
Available on Basic, Business plans
Admin privileges required

From the Applications page in Okta, click Browse App Catalog. That will take you to the Application Directory, from which you can search for SCIM 2.0 TEST APP (OAuth Bearer Token).

Then click Add to begin setup.

1. Okta SCIM Setup for Stack Overflow for Teams

You can leave the default settings on General Settings and Sign-On Options initially.

Set up user deactivation and reactivation

In Stack Overflow Business, enable SCIM and generate a SCIM authorization token for your application at /c/[your_site]/admin/access/scim. Please note that this token will only be visible when you generate it. If it is lost, you will need to generate a new one and reconfigure your Okta application.

Navigate to your SCIM 2.0 application in Okta. Click the Provisioning tab, then click Configure API Integration.

  • Check Enable API Integration and set the following parameters:

  • OAuth Bearer Token: the token that you generated previously.

  • Click Test API Credentials. You should get a result similar to verified successfully!

  • Click Save to apply these settings.

On the Provisioning tab, click the newly available To App settings panel.

  • Click Edit.

  • Check Enable for both Update User Attributes and Deactivate Users.

  • Click Save.

Now, when users are deactivated or reactivated in Okta and are assigned to the appropriate SCIM 2.0 app, their status should be changed in Stack Overflow Business as well.

Assign users to the SCIM 2.0 application

  • The SCIM 2.0 application should be open in Okta. Click the Assignments tab, and add users as appropriate for your organization. This may be by individual, by groups, or a combination of the two approaches. Continue on to the next section to finish the integration and enable deactivation/reactivation.

Optional - Setting up Admin promotion and demotion

SCIM 2.0 may also be used to promote a Registered user to an Admin user or to demote an Admin user to a Registered user.

First, ensure that “Allow SCIM to manage user roles” is checked in /c/[your_site]/admin/access/scim. This is required for promotion and demotion to work.

User promotion is determined by the userType field in the SCIM 2.0 payload. This key takes the value of either Registered or Admin. If the value is Admin, the user is promoted to an Admin. The userType must be set to Registered in order to demote an Admin.

The userType field can be set in multiple ways. There are two common ways you may want to investigate:

  • On the user profile: under Directory > Users, you can edit a user and set the userType field under the Profile tab. This must be done for every Admin individually.

  • By application mapping: under Directory > Profile Editor, field mappings may be controlled for each application. Click Mappings for the SCIM 2.0 application, then select the Okta to SCIM 2.0 application label tab. The userType field may be set to any value or valid Okta expression. For example, you could grant Admin to all users in the group Stack Overflow Business Admins with the Okta expression:

isMemberOfGroupName("Stack Overflow Business Admins") ? "Admin" : "Registered"

Notes

  • When using groups, please note that group membership changes are not always considered a user event. That is, if a user is added to or removed from a group in Okta, the user might not be considered changed and no SCIM 2.0 request will be sent. After changing group permissions, please force a sync from the SCIM 2.0 application in Okta. This is a limitation of Okta.

  • Enabling SCIM 2.0 user management in Stack Overflow Business does not disable user management within Stack Overflow Business. That is, a user may be active in Okta and assigned to the Stack Overflow Business SCIM 2.0 app, and they may still be manually disabled within Stack Overflow Business. We recommend standardizing on a single workflow within your organization so that expectations are shared.
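
Both notes above mean Okta and Stack Overflow Business can disagree about a user's role or status. As an added example (not Okta or Stack Overflow code), this Python check compares the userType and active values Okta should have pushed with SCIM 2.0 User records on the other side. The record shapes, function names and sample users are constructed assumptions; the group name is the one from the expression above.

```python
# Added example, not Okta or Stack Overflow code. All sample records are constructed.
ADMIN_GROUP = "Stack Overflow Business Admins"  # group named in the expression above
SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM 2.0 core User schema

def expected_user_type(groups):
    """Mirror the userType mapping expression: admin-group members are Admin."""
    return "Admin" if ADMIN_GROUP in groups else "Registered"

def find_drift(okta_users, scim_users):
    """Return (userName, field, expected, actual) for every mismatch found."""
    scim_by_name = {u["userName"]: u for u in scim_users}
    findings = []
    for user in okta_users:
        name = user["login"]
        record = scim_by_name.pop(name, None)
        if record is None:
            findings.append((name, "record", "present", "missing"))
            continue
        want_type = expected_user_type(user["groups"])
        if record.get("userType") != want_type:
            findings.append((name, "userType", want_type, record.get("userType")))
        if record.get("active") != user["active"]:
            findings.append((name, "active", user["active"], record.get("active")))
    # Anything left is active on the SCIM side with no Okta assignment behind it.
    for name, record in scim_by_name.items():
        if record.get("active"):
            findings.append((name, "assignment", "assigned", "unassigned"))
    return findings

def scim_user(name, active, user_type):  # minimal SCIM 2.0 User resource (constructed)
    return {"schemas": [SCHEMA], "userName": name, "active": active, "userType": user_type}

# Hypothetical simplified export of what Okta holds for each assigned user.
SAMPLE_OKTA = [
    {"login": "alice@example.com", "active": True, "groups": [ADMIN_GROUP]},
    {"login": "bob@example.com", "active": True, "groups": []},  # left the admin group
    {"login": "carol@example.com", "active": False, "groups": []},  # deactivated
    {"login": "dave@example.com", "active": True, "groups": []},
]
SAMPLE_SCIM = [
    scim_user("alice@example.com", True, "Admin"),
    scim_user("bob@example.com", True, "Admin"),
    scim_user("carol@example.com", True, "Registered"),
    scim_user("erin@example.com", True, "Registered"),
]

if __name__ == "__main__":
    print(*find_drift(SAMPLE_OKTA, SAMPLE_SCIM), sep="\n")
```

A userType finding where the actual value is Admin is the case to act on first, since it means an Admin role outlived the group membership that granted it.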

