Setting Up Okta SCIM for Seamless User Updates 🔄

Here’s what this fantastic integration can do for you:

  • Create Users: When a user is created or activated in Okta, they are automatically created or reactivated in Haystack.

  • Update User Attributes: Change a job title in Okta, and the Haystack profile is automatically updated. Easy!

  • Deactivate Users: When a user is deactivated in Okta, their Haystack account is immediately deactivated, keeping your workspace secure.




Permissions & Pre-Requisites

📣 Just a heads-up: You'll need Workspace Admin and Access Control Admin permissions to configure SCIM. If you're unsure, reach out to your platform admins or our team at support@haystackteam.com.

📌 Pro-Tip: We strongly suggest configuring your Okta Single Sign-On (SSO) first. You'll use the same Okta SAML Application for both integrations!

Step 1: Configure SCIM in Haystack

First, let’s enable SCIM in Haystack and generate the token needed for the connection.

  1. Sign into your Haystack workspace, click the account dropdown in the top right, and select Admin Console.

  2. In the left-hand menu, click User Provision & Login.

  3. In the User Provision Options section, toggle on Enable SCIM based user provision.

  4. Under SCIM Auth Token, click Show Token and copy the token. Keep this saved on your clipboard—we'll use it very soon!

  5. Click Save User Provision Options.


Critical Pre-Launch Step: Check Notifications!

If your team is currently in implementation, it is extremely important to ensure that your workspace notification settings are turned OFF before you start provisioning users. Content notifications are sent to all users (even those who haven't signed in yet), and you don't want to launch prematurely!

  1. Visit the Security Settings page in your Admin Console.

  2. Toggle Email and Mobile Notifications OFF.

🆘 If you'd like help with this step, please reach out to your Haystack contact or support@haystackteam.com!


Step 2: Configure SCIM in Okta

Now, let's head to Okta to connect the application.

  1. In the Okta Admin Console, go to Applications and find your Haystack SAML application.

  2. Click Edit on the app's editing screen, and next to Provisioning, click the SCIM toggle. This adds a new Provisioning tab.

  3. Click into the Provisioning tab and edit the settings:

    • SCIM connector base URL: https://subdomain.haystack.so/api/scim/v2 (Remember to replace subdomain with your unique Haystack subdomain!)

    • Supported provisioning actions: Tick the boxes for Push New Users and Push Profile Updates.

    • Paste the token you copied from Haystack into the HTTP Header, Authorization box.

  4. Click Test Connector Configuration to ensure everything is connected properly, then click Save.


Step 3: Configure User Provisioning and Mapping

Now we tell Okta what data to sync!

  1. Return to your Haystack app's editing screen in Okta and click into the Provisioning tab, then select To App in the left-hand menu.

  2. Under the Settings section, tick the Enable boxes for the following:

    • Create Users: Enable

    • Update User Attributes: Enable

    • Deactivate Users: Enable

  3. Click Save. This will begin provisioning your assigned users to Haystack!

  4. To confirm, check the app's Assignments tab for provisioned members and error logs.


Step 4: Configure User Attribute Mapping (Highly Important!)

📣 Please read this section very carefully! The mapping names are highly important. We suggest reading these full directions once before setting up your configuration.

Configure Base Attributes

  1. Stay in the Provisioning tab and select To App.

  2. Scroll down to the Attribute Mappings section (it's a big table).

  3. Review the default attributes and click the pencil icon to change the mapping for any of them. For example, you need to ensure the Primary email attribute is correctly mapped to the right Okta field.

  4. Choose the correct field from Okta you want to sync into Haystack and click Save.

Configure Haystack-Specific Attributes

Haystack supports other key user fields (like Manager, Birthdate, and Start Date) that aren't included in the defaults. You must manually link these via the Profile Editor.

  1. Within the Provisioning tab, scroll down and click on Go to Profile Editor.

  2. Click Add attribute to create new attributes for manager, join date, etc.

  3. For the Manager Attribute:

    • Note: When mapping the manager attribute, this field must be mapped to the manager's Okta UserID (usually the email address).

    • Data type: string

    • Variable name: managerValue

    • External name: managerValue

    • External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

    • Attribute required: Do NOT select this.

    • Scope: User Personal should be selected.

  4. For the Join Date Attribute:

    • Data type: string

    • Variable name: joinDate

    • External name: joinDate

    • External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

    • Attribute required: Do NOT select this.

    • Scope: User Personal should be selected.

  5. Click Save.
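
To show what the Step 4 mappings produce on the wire, the following added example (not Haystack's or Okta's code) lints Profile Editor attribute definitions against the names given above and builds the resulting SCIM User body, including the active flag that deactivation sets to false. It assumes the standard SCIM 2.0 layout from RFC 7643, where extension attributes nest under their namespace URN; the dictionary keys, function names and sample values are constructed for illustration.

```python
import json

ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"
# Step 4 attributes: external name -> data type, as given on this page.
EXPECTED = {"managerValue": "string", "joinDate": "string"}


def lint_attributes(attrs):
    """Return a list of problems found in Profile Editor attribute definitions."""
    problems = []
    by_name = {a.get("external_name"): a for a in attrs}
    for name, dtype in EXPECTED.items():
        a = by_name.get(name)
        if a is None:
            problems.append(f"{name}: no attribute with this exact external name")
            continue
        if a.get("namespace") != ENTERPRISE_NS:
            problems.append(f"{name}: wrong external namespace")
        if a.get("data_type") != dtype:
            problems.append(f"{name}: data type must be {dtype}")
        if a.get("required"):
            problems.append(f"{name}: 'Attribute required' must be unchecked")
    return problems


def build_scim_user(email, active, extension_values):
    """Assemble a SCIM User body with extension values nested under the URN."""
    user = {
        "schemas": [CORE_NS],
        "userName": email,
        "emails": [{"value": email, "primary": True}],
        "active": active,  # False is what a deactivation pushes
    }
    ext = {k: v for k, v in extension_values.items() if v}  # skip unset optional values
    if ext:
        user["schemas"].append(ENTERPRISE_NS)
        user[ENTERPRISE_NS] = ext
    return user


# Constructed sample definitions, not taken from a real tenant.
SAMPLE_ATTRS = [
    {"external_name": "managerValue", "namespace": ENTERPRISE_NS, "data_type": "string", "required": False},
    {"external_name": "joinDate", "namespace": CORE_NS, "data_type": "string", "required": True},
]

if __name__ == "__main__":
    print(lint_attributes(SAMPLE_ATTRS))
    print(json.dumps(build_scim_user("ana@example.com", True,
          {"managerValue": "lead@example.com", "joinDate": "2024-03-01"}), indent=2))
```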

You did it! Go enjoy that beautifully automated user data. 💽

