SCIM Provisioning with OKTA
Prerequisites
To set up SCIM provisioning with OKTA, you'll need:
- A TeamRetro ENTERPRISE subscription
- The Organization Owner role in TeamRetro (to create a SCIM-scope API key)
- An Administrator role in OKTA (to configure SCIM)
- OKTA SSO set up on your TeamRetro application
Configuring SCIM
Step 0 - Set up OKTA Single Sign On (SSO) with TeamRetro
See our OKTA SSO configuration guide
Step 1 - Get your TeamRetro SCIM API key
- In TeamRetro, browse to [ORGANIZATION] > SETTINGS > SINGLE SIGN ON (SSO)
- Click CREATE API KEY
- Toggle SCIM to enabled (you may also wish to disable Read and Write API access)
- Click CREATE
- Copy the unique SCIM API key to use later in OKTA
- Click SAVE CHANGES
Step 2 - Enable SCIM Provisioning in OKTA
- In OKTA, navigate to the Applications > Applications page
- Click on the TeamRetro application you created earlier for SSO
- Navigate to the General Tab
- Click Edit under App Settings
- Check Enable SCIM provisioning
- Click Save
Step 3 - Configure SCIM Provisioning in OKTA
- Navigate to the Provisioning > Integration Tab
- Click Edit under SCIM Connection
- Update the fields:
  - SCIM connector base URL:
    - For US hosting: https://scim.teamretro.com
    - For EU hosting: https://scim.eu.teamretro.com
  - Unique identifier field for users: userName
  - Supported provisioning actions: Select
    - Push New Users
    - Push Profile Updates
    - Push Groups
  - Authentication Mode: HTTP Header
  - Authorization: <Your SCIM API Key created earlier>
- Click Save
- Under the Provisioning > To App tab
- Click Edit under Provisioning to App
- Enable:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Click Save
- Under the Assignments tab, ensure the app is assigned to all the users who require access to TeamRetro
Note: OKTA will not deactivate existing users who were added directly in TeamRetro unless those users are first provisioned by OKTA.
How to Provision a Team via OKTA
In OKTA, under the TeamRetro Assignments tab, you can manage the OKTA users and groups that will be provisioned in TeamRetro.
Note: Users and groups not assigned to the application will not be provisioned in TeamRetro.
Note: If the groups created in OKTA don't appear in TeamRetro after a few minutes, go to the Push Groups tab and manually push the groups that you want.