OKTA Stacksync
SCIM setup instructions
Notes:
This setup must be performed by an Okta admin.
The SCIM integration is associated with a single Stacksync workspace. If you have multiple workspaces (such as dev, stage and prod), you will need to set up a SCIM app for each of these Stacksync workspaces. Each workspace has independent RBAC enforcement.
SSO (SAML) setup instructions
Browse the app catalog and select the Stacksync app.
Fill in the form fields:
Organization Name - Your organization name (no underscores allowed)
Workspace ID - Your workspace ID (see photo below)
Environment - You can choose to have a workspace per environment; enter your environment here.

(where to find your workspace id)

Retrieve the app embed link and SAML 2.0 metadata URL
Navigate to the "General" tab, scroll down to "App Embed Link", then copy and save the embed link

Navigate to the "Sign On" tab and copy and save the metadata URL

Now please send these two URLs to [email protected] along with your workspace ID and the organization name and environment values you used in the step above.
SCIM setup instructions
Create an API key for SCIM use
First, let's create a workspace API token. This is what enables you to activate SCIM provisioning.
Navigate to your workspace settings, scroll down to "Stacksync Workspace API Key" and create an API key for SCIM use.


Enable API integration
Now let's enable API integration in your Okta app.
Navigate to the "Provisioning" tab, paste your newly created API key and click "Test API Credentials"

You should see this badge show up

Click "Save"
The page now changes to this format. Let's edit the "To App" section.

Enable all the fields and disable "Set password when creating new users" (it should be enabled by default)

Attribute Mappings
Now let's map the necessary roles attribute to the user profile. Scroll down to "<your app name> Attribute Mappings" and click "Go to Profile Editor"

In the profile editor click "+ Add Attribute"

Add a new attribute named roles to the app. This is a standard SCIM attribute with the following fields:
Data type: string array
Display name: roles
Variable name: roles
External name: roles
External namespace: urn:ietf:params:scim:schemas:core:2.0:User
Description: SCIM role attribute for Stacksync app
Enum: true
Attribute members: viewer and editor
Attribute required: true
Attribute type: Group
Group Priority: Use Group Priority

Now let's add a mapping. Under attributes, open the "Mappings" modal.

Switch over to "Okta User to <your app name>"

Now search for the attribute "roles" in the mapping list and add the following expression:
isMemberOfGroupName("Stacksync Editors") ? {"editor"} : {"viewer"}

Add groups and assign users
Go to Directory/Groups and create 2 groups: Stacksync Editors and Stacksync Viewers. Each group will be assigned a different role in Stacksync (editor and viewer).

Assign the people you want to give access to Stacksync to the Stacksync groups you just created.

Go back to your application and, under Assignments, assign these 2 groups to the application. Make sure you select the right role for each group. You can ignore the other fields; Stacksync does not read them.

When assigning the groups, you will need to override the roles field with the corresponding role type for that group.
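
The mapping expression and the two groups above, as an added example (not Stacksync's or Okta's code): a short Python audit that applies the expression's logic to an exported list of group memberships and flags users who would be mapped to viewer without being in either group, or who are in both groups. The user names, sample data and function names are constructed for illustration, and exact (case-sensitive) group-name comparison is an assumption.

```python
# Added example: models the page's mapping expression
#   isMemberOfGroupName("Stacksync Editors") ? {"editor"} : {"viewer"}
# over a constructed export of group memberships.
EDITORS = "Stacksync Editors"
VIEWERS = "Stacksync Viewers"


def mapped_roles(groups):
    """Role list the expression yields for a user's set of group names.

    Assumption: group names are compared exactly (case-sensitive).
    """
    return ["editor"] if EDITORS in groups else ["viewer"]


def audit(memberships):
    """Return {user: (roles, findings)} for a {user: set_of_groups} mapping."""
    report = {}
    for user, groups in sorted(memberships.items()):
        findings = []
        if EDITORS not in groups and VIEWERS not in groups:
            # The ternary's else-branch applies to everyone outside the
            # editors group, not only to members of the viewers group.
            findings.append("viewer by default: in neither Stacksync group")
        if EDITORS in groups and VIEWERS in groups:
            findings.append("in both groups: expression yields editor")
        near = [g for g in groups
                if g.lower() in (EDITORS.lower(), VIEWERS.lower())
                and g not in (EDITORS, VIEWERS)]
        if near:
            findings.append(f"group name differs only by case: {sorted(near)}")
        report[user] = (mapped_roles(groups), findings)
    return report


# Constructed sample data (hypothetical users and memberships, not from the page).
SAMPLE = {
    "alice@example.com": {"Stacksync Editors"},
    "bob@example.com": {"Stacksync Viewers"},
    "carol@example.com": {"Stacksync Editors", "Stacksync Viewers"},
    "dave@example.com": {"Everyone"},
    "erin@example.com": {"Stacksync editors"},
}

if __name__ == "__main__":
    for user, (roles, findings) in audit(SAMPLE).items():
        print(user, roles, "; ".join(findings) or "ok")
```

Any user with findings is worth reviewing before the groups are assigned to the application, since the expression alone does not distinguish a deliberate viewer from a user who is simply not in the editors group.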


That's it! 🎉