
Configure System for Cross-domain Identity Management (SCIM) with Okta

How to set up Stack Overflow for Teams Enterprise for Okta SCIM 2.0 provisioning.

Written by Ryan Lindeman
Updated today

Tags | Provisioning | Okta | SCIM |

Applies to: Enterprise

ADMIN PRIVILEGES REQUIRED

This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.


Overview

System for Cross-domain Identity Management (SCIM) is an open standard (RFC 7643 and RFC 7644) that defines a REST API for securely exchanging user identity information between systems. In Stack Overflow for Teams Enterprise (SOE), SCIM 2.0 support lets an Identity Provider (IdP) automatically update a user's activation status and/or role in Stack Overflow. Unlike SAML 2.0, which passes user information to SOE only when the user logs in, SCIM pushes updates from the IdP whenever they occur. SOE therefore learns about status and role changes in near-real time; for example, a user deactivated at the IdP is deactivated in SOE without waiting for a login attempt.


This article covers integrating Okta and your SOE site with SCIM. For a better understanding of using SCIM with SOE, read our SCIM 2.0 support article.

SOE supports the following features with Okta:

  • Create users

  • Update user attributes

  • Deactivate users

  • Import users

  • Import groups

When setting up SCIM in Okta, you'll configure your SOE site and Okta in a back-and-forth process. We recommend having a browser tab open to each site.

NOTE: Setting up SCIM is a continuation of the Okta SAML SSO configuration process. If you haven't yet configured SSO in Okta, start with the Configure Single Sign-on (SSO) with Okta article.

Configure SCIM in SOE

  1. As an SOE admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.

  2. Configure the following settings:

    • SCIM Set to On to enable SCIM.

    • SCIM authorization bearer token Create a token (password) you'll later enter into the SCIM configuration in Okta. You can enter any string of characters, but treat it as a shared secret and follow best practices for strong passwords (a long, randomly generated value). Anyone who holds this token can create, update, and deactivate users through the SCIM API, so store it in a password manager or secrets store rather than in a ticket or chat message. SOE hides the value by default. Click Show password to view and copy the value.

    • Allow Moderator Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and moderator roles.

    • Allow Admin Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and admin roles.

  3. Click Save settings.
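The bearer token above is the only credential that authorizes Okta's SCIM calls, so it pays to generate it well and to understand how a SCIM 2.0 service provider checks it. The following Python is an added illustration, not SOE's or Okta's code: new_scim_token mints a value suitable for pasting into the SOE setting, and bearer_token_ok shows a timing-safe check of the standard "Authorization: Bearer <token>" header that Okta sends when an integration is configured with an OAuth Bearer Token (RFC 6750). The function names, and any parsing rule beyond what RFC 6750 specifies, are assumptions made for the example.

```python
# Added example (not SOE or Okta code): mint the SCIM bearer token and verify
# it the way a SCIM 2.0 service provider should.
import hmac
import secrets
from typing import Optional


def new_scim_token(nbytes: int = 32) -> str:
    """Generate a random, URL-safe token to paste into both SOE and Okta.

    32 random bytes give 256 bits of entropy; token_urlsafe encodes them as
    43 printable characters. The value is a shared secret: keep it in a
    secrets store, never in a ticket or wiki page.
    """
    return secrets.token_urlsafe(nbytes)


def bearer_token_ok(authorization_header: Optional[str], expected: str) -> bool:
    """Return True only if the header is exactly 'Bearer <expected>'.

    - The scheme name is matched case-insensitively, as RFC 6750 allows.
    - The token itself is compared exactly.
    - hmac.compare_digest runs in constant time, so an attacker cannot learn
      how many leading characters matched by measuring response latency.
    """
    if not authorization_header:
        return False  # missing header: reject, never fall back to anonymous
    parts = authorization_header.split(None, 1)  # scheme, then the credential
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return False  # wrong scheme (e.g. Basic) or no credential at all
    presented = parts[1].strip()
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    token = new_scim_token()
    print("paste into SOE and Okta:", token)
    # Constructed header, as Okta would send it for this integration.
    print("valid header accepted:", bearer_token_ok(f"Bearer {token}", token))
    print("Basic scheme rejected:", bearer_token_ok(f"Basic {token}", token))
```

Okta's Test API Credentials button exercises exactly this path: it sends the configured token as a Bearer credential and reports "verified" only if the service provider accepts it.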

Configure SCIM in Okta

There are two ways to configure SCIM for your SOE site with Okta. We recommend the app integration method below unless you can't (or choose not to) access the Okta App Integration Catalog. If you aren't using the Okta app integration, skip down to the "ALTERNATE MANUAL CONFIGURATION METHOD" section.

OKTA APP INTEGRATION METHOD

Return to the Stack Overflow Enterprise application you configured in the Configure Single Sign-on (SSO) with Okta article.

  1. Select the "Provisioning" tab, and click Configure API Integration.

  2. Check Enable API Integration.

  3. Set the following parameters.

    • SCIM 2.0 Base Url Set to https://[your_site].stackenterprise.co/api/scim/v2.

    • OAuth Bearer Token Enter the SCIM authorization bearer token you created on your SOE SCIM settings page.

  4. Click Test API Credentials. You should get a "verified" message.

  5. Click Save.

  6. Click the "Provisioning" tab, then To App in the left-hand menu.

  7. Click the "Provisioning to App" Edit link.

  8. Click the checkboxes to enable Create Users, Update User Attributes, and Deactivate Users.

  9. Click Save.

When you deactivate or reactivate users assigned to this Okta SCIM app, the SCIM process will change their status on your SOE site as well.

ALTERNATE MANUAL CONFIGURATION METHOD

NOTE: The following steps create a new Okta SCIM application that remains separate from your Okta SSO application. Use this process if you can't (or choose not to) access the Okta App Integration Catalog. Even if you already have an Okta SSO application configured, you'll need to create a new SCIM application for this method; this keeps your SSO and SCIM integrations separate.

Create a new SCIM application in Okta

  1. From the Applications page in Okta, click Browse App Catalog. This takes you to the application directory.

  2. Search for SCIM 2.0 Test App (OAuth Bearer Token).

  3. Click Add to begin the setup.

  4. Select the "General Settings" tab.

  5. Enter a descriptive name (such as "SOE SCIM") in the Application label field. You can leave other settings at their defaults, or change them depending upon your requirements.

  6. Click Next.

  7. Select the "Sign-On Options" tab.

  8. Make sure Application username format matches the User Identifier Assertion configured at https://[your_site].stackenterprise.co/enterprise/auth-settings. SOE identifies users by this value, so the SCIM and SAML identifiers for a given user must be the same.

  9. Click Done.

  10. Select the "Provisioning" tab.

  11. Click Configure API Integration.

  12. Check Enable API Integration and set the following parameters:

    • SCIM 2.0 Base Url Set to https://[your_site].stackenterprise.co/api/scim/v2.

    • OAuth Bearer Token Enter the SCIM authorization bearer token you created on your SOE SCIM settings screen.

  13. Click Test API Credentials. You should get a "verified" message.

  14. Click Save.

  15. Click the "Provisioning" tab, then To App in the left-hand menu.

  16. Click Edit.

  17. Click the checkboxes to enable Create Users, Update User Attributes, and Deactivate Users.

  18. Click Save.

When you deactivate or reactivate users assigned to this Okta SCIM app, the SCIM process will change their status on your SOE site as well.

Assign users to the SCIM application

  1. In the SCIM 2.0 application in Okta, click the "Assignments" tab.

  2. Assign your users (and/or groups) with the Assign button.

BOTH METHODS: Configure administrator/moderator promotion and demotion (optional)

You can use SCIM to promote/demote users between administrator, moderator, and regular user roles. This requires defining a user type field in Okta and enabling user promotion on the SCIM integration settings page in SOE.

If you enable promotion, SOE will use the SCIM payload's stackUserType field to promote or demote users between admin, moderator, and regular user roles.

NOTE: SOE site administrators have moderator privileges, but moderators do not have admin privileges.

To configure SCIM user promotion/demotion, follow these steps.

  1. In SOE, check the Allow Moderator Promotion via a userType property and/or Allow Admin Promotion via a userType property checkboxes on the SCIM settings page.

  2. Click Save settings.

  3. Return to the Okta admin interface. Click Profile Editor in the left-hand menu's "Directory" section.

  4. Click the Stack Overflow Enterprise application, then Add Attribute.

  5. Create a new stackUserType attribute for the Stack Overflow Enterprise app (Okta appuser attribute, learn more here). The values SOE will accept for stackUserType are Admin, Moderator, and Registered. SOE will change user roles based on these values.

  6. Return to the profile editor and repeat steps 3-5, this time for User (default) instead of the Stack Overflow Enterprise app (Okta user attribute; learn more here).

  7. Click Profile Editor in the left-hand menu's "Directory" section, and click on Stack Overflow Enterprise application, then click Mappings.

  8. Select Okta User to Stack Overflow Enterprise at the top of the screen.

  9. Scroll down to locate the new stackUserType field. Map user.stackUserType in the "user" column to stackUserType in the "appuser" column.

  10. Click Save Mappings.
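To make the interaction between the stackUserType values, the two SOE checkboxes, and Okta deactivation concrete, here is an added Python model of the server-side decision. It is not SOE's implementation. The page documents the accepted values (Admin, Moderator, Registered), that admins hold moderator privileges, and that each checkbox gates promotion/demotion between regular users and one elevated role. How SOE treats a transition whose checkbox is off, how it handles a Moderator-to-Admin change, and where Okta places stackUserType in the SCIM JSON are not stated on the page; the model's choices (ignore a gated transition, require both checkboxes for Moderator-to-Admin, read a top-level key from a constructed payload) are assumptions.

```python
# Added example, not SOE's code: model how one SCIM User request changes an
# SOE account's status and role under the two SCIM settings-page toggles.
from dataclasses import dataclass
from typing import Any, Dict

# Values the page says SOE accepts for stackUserType. The rank encodes that an
# admin has moderator privileges while a moderator does not have admin ones.
ROLE_RANK = {"Registered": 0, "Moderator": 1, "Admin": 2}


@dataclass
class SoeAccount:
    user_name: str
    active: bool = True
    role: str = "Registered"

    @property
    def has_moderator_privileges(self) -> bool:
        return ROLE_RANK[self.role] >= ROLE_RANK["Moderator"]

    @property
    def has_admin_privileges(self) -> bool:
        return ROLE_RANK[self.role] >= ROLE_RANK["Admin"]


def apply_scim_user(
    account: SoeAccount,
    payload: Dict[str, Any],
    *,
    allow_moderator_promotion: bool,
    allow_admin_promotion: bool,
) -> SoeAccount:
    """Apply a SCIM 2.0 User payload to an account in place and return it."""
    # 'active' is the core SCIM attribute Okta flips on deactivate/reactivate.
    if "active" in payload:
        account.active = bool(payload["active"])

    # Assumption: stackUserType arrives as a top-level key of the User resource.
    user_type = payload.get("stackUserType")
    if user_type is None:
        return account  # this request carries no role instruction
    if user_type not in ROLE_RANK:
        raise ValueError(
            f"unsupported stackUserType {user_type!r}; expected Admin, Moderator or Registered"
        )

    current, target = account.role, user_type
    if current == target:
        return account

    # Each checkbox gates transitions that touch its elevated role.
    # Assumption: a gated transition is silently ignored, and Moderator<->Admin
    # needs both checkboxes because it touches both roles.
    touches_admin = "Admin" in (current, target)
    touches_moderator = "Moderator" in (current, target)
    if touches_admin and not allow_admin_promotion:
        return account
    if touches_moderator and not allow_moderator_promotion:
        return account

    account.role = target
    return account


if __name__ == "__main__":
    # Constructed sample of what Okta might send after an Okta admin sets the
    # user's stackUserType to Moderator; not a captured Okta or SOE message.
    sample = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "alice@example.com",
        "active": True,
        "stackUserType": "Moderator",
    }
    alice = SoeAccount("alice@example.com")
    apply_scim_user(sample and alice, sample, allow_moderator_promotion=True, allow_admin_promotion=False)
    print(alice)  # role is now Moderator; Admin would have been ignored with that toggle off
```

The point of the model is the asymmetry it makes visible: with only Allow Moderator Promotion checked, an Okta administrator can raise or lower moderators but cannot mint SOE admins, so the Okta attribute alone does not become a path to full site administration.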

BOTH METHODS: Update user department and job title (optional)

You can add optional user department and job title fields to your SCIM data. Adding these fields allows you to use SOE's connectivity reporting feature. Learn more in the Connectivity article.

To add user department and job title fields:

  1. In Okta, click the "Provisioning" tab of the SOE application.

  2. Click To App in the left-hand menu.

  3. Scroll down to the "Stack Overflow Enterprise Attribute Mappings" section and click Show Unmapped Attributes.

  4. Click the pencil (edit) button in the "Title" field (jobTitle in SCIM).

  5. For Attribute value, select Map from Okta Profile.

  6. In the next field, select title | string.

  7. Set the Apply on field to Create and update.

  8. Click Save.

  9. Repeat steps 4-8 above for the "Department" field, setting its value to department | string.

Limitations

  • When using user groups, Okta does not consider group membership changes to be user events. If you add or remove a user from an Okta group, Okta will not send a SCIM request to SOE. To update your SOE site after changing a group roster in Okta, click Force Sync in the Okta application's provisioning settings. This is a known limitation of Okta.

  • Manual method only Enabling automatic user management through SCIM does not disable manual user management in SOE. An admin can, for example, deactivate a user in SOE without changing that user's status in Okta, leaving Okta and SOE out of sync. To avoid confusion, standardize on a single user management workflow (Okta only, or SOE in-app only, not both).
