> **Building with AI coding agents?** If you're using an AI coding agent, install the official Scalekit plugin. It gives your agent full awareness of the Scalekit API — reducing hallucinations and enabling faster, more accurate code generation. > > - **Claude Code**: `/plugin marketplace add scalekit-inc/claude-code-authstack` then `/plugin install @scalekit-auth-stack` > - **GitHub Copilot CLI**: `copilot plugin marketplace add scalekit-inc/github-copilot-authstack` then `copilot plugin install @scalekit-auth-stack` > - **Codex**: run the bash installer, restart, then open Plugin Directory and enable `` > - **Skills CLI** (Windsurf, Cline, 40+ agents): `npx skills add scalekit-inc/skills --list` then `--skill ` > > `` / ``: `agent-auth`, `full-stack-auth`, `mcp-auth`, `modular-sso`, `modular-scim` — [Full setup guide](https://docs.scalekit.com/dev-kit/build-with-ai/) --- # Okta Directory This guide is designed to help administrators seamlessly sync their Okta Directory with an application they want to onboard to their organization. By integrating your application with Okta, you can automate user management tasks and ensure that access rights are consistently up-to-date. This registration sets up the following: 1. **Endpoint**: This is the URL where Okta will send requests to the app you are onboarding. It acts as a communication point between Okta and your application. 2. **Bearer Token**: This token is used by Okta to authenticate its requests to the endpoint. It ensures that the requests are secure and authorized. By setting up these components, you enable seamless synchronization between your application and the Okta directory. 1. ## Create an endpoint and API token Open the Admin Portal from the app being onboarded and select the "SCIM Provisioning" tab. A list of Directory Providers will be displayed. Choose "Okta" as your Directory Provider. If the Admin Portal is not accessible from the app, request instructions from the app owner. ![Okta SCIM](@/assets/docs/guides/scim-integrations/okta-scim/0.png) ![Okta directory sync setup: Endpoint URL and one-time visible bearer token provided.](@/assets/docs/guides/scim-integrations/okta-scim/5.png) After selecting "Okta," click "Configure." This action will generate an Endpoint URL and Bearer token for your organization, allowing the app to listen to events and maintain synchronization with your organization. 2. ## Add a new application in Okta Log in to the Okta admin dashboard and navigate to "Applications" in the main menu. ![Okta app catalog: SCIM 2.0 Test App integration options displayed.](@/assets/docs/guides/scim-integrations/okta-scim/1-scim-search.png) If you haven't previously created a SCIM application in Okta, select "Browse App Catalog." Otherwise, choose it from your existing list of applications. In the Okta Application dashboard, search for "SCIM 2.0 Test App (OAuth Bearer Token)" and select the corresponding result. Click "Add Integration" on the subsequent page. ![Adding SCIM 2.0 Test App integration in Okta for app being onboarded](@/assets/docs/guides/scim-integrations/okta-scim/2.png) Provide a descriptive name for the app, then proceed by clicking "Next." ![Naming the app 'Hero SaaS' during SCIM 2.0 Test App integration in Okta.](@/assets/docs/guides/scim-integrations/okta-scim/3.png) The default configuration is typically sufficient for most applications. However, if your directory requires additional settings, such as Attribute Statements, configure these on the Sign-On Options page. Complete the application creation process by clicking "Done." 3. ## Enable sending and receiving events in provisioning settings In your application's Enterprise Okta admin panel, navigate to the "Provisioning" tab and select "Configure API Integration." ![Enabling API Integration in Okta for app being onboarded.](@/assets/docs/guides/scim-integrations/okta-scim/4.png) Copy the Endpoint URL and Bearer Token from your Admin Portal and paste them into the *SCIM 2.0 Base URL* field and *OAuth Bearer Token* field, respectively. Verify the configuration by clicking "Test API Credentials," then save the settings. ![Verifying SCIM credentials for Hero SaaS integration in Okta](@/assets/docs/guides/scim-integrations/okta-scim/6.png) Give provisioning permissions to the API integration. This is necessary to allow Okta to send and receive events to the app. Upon successful configuration, the Provisioning tab will display a new set of options. These options will be utilized to complete the provisioning process for your application. ![Saving verified SCIM API integration settings for Hero SaaS in Okta](@/assets/docs/guides/scim-integrations/okta-scim/7.png) 4. ## Configure provisioning options In the "To App" navigation section, enable the following options: - Create Users - Update User Attributes - Deactivate Users ![Granting provisioning permissions to Hero SaaS app in Okta SCIM integration](@/assets/docs/guides/scim-integrations/okta-scim/4.1.png) After enabling these options, click "Save" to apply the changes. These settings allow Okta to perform user provisioning actions in your application, including creating new user accounts, updating existing user information, and deactivating user accounts when necessary. 5. ## Assign users and groups ![Assigning users to Hero SaaS in Okta: Options to assign to individuals or groups](@/assets/docs/guides/scim-integrations/okta-scim/10.png) To assign users to the SAML Application: 1. Navigate to the "Assignments" tab. 2. From the "Assign" dropdown, select "Assign to People." 3. Choose the users you want to provision and click "Assign." 4. A form will open for each user. Review and populate the user's metadata fields. 5. Scroll to the bottom and click "Save and Go Back." 6. Repeat this process for all users, then select "Done." ![Assigning users to Hero SaaS in Okta: Selecting individuals for access](@/assets/docs/guides/scim-integrations/okta-scim/12.png) 6. ## Push groups and sync group membership To push groups and sync group membership: 1. Navigate to the "Push Groups" tab. 2. From the "Push Groups" dropdown, select "Find groups by name." 3. Search for and select the group you want to push. 4. Ensure the "Push Immediately" box is checked. 5. Click "Save." ![Pushing group memberships to SCIM 2.0 Test App: Configuring the 'Avengers' group in Okta](@/assets/docs/guides/scim-integrations/okta-scim/15.png) **IMPORTANT:** For accurate group membership synchronization, ensure that the same groups are not configured for push groups and group assignments. If the same groups are configured in both assignments and push groups, manual group pushes may be required for accurate membership reflection.
Okta documentation 7. ## Group based Role Assignment Configuration To automatically assign roles to users based on their group membership, configure appropriate group to role mapping in the SCIM Configuration Portal. ![Pushing group memberships to SCIM 2.0 Test App: Configuring the 'Avengers' group in Okta](@/assets/docs/guides/scim-integrations/okta-scim/gbra.png) 8. ## Verify successful connection After completing these steps, verify that the users and groups are successfully synced by visiting Users and Groups tab in the Admin Portal. ![Verification Process](@/assets/docs/guides/scim-integrations/okta-scim/verify.png) --- ## More Scalekit documentation | Resource | What it contains | When to use it | |----------|-----------------|----------------| | [/llms.txt](/llms.txt) | Structured index with routing hints per product area | Start here — find which documentation set covers your topic before loading full content | | [/llms-full.txt](/llms-full.txt) | Complete documentation for all Scalekit products in one file | Use when you need exhaustive context across multiple products or when the topic spans several areas | | [sitemap-0.xml](https://docs.scalekit.com/sitemap-0.xml) | Full URL list of every documentation page | Use to discover specific page URLs you can fetch for targeted, page-level answers |