Before enabling your user provisioning, please ensure you've configured your workspace notification preferences appropriately. Provisioned users receive notifications even if they've not yet signed into their account. You can configure your workspace notification preference on your Admin Console's Security Settings Page.
Enable SCIM Provisioning in the OKTA SAML application
Configure SCIM Connection in the "Provisioning" tab
Replace "demo" in the SCIM connector base URL with your Haystack domain, then click "Test Connector Configuration" to make sure it's configured correctly.
Copy the Bearer token from "User Provisions & Login" in the Haystack admin console
Configure "To App" settings in "Provisioning" tab in the OKTA SAML application:
The “To App” tab appears after the SCIM integration configuration is saved; check “Create Users”, “Update User Attributes” and “Deactivate users” and save the “To App” settings.
Check for user provisioning errors in the "Assignments" tab
Assigned users and users in assigned groups will be provisioned in Haystack; un-assigned users and users in un-assigned groups will be deactivated in Haystack.
Sync manager relationship
It is critically important to sync the manager relationship to Haystack so that it can correctly show the reporting relationship in user profiles and so that the org chart feature works. Make sure the “ManagerValue” field is set to the OKTA user ID (usually the user email) of the user's manager in OKTA. To configure the profile mappings, click “Go to Profile Editor” in the “To App” settings under the “Provisioning” tab and choose the profile mapping from OKTA User to the SAML app.
Sync customized profile fields
Haystack supports syncing of custom fields like "joinDate" and "photoUrl". Follow the steps below if you need to sync custom fields:
Check that the source field exists in OKTA user profiles; it may be called by a different name at your organization.
Add a new custom profile field in the OKTA application for Haystack. "Provisioning" -> "To App" -> "Go to Profile Editor" -> "+ Add Attribute". Use "urn:ietf:params:scim:schemas:extension:haystack:1.0:User" as the external namespace.
Add a mapping from the OKTA profile source field to the custom field you added
Make sure the mapping is applied on both create and update ("Create and Update")
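The manager and custom field mappings described above can be checked against the SCIM User resource sent during provisioning. The Python lint below is an added example, not Haystack's or OKTA's code; it assumes the manager is carried as manager.value in the standard SCIM enterprise extension and that custom fields are nested under the extension namespace given above. The function name and the sample payloads are constructed for illustration.

```python
HAYSTACK_EXT = "urn:ietf:params:scim:schemas:extension:haystack:1.0:User"  # from the page
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"  # RFC 7643
CUSTOM_FIELDS = ("joinDate", "photoUrl")  # custom fields named on the page


def lint_scim_user(user, known_ids):
    """Return a list of problems found in one SCIM User resource (dict)."""
    problems = []
    schemas = user.get("schemas", [])
    name = user.get("userName")
    if not name:
        problems.append("missing userName")
    # An extension block that is not declared in "schemas" may be ignored by the receiver.
    for ext in (HAYSTACK_EXT, ENTERPRISE_EXT):
        if ext in user and ext not in schemas:
            problems.append(f"{ext} present but not listed in schemas")
    custom = user.get(HAYSTACK_EXT, {})
    for field in CUSTOM_FIELDS:
        if not custom.get(field):
            problems.append(f"custom field {field} not mapped")
    # Assumption: the manager travels as manager.value in the enterprise extension.
    manager = user.get(ENTERPRISE_EXT, {}).get("manager", {}).get("value")
    if not manager:
        problems.append("manager value not set")
    elif manager == name:
        problems.append("user is listed as their own manager")
    elif manager not in known_ids:
        problems.append(f"manager {manager} is not a provisioned user")
    return problems


# Constructed sample payloads (not captured from a real tenant).
GOOD = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT, HAYSTACK_EXT],
    "userName": "ana@example.com",
    ENTERPRISE_EXT: {"manager": {"value": "lee@example.com"}},
    HAYSTACK_EXT: {"joinDate": "2021-03-01", "photoUrl": "https://example.com/ana.png"},
}
BAD = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "sam@example.com",
    ENTERPRISE_EXT: {"manager": {"value": "sam@example.com"}},
    HAYSTACK_EXT: {"joinDate": "2022-07-15"},
}
KNOWN = {"ana@example.com", "lee@example.com", "sam@example.com"}

if __name__ == "__main__":
    for payload in (GOOD, BAD):
        print(payload["userName"], lint_scim_user(payload, KNOWN) or "ok")
```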
Sync OKTA groups to Haystack
Check “Push Groups” in the “Integration” settings under the “Provisioning” tab; you may click “Test Connector Configuration” to do a quick sanity check.
Under the “Push Groups” tab, choose the groups you would like to push from OKTA to Haystack.