SCIM Provisioning with OKTA


Prerequisites

To set up SCIM provisioning with OKTA, you'll need:

  • A TeamRetro ENTERPRISE subscription
  • The Account Owner role in TeamRetro (to create an SCIM-scope API key)
  • An Administrator role in OKTA (to configure SCIM)

  • OKTA SSO set up on your TeamRetro application

    See our OKTA SSO configuration guide

Configuring SCIM

  1. Set up OKTA Single Sign On (SSO) with TeamRetro.

    1. See our OKTA SSO configuration guide
  2. Get your TeamRetro SCIM API key

    1. In TeamRetro, browse to SETTINGS > API & SCIM.


  3. Click CREATE API KEY.


    1. ENABLE SCIM (you may wish to disable Read and Write API access also).

  1. Click CREATE.
  2. Copy the unique SCIM API key to use later in OKTA.
  3. Click SAVE CHANGES.

Enable SCIM Provisioning in OKTA

  1. In OKTA, navigate to the Applications > Applications page.
  2. Click on the TeamRetro application you've created earlier for SSO.
  3. Navigate to the General Tab.
  4. Click Edit under App Settings.
  5. Check Enable SCIM provisioning.
  6. Click Save.

Configure SCIM Provisioning In OKTA

  1. Navigate to the Provisioning > Integration Tab.
  2. Click Edit under SCIM Connection.
  3. Update the fields:
    1. SCIM connector base URL:
      1. For US hosting: https://scim.teamretro.com
      2. For EU hosting: https://scim.eu.teamretro.com
    2. Unique identifier field for users: userName
    3. Supported provisioning actions: Select
      1. Push New Users
      2. Push Profile Updates
      3. Push Groups
    4. Authentication Mode: HTTP Header
    5. Authorization: <Your SCIM API Key created earlier>
  4. Click Save.

  1. Under the Provisioning > To App tab.
  2. Click Edit under Provisioning to App.
  3. Enable:
    1. Create Users
    2. Update User Attributes
    3. Deactivate Users
  4. Click Save.

  1. Under the Assignments tab, ensure the app is assigned to all the users that require access to TeamRetro.

    Note: OKTA will not deactivate any existing users directly added in TeamRetro, unless those users are provisioned for in/by OKTA first.

How to Provision a Team via OKTA

In OKTA, under the TeamRetro Assignments tab you can manage the users and groups in OKTA that will be provisioned for in TeamRetro.

Note: Users/Groups not assigned to the application will not be provisioned for in TeamRetro.

Note: If after a few minutes the groups created in OKTA don't show in TeamRetro, go to the Push Groups tab and manually push the groups that you want.

Still need help? Contact Us Contact Us