SCIM with Okta - Stytch Docs

To test out SCIM, set up an Okta developer instance to use for this guide.

Configure a SCIM connection for a specific Organization

Adding SCIM to a SAML app
Standalone SCIM app

Enable SCIM provisioning for app

On the existing SSO SAML application in Okta, enable SCIM provisioning by navigating to the General tab of the application and checking “Enable SCIM Provisioning” under “App Settings”.

Enable SCIM for an existing Okta SAML App

Save this change.

Create SCIM Connection in Stytch

Create a SCIM Connection on the Organization in the Stytch Dashboard or the Create SCIM Connection endpoint. Select Okta as the IdP.

Once you click save, you’ll be provided with the base url and bearer token you’ll need for the next step.

Leave this tab open and navigate back to Okta to input the returned credentials.

Configure Okta SCIM settings

In the application view in Okta, navigate to the new “Provisioning” tab and:

Change the Authentication mode to HTTP Header
Copy the “BaseURL” from Stytch into the “SCIM connector base URL” field
Set the Unique identifier to userName
Under “Supported provisioning actions”, select all the “Push..” options
Copy the “HTTP Header Bearer Token” from Stytch into the “HTTP Header → Authorization” field

Your connection settings should look as follows:

Expected SCIM Configuration for existing SAML App

Save.

Provision users

Once saved, you can test the SCIM integration by assigning people to and removing people from the application.You should see the status of the member changing from active to deactivated.

(Optional) Configure webhooks

To notify your own system of changes that occur via SCIM, configure webhooks. See the full list of relevant webhooks here.

Create SCIM app

If you haven’t already configured a SAML application, create a standalone SCIM Application by

Navigate to Applications → Browse App Catalog
Search for “SCIM 2.0 Header Auth”
Select the “SCIM 2.0 Test App (Header Auth)”

Name your application:

Update SCIM configuration settings

On the “Sign-on Options” tab scroll to the bottom, and under “Credential Details” change the “Application username format” to “Email”.

Save the application, then navigate to the “Provisioning” tab and click “Configure API Integration”.

Create Stytch SCIM Connection

Create a SCIM Connection on the Organization in the Stytch Dashboard or the Create SCIM Connection endpoint. Select Okta as the IdP.

Input SCIM credentials into Okta

Back in the Okta admin dashboard, input the returned BaseURL and set the API Token to Bearer ${returned_bearer_token}.

You will then be able to select which actions to send via SCIM.

Provision users

Once saved, you can test the SCIM integration by assigning people to and removing people from the application.You should see the status of the member changing from active to deactivated.

(Optional) Configure webhooks

To notify your own system of changes that occur via SCIM, configure webhooks. See the full list of relevant webhooks here.

Next Steps

If you only have a few customers who require SCIM connections, you can manage them by hand in the Stytch Dashboard. However, as your enterprise customer base grows, you may want to build a UI in your application to allow admins of Organizations to self-serve creating and updating their own SCIM connections. The simplest way to add SCIM connection management to your application is to use Stytch’s pre-built Admin Portal component.

Admin Portal Guide

Read the guide on Admin Portal.

Admin Portal SDK Reference

Jump straight to the React, Next.js, or Vanilla JS SDK reference.

​Configure a SCIM connection for a specific Organization

​Next Steps

Admin Portal Guide

Admin Portal SDK Reference

Configure a SCIM connection for a specific Organization

Next Steps