Setting up SCIM provisioning with Okta

V12 4:24 Ent.svg

 

In this article, you’ll learn how to set up SCIM provisioning with Okta.

SCIM provisioning allows you to manage all your accounts in one central location – Okta, from creation until deactivation.

To learn more about SCIM provisioning in Okta, please take a look at this Okta documentation.

In this article:

Relevant to both new and legacy boards

Prerequisites

To get started, you’ll need the following:

Note: If you have SAML SSO set up with custom app integration, please switch to Productboard application from Okta’s catalog.

Features

The following provisioning features are supported:

  • Push New Users
    • New users created through OKTA will also be created in Productboard.
  • Push Profile Updates
    • Updates made to the user's profile through OKTA will be pushed to Productboard.
  • Push User Deactivation
    • Deactivating the user or disabling the user's access to the application through OKTA will deactivate the user in Productboard.
  • Reactivate Users
    • User accounts can be reactivated in the application.
  • Import Users.
    • Users created in Productboard can be imported into Okta and either matched against existing Okta users or created as new Okta users.

Configuring SCIM provisioning

  1. Go to
    https://<your_workspace>.productboard.com/
  2. Click on Profile menu, click on Settings, and navigate to SSO and SCIM settings.
  3. Toggle on SCIM Provisioning
    Screenshot_2022-12-20_at_18.49.44__1_.png
  4. Go to your Okta, and in your Productboard custom app integration, select the Provisioning tab. Then, click Configure API Integration.
    Untitled (94).png
  5. Check Enable API provisioning.
    Untitled (95).png
  6. Click on Authenticate with Productboard. You’ll be redirected to Productboard.
    Untitled (96).png

  7. Enter your workspace subdomain.
    Untitled (97).png
  8. Log in to Productboard with Okta.
    Untitled (98).png
  9. Authorize Okta to access SCIM API.
    Untitled (99).png
  10. Click on Save.
    Untitled (100).png
  11. On the Provisioning tab, click To App and click Edit and check Productboard’s provisioning actions: Create users, Update user attributes, and Deactivate users. Then hit Save.
    Untitled - 2023-04-19T144241.417.png
  12. Continue with the Sign On tab, click Edit and select Email as the Application username format, and hit Save.
    Untitled - 2023-04-19T144324.453.png

Provisioning your users

Users assigned before SCIM provisioning was enabled

Once you’ve enabled SCIM provisioning, all your user assignments will show an error (see the screenshot below). Click on Provision User and those errors will disappear. It schedules a job that links Okta users with members in Productboard. If there’s no such member in Productboard it creates a new member.

Screenshot_2022-12-20_at_18.53.56.png

In Productboard, the existing users are now SCIM provisioned and won’t be editable. For example, the last user in the screenshot below isn’t SCIM provisioned and is still editable.

Screenshot_2022-12-20_at_20.18.17.png

Note: The Role in Okta and in Productboard does not match. At this point, every user in Okta seemingly has the admin role assigned. It’s not actually assigned to them though, it’s just the first option you can choose. admin was the first option you filled in during the configuration of the Role field.
Once you choose the option and click Save it gets actually set and updated in Productboard. To learn more about how to handle Productboard roles in Okta, read this article.

Screenshot_2022-12-30_at_15.57.30.png

Provisioning new users

  1. In your Productboard application in Okta, assign a new user.
  2. Select the Role attribute that we defined in step 20 above.

Screenshot_2022-12-20_at_22.25.24.png

You should see the new user right away in Productboard. You can play around and test that everything is working.

Reactivating old users

  1. In Okta, go to your Productboard custom app integration.
  2. Go to the Assignments tab.
  3. Find the member you wish to reactivate and change their access type to "active: true".
  4. Return to Productboard and check the Members page from the Main menu TO make sure the user is listed as reactivated. 

See also

Was this article helpful?
1 out of 3 found this helpful

Comments

0 comments

Article is closed for comments.

Articles in this section

See more
Our Support hours:
Monday to Friday from 9:00 am - 2:00 am CET. Monday to Friday from 0:00 am - 5:00 pm PST.
Productboard Academy
Become a Productboard expert with self-paced courses, quick tip videos, webinars and more.
Product Makers Community
Connect with product leaders, share and find product jobs, and learn how to approach similar challenges. Come join our Product Makers community.