Setting up SCIM with Okta

Updated 1 month ago by Abhiram

Kissflow supports automatic user provisioning with System for Cross-domain Identity Management (SCIM) standard. Okta’s SCIM-based user provisioning for Kissflow supports the following features:

  • Creating users
  • Updating select user attributes
  • Deactivating users
  • Pushing groups to Kissflow

When provisioning users, Okta directory is mapped to a single Kissflow account. Any new user in Okta will receive an email invitation prompting them to create a Kissflow account.

Configuring user provisioning to Kissflow

To set up Kissflow user provisioning with Okta, you need to have an Account Owner, Super Admin, or User Admin role and an active Okta account.

  1. Go to your Okta Admin account, access the applications tab and click the Add Application button. Then, search for the SCIM 2.0 Test App (OAuth Bearer Token) application and rename the app accordingly.
  2. In Kissflow, go to Admin and open the User Management screen. Click Configure SCIM button, copy the Base URL and generate a new SCIM token. Select Save to finish provisioning setup on the Kissflow side.
    You must keep the SCIM token secure as the token once generated will not be available again for copy or download.
Configure SCIM in Kissflow
  1. Under the Provisioning tab of Okta SCIM app, paste the copied Base URL and Secret token into their corresponding fields. Then, click Test API Credentials to verify the app. If successful, save the credentials.
    Creating and verifying Okta app
  2. You can click Edit beside Provisioning to App to enable Create Users, Update User Attributes, and Deactivate Users capabilities.
    Configuring user provisioning in Okta
  3. Add your Okta users from the Assignments tab of the app. You can also push groups assigned to the Okta application. A new group is created in Kissflow and all members who are a part of that group are added to it. However, these users are not added as individual users.

New users synced from Okta are added in an active state by default. When you delete someone in Okta, they are retained in Kissflow as an inactive user.


How did we do?