OKTA

SSO and SCIM for OKTA

The Stacksync Okta app is currently under review by Okta. Until the app is published on the Okta Marketplace, here is a guide to synchronize your Okta users automatically into Stacksync by creating the SCIM app yourself.

This setup takes ~10 minutes.

SSO is part of the Stacksync Enterprise plan. Contact us at [email protected] to set it up.

Notes:

  • This setup must be implemented by an Okta admin.

  • The SCIM integration is associated with a unique Stacksync workspace. If you have multiple workspaces (such as dev, staging, and prod), you will need to set up a SCIM app for each workspace. Each workspace has independent RBAC enforcement.

SSO (SAML) setup instructions

  1. On your Okta homepage, go to the admin section.

  2. In the Applications section, create an app integration of type SAML 2.0.

  3. Set the app name to Stacksync. You can also add the Stacksync app logo (download the file below).

  4. Configure your SAML settings with:

    1. Single sign-on URL: https://auth.stacksync.com/login/callback?connection=<sso_id_provided_by_stacksync_team_for_you>

    2. Audience URI: urn:auth0:stacksync:<sso_id_provided_by_stacksync_team_for_you>

    3. Application username: Email

    4. Update application username on: Create and update

    5. Attribute Statements:

      1. name=emails

      2. name format=Basic

      3. value=user.email

  5. You can skip the Feedback section and click Finish.

  6. Send the following details to [email protected]:

    1. Identity Provider Single Sign-On URL at the top of the SAML setup instructions page.

    2. SAML Signing Certificates for SHA2

  7. Once we have received the above information, we will activate SSO and you’re all set!

SCIM setup instructions

  1. On the General page of the SAML app you just created, enable SCIM provisioning.

  2. Go to the Stacksync Workspace Settings page at https://app.stacksync.com to find the information needed for the next steps.

    1. Find your Stacksync workspace_id at the top of the page.

    2. Generate a workspace_api_key at the bottom of the same page. Only the owner of the Stacksync workspace can create workspace API keys.

  3. Go back to your SAML app on the Provisioning page. Fill in the following parameters:

    1. Base URL: https://api.stacksync.com/v1/workspaces/<your_stacksync_workspace_id>/scim/v2/

    2. API Token: Bearer <your_stacksync_workspace_api_key>

  4. Allow your SCIM app to create, update, and deactivate users. Stacksync users never use passwords to connect to Stacksync. Therefore, the Sync Password feature should be disabled.

  5. Go to the Profile Editor and add a new attribute roles to the app. This is a standard SCIM attribute with the following fields:

    1. Data type: string array

    2. Display name: roles

    3. Variable name: roles

    4. External name: roles

    5. External namespace: urn:ietf:params:scim:schemas:core:2.0:User

    6. Description: SCIM role attribute for Stacksync app

    7. Enum: true

    8. Attribute member: viewer and editor

    9. Attribute required: true

    10. Attribute type: Group

    11. Group Priority: Use Group Priority

  6. Go to Directory/Groups and create two groups: Stacksync Editors and Stacksync Viewers. Each group will be assigned a different role in Stacksync (editor and viewer).

  7. Assign the people you want to give access to Stacksync to the Stacksync groups you just created.

  8. Go back to your application and, under Assignments, assign these two groups to the application. Make sure you select the right role for each group. You can ignore the other fields. Stacksync does not read them.

That's it! 🎉
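
A pre-flight check for the four values pasted into Okta in the SAML and SCIM steps above. This is an added example, not Stacksync's or Okta's own code: the function name and the sample ids and key are constructed, and the URL shapes are taken from this guide.

```python
import re
from urllib.parse import urlsplit, parse_qs

AUDIENCE_PREFIX = "urn:auth0:stacksync:"

def check_okta_settings(sso_url, audience_uri, scim_base_url, api_token):
    """Return a list of problems in the four values pasted into Okta."""
    problems = []
    fields = {"sso_url": sso_url, "audience_uri": audience_uri,
              "scim_base_url": scim_base_url, "api_token": api_token}
    for name, value in fields.items():
        if "<" in value or ">" in value:
            problems.append(f"{name}: placeholder from the guide not replaced")
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")

    # SAML: the SSO id in the callback URL and in the Audience URI must match.
    sso = urlsplit(sso_url)
    conn = parse_qs(sso.query).get("connection", [""])[0]
    if (sso.scheme, sso.netloc, sso.path) != ("https", "auth.stacksync.com", "/login/callback"):
        problems.append("sso_url: expected https://auth.stacksync.com/login/callback")
    if not conn:
        problems.append("sso_url: missing connection parameter")
    if not audience_uri.startswith(AUDIENCE_PREFIX):
        problems.append("audience_uri: expected prefix " + AUDIENCE_PREFIX)
    elif audience_uri[len(AUDIENCE_PREFIX):] != conn:
        problems.append("audience_uri: SSO id differs from the one in sso_url")

    # SCIM: HTTPS only (the bearer token travels in a header), workspace id in path.
    scim = urlsplit(scim_base_url)
    path_ok = re.fullmatch(r"/v1/workspaces/[^/]+/scim/v2/", scim.path)
    if (scim.scheme, scim.netloc) != ("https", "api.stacksync.com") or not path_ok:
        problems.append("scim_base_url: does not match the form given in the guide")
    if not re.fullmatch(r"Bearer \S+", api_token):
        problems.append("api_token: expected 'Bearer ' followed by the API key")
    return problems

# Constructed sample values (not real ids or keys).
GOOD = ("https://auth.stacksync.com/login/callback?connection=acme-okta",
        "urn:auth0:stacksync:acme-okta",
        "https://api.stacksync.com/v1/workspaces/ws-12345/scim/v2/",
        "Bearer constructed-key-123")

if __name__ == "__main__":
    print(check_okta_settings(*GOOD) or "all four values look consistent")
```

Run it once per workspace, since each workspace has its own SCIM app, workspace_id and API key.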
