Okta - SAML
This information only applies to organizations on the Pro and Enterprise plans.
SCIM for Okta supports the following SCIM resources:
- Users (mapped directly to BSR Users)
- Groups (not directly represented in the BSR, but can be added to BSR Organizations by name to manage Organization membership)
The steps below must be carried out by users with administrative privileges in your Okta account.
- Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, buf.example.com) for the steps below.
Enable SCIM provisioning
- Sign in to your Okta organization.
- Navigate to Applications > Applications and click on your BSR application.
- Navigate to the General tab and click Edit in the App Settings pane.
- Check SCIM and click Save.
- Okta may take some time to propagate the change. When it's enabled, you should see a new Provisioning tab in your application.
Configure the SCIM connector
- In your Okta application, navigate to the Provisioning tab.
- Under the SCIM Connection pane, click Edit and enter the following information:
- SCIM connector base URL:
- Unique identifier field for users:
- Supported provisioning actions: Check off the following:
- Push New Users
- Push Profile Updates
- If you would like to push groups, also check the following:
- Import New Users and Profile Updates
- Push Groups
- Import Groups
- Authentication Mode:
- Authorization: enter the SCIM token you created earlier
- Click Test Connector Configuration. You should see the following screen (an x will show for the actions you have not checked; this is expected):
Click the To App side tab.
Click Edit and enable the following options:
- Create Users
- Update User Attributes
- Deactivate Users
In the Attribute Mappings section below, ensure the following attribute mappings are set. Unmap all other attributes.
Configured in Sign On settings (should be mapped to Email)
(user.email != null && user.email != "") ? 'work' : ''
(i.e., specified only if user.email is not null or empty)
If you had previously assigned this Okta application to users before enabling SCIM, you will need to provision those existing users to the BSR. Okta will try to match the users to existing users within the BSR, and this should succeed without error. Follow the steps below to do this.
- In your Okta application, navigate to the Assignments tab.
- You should see warnings for all the existing users. Click Provision User, then click OK in the confirmation prompt.
- You will see a toast indicating that the provisioning job was queued. You can navigate to Dashboard > Tasks (https://yourog.okta.com/admin/tasks) to view any background tasks that Okta is running, as well as any errors that come up.
The BSR will use any IdP-provided groups in combination with automated organization provisioning to automatically manage users' memberships to BSR Organizations.
In your Okta application, navigate to the Push Groups tab.
Click Refresh App Groups to pull the latest groups from the BSR. You may have to wait a few moments for it to complete.
Under Push Groups, choose the relevant group selection criteria. Once a group has been selected, you will see one of two options:
- If the BSR already knows about the group, Okta will indicate that a match was found.
- If the BSR does not know about the group, Okta will allow you to either link to another group in the BSR, or create a new one. In most cases, you will want to create a new group.
Okta will now attempt a Group Push. If an error is encountered, it will be shown directly next to the group, like below. If this happens, contact Support or your Buf representative to resolve the error and try again.