Configure SCIM 2.0 with Okta

Integrate Stack Overflow for Teams with the Okta Identity Provider

Joel Bradley avatar
Written by Joel Bradley
Updated over a week ago

Tags | SCIM | Provisioning | Okta |

Admin privileges required

Applies to: Basic, Business

Enterprise users can access their documentation here. Find your plan.


SCIM is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Basic and Business, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. This article details how to integrate Stack Overflow for Teams and the Okta IdP.

Create a SCIM 2.0 application in Okta

  1. From the Applications page in Okta, click Browse App Catalog. This takes you to the application directory.

  2. Search for SCIM 2.0 Test App (OAuth Bearer Token).

  3. Click Add to begin the setup.

Okta General Settings tab

Set the Application label with a descriptive name (such as "Stack Overflow SCIM"). You can leave other settings at their defaults, or change them depending upon your requirements. Click Next.

Okta Sign-On Options tab

Make sure Application username format matches the User Identifier Assertion provided in /enterprise/auth-settings. This is how SOE properly identifies users. Click Done.

Set up user deactivation and reactivation

To access the SCIM integration page, click Admin Settings in the Stack Overflow for Teams left-hand menu, then SCIM integration under the "ACCESS MANAGEMENT" heading. Click Enable SCIM, then click Generate token.

Note that this token will only be visible when you generate it. If you lose it, you'll need to generate a new token and reconfigure your Okta application.

If you plan to use SCIM 2.0 for administrator/moderator role promotion and demotion, check Allow SCIM to manage user roles.

Navigate to your SCIM 2.0 application in Okta. Click the Provisioning tab, then click Configure API Integration.

Check (enable) Enable API Integration and set the following parameters:

Click Test API Credentials. You should get a positive (verified) result. Click Save.

On the Provisioning tab, click the newly available To App setting panel. Then:

  1. Click Edit.

  2. Click the checkbox to enable both Update User Attributes and Deactivate Users.

  3. Click Save.

When users are deactivated or reactivated in Okta and are assigned to the appropriate SCIM 2.0 app, their status should be changed in Stack Overflow Business as well.

Assign users to the SCIM 2.0 application

The SCIM 2.0 application should be open in Okta. Click the Assignments tab, and add users as appropriate for your organization. This may be by individual, by groups, or a combination of the two approaches. Continue on to the next section to finish the integration and enable deactivation/reactivation.

Set up administrator/moderator promotion and demotion (optional)

You can use SCIM 2.0 to promote/demote users between administrator, moderator, and regular user roles. This requires enabling Allow SCIM to manage user roles on the SCIM Integration settings page on Stack Overflow for Teams.

User role is determined by the userType field in the SCIM 2.0 payload. This field can have the value of "Registered", "Moderator", or "Admin".

You can set userType value in Okta in several ways, including:

  • On the individual user profile under Directory -> Users, edit the user and set the userType field under the Profile tab. You'll have to do this for every user you want to promote to moderator or administrator.

  • At Directory -> Profile Editor, you can control field mappings at the application (Stack Overflow for Teams) level. Click Attribute Mappings for the SCIM 2.0 application, then select the Okta to SCIM 2.0 application label tab. You can now assign the userType field to any value or valid Okta expression. For example, you could assign the administrator role to all users in the group "Stack Overflow for Business Admins" with this Okta ternary expression:

isMemberOfGroupName("Stack Overflow for Business Admins") ? "Admin" : "Registered"


  • Okta doesn't always initiate a SCIM 2.0 user update based on group membership changes. If you add a user to a group, for example, Okta may not automatically push that change to Stack Overflow for Teams. After changing group memberships, have the SCIM 2.0 application in Okta perform a force sync. This is a known limitation of Okta.

  • Enabling SCIM 2.0 support does not disable user management options within Stack Overflow for Teams. This means a user may have an active status in the IdP, yet be deactivated in Stack Overflow for Teams through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.

Need help? Submit an issue or question through our support portal.

Did this answer your question?