Admin privileges required
SCIM is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Basic and Business, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. This article details how to integrate Stack Overflow for Teams and the Okta IdP.
Create a SCIM 2.0 application in Okta
From the Applications page in Okta, click Browse App Catalog. This takes you to the application directory.
Search for SCIM 2.0 Test App (OAuth Bearer Token).
Click Add to begin the setup.
Okta General Settings tab
Set the Application label with a descriptive name (such as "Stack Overflow SCIM"). You can leave other settings at their defaults, or change them depending upon your requirements. Click Next.
Okta Sign-On Options tab
Make sure Application username format matches the User Identifier Assertion provided in /enterprise/auth-settings. This is how SOE properly identifies users. Click Done.
Set up user deactivation and reactivation
To access the SCIM integration page, click Admin Settings in the Stack Overflow for Teams left-hand menu, then SCIM integration under the "ACCESS MANAGEMENT" heading. Click Enable SCIM, then click Generate token.
Note that this token will only be visible when you generate it. If you lose it, you'll need to generate a new token and reconfigure your Okta application.
If you plan to use SCIM 2.0 for administrator/moderator role promotion and demotion, check Allow SCIM to manage user roles.
Navigate to your SCIM 2.0 application in Okta. Click the Provisioning tab, then click Configure API Integration.
Check (enable) Enable API Integration and set the following parameters:
SCIM 2.0 Base Url: https://stackoverflowteams.com/c/[your_site]/auth/scim/v2
OAuth Bearer Token: The token that you generated previously in Stack Overflow for Teams.
Click Test API Credentials. You should get a positive (verified) result. Click Save.
On the Provisioning tab, click the newly available To App setting panel. Then:
Click the checkbox to enable both Update User Attributes and Deactivate Users.
When users are deactivated or reactivated in Okta and are assigned to the appropriate SCIM 2.0 app, their status should be changed in Stack Overflow Business as well.
Assign users to the SCIM 2.0 application
The SCIM 2.0 application should be open in Okta. Click the Assignments tab, and add users as appropriate for your organization. This may be by individual, by groups, or a combination of the two approaches. Continue on to the next section to finish the integration and enable deactivation/reactivation.
Set up administrator/moderator promotion and demotion (optional)
You can use SCIM 2.0 to promote/demote users between administrator, moderator, and regular user roles. This requires enabling Allow SCIM to manage user roles on the SCIM Integration settings page on Stack Overflow for Teams.
User role is determined by the userType field in the SCIM 2.0 payload. This field can have the value of "Registered", "Moderator", or "Admin".
You can set the userType value in Okta in several ways, including:
On the individual user profile under Directory -> Users, edit the user and set the userType field under the Profile tab. You'll have to do this for every user you want to promote to moderator or administrator.
At Directory -> Profile Editor, you can control field mappings at the application (Stack Overflow for Teams) level. Click Attribute Mappings for the SCIM 2.0 application, then select the Okta to SCIM 2.0 application label tab. You can now assign the userType field to any value or valid Okta expression. For example, you could assign the administrator role to all users in the group "Stack Overflow for Business Admins" with this Okta ternary expression:
isMemberOfGroupName("Stack Overflow for Business Admins") ? "Admin" : "Registered"
Okta doesn't always initiate a SCIM 2.0 user update based on group membership changes. If you add a user to a group, for example, Okta may not automatically push that change to Stack Overflow for Teams. After changing group memberships, have the SCIM 2.0 application in Okta perform a force sync. This is a known limitation of Okta.
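Because userType decides who becomes a moderator or administrator, it is worth reviewing the SCIM 2.0 User payloads your mapping produces. The following Python code is an added example, not Stack Overflow or Okta code: it checks payloads against the three documented userType values and reports promotions. The function names, the record of previously known roles, and the sample payloads are assumptions constructed for illustration.

```python
# Added example: audit SCIM 2.0 User payloads for role (userType) changes.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
RANK = {"Registered": 0, "Moderator": 1, "Admin": 2}      # values from this article


def review_user(payload, previous_type="Registered"):
    """Return findings for one SCIM User resource.

    previous_type is the role last recorded for this user (hypothetical
    parameter, assumed to come from your own records).
    """
    findings = []
    if CORE_USER not in payload.get("schemas", []):
        findings.append("not a SCIM 2.0 core User resource")
    user_type = payload.get("userType")
    if not isinstance(user_type, str) or user_type not in RANK:
        # Exact-match check: "admin" or "Administrator" are not documented values.
        findings.append(f"userType {user_type!r} is not a documented value")
        return findings
    if RANK[user_type] > RANK.get(previous_type, 0):
        findings.append(f"promotion: {previous_type} -> {user_type}")
    if payload.get("active") is False and RANK[user_type] > 0:
        findings.append(f"deactivated user still mapped to {user_type}")
    return findings


def review_batch(payloads, known_roles):
    """Map userName -> findings, skipping users with nothing to report."""
    report = {}
    for p in payloads:
        name = p.get("userName", "<no userName>")
        found = review_user(p, known_roles.get(name, "Registered"))
        if found:
            report[name] = found
    return report


# Constructed sample payloads (not captured from a real tenant).
SAMPLE = [
    {"schemas": [CORE_USER], "userName": "alice@example.com", "active": True, "userType": "Admin"},
    {"schemas": [CORE_USER], "userName": "bob@example.com", "active": True, "userType": "admin"},
    {"schemas": [CORE_USER], "userName": "carol@example.com", "active": False, "userType": "Moderator"},
    {"schemas": [CORE_USER], "userName": "dave@example.com", "active": True, "userType": "Registered"},
]
KNOWN = {"alice@example.com": "Registered", "carol@example.com": "Moderator"}

if __name__ == "__main__":
    for user, items in review_batch(SAMPLE, KNOWN).items():
        print(user, "->", "; ".join(items))
```

Each reported promotion can then be compared against the group membership that the mapping expression is supposed to reflect.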
Enabling SCIM 2.0 support does not disable user management options within Stack Overflow for Teams. This means a user may have an active status in the IdP, yet be deactivated in Stack Overflow for Teams through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.
Need help? Submit an issue or question through our support portal.