In this article, you’ll learn how to set up SCIM provisioning with Okta.
SCIM provisioning allows you to manage all your accounts in one central location – Okta, from creation until deactivation.
To learn more about SCIM provisioning in Okta, please take a look at this Okta documentation.
In this article:
Prerequisites
To get started, you’ll need the following:
- An Okta subscription. If you don't have a subscription, you can sign up for a one-month free trial.
- A Productboard single sign-on (SSO) configured and working Productboard application from Okta’s catalog. You can follow this article.
Note: If you have SAML SSO set up with custom app integration, please switch to Productboard application from Okta’s catalog.
Features
The following provisioning features are supported:
- Push New Users
- New users created through OKTA will also be created in Productboard.
- Push Profile Updates
- Updates made to the user's profile through OKTA will be pushed to Productboard.
- Push User Deactivation
- Deactivating the user or disabling the user's access to the application through OKTA will deactivate the user in Productboard.
- Reactivate Users
- User accounts can be reactivated in the application.
- Import Users.
- Users created in Productboard can be imported into Okta and either matched against existing Okta users or created as new Okta users.
Configuring SCIM provisioning
- Go to
https://<your_workspace>.productboard.com/
- Click on Profile menu, click on Settings, and navigate to SSO and SCIM settings.
- Toggle on SCIM Provisioning
- Go to your Okta, and in your Productboard custom app integration, select the Provisioning tab. Then, click Configure API Integration.
- Check Enable API provisioning.
-
Click on Authenticate with Productboard. You’ll be redirected to Productboard.
- Enter your workspace subdomain.
- Log in to Productboard with Okta.
- Authorize Okta to access SCIM API.
- Click on Save.
- On the Provisioning tab, click To App and click Edit and check Productboard’s provisioning actions: Create users, Update user attributes, and Deactivate users. Then hit Save.
- Continue with the Sign On tab, click Edit and select Email as the Application username format, and hit Save.
Provisioning your users
Users assigned before SCIM provisioning was enabled
Once you’ve enabled SCIM provisioning, all your user assignments will show an error (see the screenshot below). Click on Provision User and those errors will disappear. It schedules a job that links Okta users with members in Productboard. If there’s no such member in Productboard it creates a new member.
In Productboard, the existing users are now SCIM provisioned and won’t be editable. For example, the last user in the screenshot below isn’t SCIM provisioned and is still editable.
Note: The Role in Okta and in Productboard does not match. At this point, every user in Okta seemingly has the admin role assigned. It’s not actually assigned to them though, it’s just the first option you can choose. admin was the first option you filled in during the configuration of the Role field.
Once you choose the option and click Save it gets actually set and updated in Productboard. To learn more about how to handle Productboard roles in Okta, read this article.
Provisioning new users
- In your Productboard application in Okta, assign a new user.
- Select the Role attribute that we defined in step 20 above.
You should see the new user right away in Productboard. You can play around and test that everything is working.
Reactivating old users
- In Okta, go to your Productboard custom app integration.
- Go to the Assignments tab.
- Find the member you wish to reactivate and change their access type to "active: true".
- Return to Productboard and check the Members page from the Main menu TO make sure the user is listed as reactivated.
Comments
Article is closed for comments.