Okta SCIM Set Up for User Provisioning, User Profile Data Mapping, and Group Member Management

If your team uses Okta, configure your integration to handle provisioning, user profile data mapping, and group management.

Written by Alison Morris
Updated over a week ago

Before enabling your user provisioning, please ensure you've configured your workspace notification preferences appropriately. Provisioned users receive notifications even if they've not yet signed into their account. You can configure your workspace notification preference on your Admin Console's Security Settings Page.

Enable SCIM Provisioning in the OKTA SAML application

Configure SCIM Connection in the "Provisioning" tab

Replace "demo" in the SCIM connector base URL with your Haystack domain; click "Test Connector Configuration" to make sure it's configured correctly.

Copy the Bearer token from "User Provisions & Login" in the Haystack admin console.

Configure "To App" settings in "Provisioning" tab in the OKTA SAML application:

The “To App” tab appears after the SCIM integration configuration is saved; check “Create Users”, “Update User Attributes” and “Deactivate users” and save the “To App” settings.

Check if there are user provision errors in the "Assignments" tab

Assigned users and users in assigned groups will be provisioned in Haystack; unassigned users and users in unassigned groups will be deactivated in Haystack.

Sync manager relationship

It is critically important to sync the manager relationship to Haystack so that user profiles show the correct reporting relationship and the org chart feature works. Make sure the “ManagerValue” field is set to the OKTA user ID (usually the user email) of the user's manager in OKTA. To configure the profile mappings, click “Go to Profile Editor” in the “To App” settings under the “Provisioning” tab, then choose the profile mapping from OKTA User to the SAML app.

Sync customized profile fields

Haystack supports syncing custom fields such as "joinDate" and "photoUrl". Follow the steps below if you need to sync custom fields:

  • Check that the source field exists in OKTA user profiles. It may go by a different name at your organization.

  • Add a new custom profile field in the OKTA application for Haystack. "Provisioning" -> "To App" -> "Go to Profile Editor" -> "+ Add Attribute". Use "urn:ietf:params:scim:schemas:extension:haystack:1.0:User" as the external namespace.

  • Add a mapping from the OKTA profile source field to the added custom field.

  • Make sure it is applied on both "Create and Update".
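
A pre-flight check for the manager and custom-field mappings described above, as an added example that is not Haystack's or Okta's code. It assumes the manager arrives as `manager.value` in the standard SCIM enterprise extension (RFC 7643); `lint_scim_user` and both sample payloads are constructed for illustration.

```python
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"                        # RFC 7643
ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"  # RFC 7643
HAYSTACK_NS = "urn:ietf:params:scim:schemas:extension:haystack:1.0:User"      # from this page
CUSTOM_FIELDS = ("joinDate", "photoUrl")  # custom fields named on this page


def lint_scim_user(user: dict) -> list:
    """Return the mapping problems found in one SCIM User resource."""
    problems = []
    declared = set(user.get("schemas", []))

    # Every extension object in the body must also be listed in "schemas".
    for key, value in user.items():
        if key.startswith("urn:") and isinstance(value, dict) and key not in declared:
            problems.append(f"extension {key} present but not declared in schemas")

    # Assumption: the manager is sent as manager.value in the enterprise extension.
    manager = ((user.get(ENTERPRISE_NS) or {}).get("manager") or {}).get("value")
    if not manager:
        problems.append("manager value missing: no reporting relationship to sync")
    elif manager == user.get("userName"):
        problems.append("manager value points at the user itself")

    # Custom fields belong under the Haystack namespace, not at the top level.
    for field in CUSTOM_FIELDS:
        if field in user:
            problems.append(f"{field} is top-level; map it under {HAYSTACK_NS}")
    return problems


# Constructed sample payloads (not captured from a real tenant).
GOOD = {
    "schemas": [CORE_NS, ENTERPRISE_NS, HAYSTACK_NS],
    "userName": "dana@example.com",
    ENTERPRISE_NS: {"manager": {"value": "lee@example.com"}},
    HAYSTACK_NS: {"joinDate": "2021-03-01", "photoUrl": "https://example.com/dana.png"},
}
BAD = {
    "schemas": [CORE_NS],
    "userName": "sam@example.com",
    ENTERPRISE_NS: {"manager": {"value": ""}},
    "joinDate": "2022-07-15",
}

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_scim_user(payload) or "ok")
```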

Sync OKTA groups to Haystack

Check “Push Groups” in the “Integration” settings under the “Provisioning” tab; you may click “Test Connector Configuration” to do a quick sanity check.

Under the “Push Groups” tab, choose the groups you would like to push from OKTA to Haystack.
