Before enabling your user provisioning, please ensure you've configured your workspace notification preferences appropriately. Provisioned users receive notifications even if they've not yet signed into their account. You can configure your workspace notification preference on your Admin Console's Security Settings Page.


Enable SCIM Provisioning in the OKTA SAML application

Configure SCIM Connection in the "Provisioning" tab

Replace "demo" in the SCIM connector base URL with your haystack domain; click "Test Connector Configuration" to make sure it's configured correctly.

Copy the Bearer token from the Haystack "User Provisions & Login" in the admin console

Configure "To App" settings in "Provisioning" tab in the OKTA SAML application:

The “To App” tab appears after the SCIM integration configuration is saved; check “Create Users”, “Update User Attributes” and “Deactivate users” and save the “To App” settings.

Check if there are user provision errors in the "Assignments" tab

Assigned users and users in the groups will be provisioned in Haystack; un-assigned users and users in groups will be deactivated in Haystack.

Sync manager relationship

It is critically important to sync the manager relationship to Haystack so that it can correctly show the reporting relationship in user profiles and to make the org chart feature work. Make sure the “ManagerValue” field is set to be using the the OKTA user ID (usually the user email) of its manager user in OKTA, you may configure the “profile mappings” by clicking on “Go to Profile Editor” in the “To App” settings under “Provisioning” tab, choose the profile mapping from OKTA User to the SAML app.

Sync OKTA groups to Haystack

Check “Push Groups” in the “Integration” settings under the “Provisioning” tab like below; you may “Test Connector Configuration” to do a quick sanity check.

Under the “Push Groups” tab, choose the groups you would like to push from OKTA to Haystack.

Did this answer your question?