SSO and SCIM for OKTA
The Stacksync OKTA app is currently under review by OKTA. Until the app is published on the OKTA marketplace, this guide shows how to synchronize your OKTA users automatically into Stacksync by creating the SCIM app yourself.
This setup takes ~10 min.
SSO is part of the Stacksync Enterprise plan. Contact us at sso@stacksync.com to have it set up.
Notes:
This setup needs to be implemented by an OKTA admin.
The SCIM integration is associated with a single Stacksync workspace. If you have multiple workspaces (such as dev, stage and prod), you will need to set up a SCIM app for each of these Stacksync workspaces. Each workspace has independent RBAC enforcement.
On your OKTA homepage, go to the admin section.
In the Applications section, create an App integration of type SAML 2.0.
Set the App name to Stacksync. You can also add the Stacksync app logo (download file below).
Configure your SAML settings with:
Single sign-on URL: https://auth.stacksync.com/login/callback?connection=<sso_id_provided_by_stacksync_team_for_you>
Audience URI: urn:auth0:stacksync:<sso_id_provided_by_stacksync_team_for_you>
Application username: Email
Update application username on: Create and update
Attribute Statements:
name=emails
name format=Basic
value=user.email
You can skip the Feedback section and click Finish.
Send the following details to us at sso@stacksync.com:
1. Identity Provider Single Sign-On URL, at the top of the SAML setup instructions page.
2. SAML Signing Certificates for SHA2
On the General page of the SAML app you just created, enable SCIM provisioning.
Go to the Stacksync Workspace Settings page at https://app.stacksync.com to find the information necessary for the next steps.
Find your Stacksync workspace_id at the top of the page.
Generate a workspace_api_key at the bottom of the same page. Only the owner of the Stacksync workspace can generate Stacksync workspace API keys.
Go back to your SAML app, on the Provisioning page. Fill in the following parameters:
Base URL: https://api.stacksync.com/v1/workspaces/<your_stacksync_workspace_id>/scim/v2/
API Token: Bearer <your_stacksync_workspace_api_key>
Allow your SCIM app to create, update and deactivate users. Stacksync users never use passwords to connect to Stacksync, so the Sync Password feature should be disabled.
Go to the Profile Editor and add a new attribute, roles, to the app. This is a standard SCIM attribute with the following fields:
Data type: string array
Display name: roles
Variable name: roles
External name: roles
External namespace: urn:ietf:params:scim:schemas:core:2.0:User
Description: SCIM role attribute for Stacksync app
Enum: true
Attribute member: viewer and editor
Attribute required: true
Attribute type: Group
Group Priority: Use Group Priority
Go to Directory/Groups and create 2 groups: Stacksync Editors and Stacksync Viewers. Each group will be assigned a different role in Stacksync (editor and viewer).
Assign the people you want to give access to Stacksync to the Stacksync groups you just created.
Go back to your application and, under Assignments, assign these 2 groups to the application. Make sure you select the right role for each group. You can ignore the other fields; Stacksync does not read them.
That's it! 🎉
Once we have received the above information, we will activate SSO and you're all set!
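A pre-flight check for the values entered in the steps above, as an added example that is not part of the Stacksync guide or product. The function name lint_okta_settings and the dictionary keys are hypothetical, the sample ids and key are constructed placeholders, and the checks only compare each value against the form written in this guide.

```python
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_ROLES = {"viewer", "editor"}  # the two enum members the guide defines

def lint_okta_settings(cfg):
    """Return a list of problems in the values typed into the OKTA app (hypothetical helper)."""
    problems = []
    for key in ("sso_url", "audience_uri", "scim_base_url", "scim_api_token"):
        if re.search(r"[<>]", cfg.get(key, "")):  # leftover <...> template marker
            problems.append(f"{key}: placeholder not replaced")
    sso = urlsplit(cfg.get("sso_url", ""))
    connection = parse_qs(sso.query).get("connection", [""])[0]
    if (sso.scheme, sso.netloc, sso.path) != ("https", "auth.stacksync.com", "/login/callback"):
        problems.append("sso_url: wrong scheme, host or path")
    if not connection:
        problems.append("sso_url: missing connection parameter")
    # The Audience URI must end with the same SSO id as the connection parameter.
    if cfg.get("audience_uri") != f"urn:auth0:stacksync:{connection}":
        problems.append("audience_uri: does not match connection in sso_url")
    scim = urlsplit(cfg.get("scim_base_url", ""))
    if (scim.scheme, scim.netloc) != ("https", "api.stacksync.com") or not re.fullmatch(
            r"/v1/workspaces/[^/]+/scim/v2/", scim.path):
        problems.append("scim_base_url: wrong scheme, host or path")
    token = cfg.get("scim_api_token", "")
    if not token.startswith("Bearer ") or not token[7:].strip():
        problems.append("scim_api_token: must be 'Bearer ' followed by the key")
    if cfg.get("sync_password", False):  # the guide says Sync Password stays off
        problems.append("sync_password: must be disabled")
    for group, role in cfg.get("group_roles", {}).items():
        if role not in ALLOWED_ROLES:
            problems.append(f"group_roles: {group} has unknown role {role!r}")
    return problems

# Constructed sample values; the ids and the key are placeholders, not real ones.
GOOD = {
    "sso_url": "https://auth.stacksync.com/login/callback?connection=example-sso-id",
    "audience_uri": "urn:auth0:stacksync:example-sso-id",
    "scim_base_url": "https://api.stacksync.com/v1/workspaces/example-ws/scim/v2/",
    "scim_api_token": "Bearer example-api-key",
    "sync_password": False,
    "group_roles": {"Stacksync Editors": "editor", "Stacksync Viewers": "viewer"},
}
# The same settings with five typical mistakes introduced.
BAD = dict(GOOD, audience_uri="urn:auth0:stacksync:other-id", sync_password=True,
           scim_base_url="http://api.stacksync.com/v1/workspaces/example-ws/scim/v2",
           scim_api_token="example-api-key", group_roles={"Stacksync Editors": "admin"})
if __name__ == "__main__":
    print(lint_okta_settings(GOOD) or "ok", lint_okta_settings(BAD), sep="\n")
```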