SCIM Provisioning with OKTA

Prerequisites

To set up SCIM provisioning with OKTA, you'll need:

  • A TeamRetro ENTERPRISE subscription
  • The Organization Owner role in TeamRetro (to create a SCIM-scope API key)
  • An Administrator role in OKTA (to configure SCIM)
  • OKTA SSO set up on your TeamRetro application
    See our OKTA SSO configuration guide

Configuring SCIM

Step 0 - Set up OKTA Single Sign On (SSO) with TeamRetro

Step 1 - Get your TeamRetro SCIM API key

  • In TeamRetro, browse to [ORGANIZATION] > SETTINGS > SINGLE SIGN ON
  • Click CREATE API KEY
  • Toggle SCIM to enabled (you may also wish to disable Read and Write API access so the key is limited to SCIM)
  • Click CREATE
  • Copy the unique SCIM API key to use later in OKTA
  • Click SAVE CHANGES

Step 2 - Enable SCIM Provisioning in OKTA

  • In OKTA, navigate to the Applications > Applications page
  • Click on the TeamRetro application you created earlier for SSO
  • Navigate to the General Tab
  • Click Edit under App Settings
  • Check Enable SCIM provisioning
  • Click Save

Step 3 - Configure SCIM Provisioning in OKTA

  • Navigate to the Provisioning > Integration Tab
  • Click Edit under SCIM Connection
  • Update the fields:
    • SCIM connector base URL:
    • Unique identifier field for users: userName
    • Supported provisioning actions: Select
      • Push New Users
      • Push Profile Updates
      • Push Groups
    • Authentication Mode: HTTP Header
    • Authorization: <Your SCIM API Key created earlier>
  • Click Save

  • Navigate to the Provisioning > To App tab
  • Click Edit under Provisioning to App
  • Enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  • Click Save

  • Under the Assignments tab, ensure the app is assigned to all the users that require access to TeamRetro
    Note: OKTA will not deactivate existing users who were added directly in TeamRetro unless those users are first provisioned by OKTA.
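
Because of the note above, accounts created directly in TeamRetro stay outside OKTA's deactivation. The following Python script is an added example (not TeamRetro or OKTA code) that reconciles an account export against the OKTA assignment list to find them. It assumes the TeamRetro accounts are available as a SCIM 2.0 ListResponse and the OKTA assignments as a list of logins; both samples and the names normalize and reconcile are constructed for illustration.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) standing in for an
# export of TeamRetro accounts. How you obtain this export is an assumption.
TEAMRETRO_EXPORT = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"userName": "Ana@example.com", "active": True},
        {"userName": "bo@example.com", "active": True},
        {"userName": "cy@example.com", "active": False},
        {"userName": "contractor@example.net", "active": True},
    ],
})

# Constructed sample: logins of users assigned to the TeamRetro app in OKTA.
OKTA_ASSIGNED = ["ana@example.com", "bo@example.com ", "dee@example.com"]


def normalize(user_name):
    # SCIM defines userName as case-insensitive (RFC 7643, caseExact=false).
    return user_name.strip().casefold()


def reconcile(scim_list_json, okta_logins):
    """Return (unmanaged, pending) as sorted lists of normalized userNames.

    unmanaged: active in TeamRetro with no OKTA assignment; per the note
               above, OKTA will not deactivate these accounts.
    pending:   assigned in OKTA but not active in TeamRetro yet.
    """
    doc = json.loads(scim_list_json)
    resources = doc.get("Resources", [])
    # Refuse a partial page: a truncated export would hide unmanaged accounts.
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("export is a partial page; fetch all pages first")
    active = {normalize(r["userName"]) for r in resources if r.get("active", True)}
    assigned = {normalize(u) for u in okta_logins if u.strip()}
    return sorted(active - assigned), sorted(assigned - active)


if __name__ == "__main__":
    unmanaged, pending = reconcile(TEAMRETRO_EXPORT, OKTA_ASSIGNED)
    print("Active in TeamRetro, not assigned in OKTA:", unmanaged)
    print("Assigned in OKTA, not active in TeamRetro:", pending)
```

Accounts reported as unmanaged need to be assigned in OKTA or reviewed and removed in TeamRetro by hand.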


How to Provision a Team via OKTA

In OKTA, use the TeamRetro application's Assignments tab to manage the users and groups that will be provisioned in TeamRetro.
Note: Users and groups not assigned to the application will not be provisioned in TeamRetro.
Note: If the groups created in OKTA don't appear in TeamRetro after a few minutes, go to the Push Groups tab and manually push the groups that you want.
