisioning for app

If you already have an existing SAML application in Okta, you can enable SCIM provisioning for this application by navigating to the General tab of the application and checking “Enable SCIM Provisioning” under the app settings.

Enable SCIM for an existing Okta SAML App

Save this change.

2
Create SCIM Connection in Stytch

Create a SCIM Connection in Stytch (using the dashboard or the Create SCIM Connection API) with okta as the IdP.

Create SCIM Connection in Stytch Dashboard

Click save and you'll create a SCIM Connection with a Base URL and Bearer Token.

Stytch Okta SCIM Connection Credentials

Leave this tab open and navigate back to Okta to input the returned credentials.

3
Configure Okta SCIM settings

Navigate to the new “Provisioning” tab in the application view of Okta. Edit the SCIM Connection settings and change the Authentication mode to HTTP Header. Copy the Stytch SCIM Connection BaseURL into the “SCIM connector base URL” field and copy the returned HTTP Bearer Token into the HTTP Header Authorization Bearer Token field.

Set the Unique identifier to userName and select all Push provisioning actions.

Your connection settings should look as follows:

Expected SCIM Configuration for existing SAML App

Save.

4
Provision users

Once saved, you can test the SCIM integration by Assigning/Removing people from the application and seeing these changes propagate to your Stytch Member records. You can also configure Webhooks to receive notifications in your system when changes occur.

5
(Optional) Configure webhooks

To notify your own system of changes that occur via SCIM, you can configure webhooks.

Standalone SCIM app

1
Create SCIM app

If you haven’t already configured a SAML application, you can create a standalone SCIM Application by navigating to Applications → Browse App Catalog and searching for “SCIM 2.0 Header Auth” and selecting the following application.

Search App Catalog for SCIM

You will be prompted to name your application

Name your standalone SCIM app

2
Update SCIM configuration settings

On the Sign-on Options tab scroll to the bottom, and under Credential Details change the application username format to use email.

Use email for username in SCIM app

You can then save the application and navigate to the Provisioning tab and click Configure API Integration.

3
Create Stytch SCIM Connection

Create a new SCIM Connection in Stytch in the dashboard with okta as the IdP. by navigating to Organizations then clicking your desired Organization and configuring the connection in the Configure SCIM Connection section.

Create SCIM Connection in Stytch DashboardStytch Okta SCIM Connection Credentials

4
Input SCIM credentials into Okta

Back in the Okta admin dashboard, input the returned BaseURL and set the API Token to Bearer ${returned_bearer_token}.

Stand alone SCIM app credentials

You will then be able to select which actions to send via SCIM.

Enable SCIM actions to send from Okta

5
Provision users

Once saved, you can test the SCIM integration by Assigning/Removing people from the application and seeing these changes propagate to your Stytch Member records. To notify your own system of changes that occur via SCIM, you can configure webhooks.

6
(Optional) Configure webhooks

To notify your own system of changes that occur via SCIM, you can configure webhooks.

Adding SCIM to SAML app

1.

Enable SCIM provisioning for app

2.

Create SCIM Connection in Stytch

3.

Configure Okta SCIM settings

4.

Provision users

5.

(Optional) Configure webhooks

Standalone SCIM app

1.

Create SCIM app

2.

Update SCIM configuration settings

3.

Create Stytch SCIM Connection

4.

Input SCIM credentials into Okta

5.

Provision users

6.

(Optional) Configure webhooks