Skip to main content

Okta user provisioning with SCIM

  • Updated

Note: This article is no longer maintained. For updated information, please refer to the corresponding Admin App article. We recommend updating your links if you’ve linked to this article.

Okta and Showpad work together to make user provisioning a breeze for your organization. SCIM is designed to make managing user identities in cloud-based applications and services easier. SCIM has a set of default contracts for users and groups, which can be extended to work hand-in-hand with Okta. 

Key features

  • Users in Okta can be automatically added as members of your organization in Showpad
  • User attributes updated in Okta will be pushed automatically to Showpad
  • Deactivate and reactivate users via Okta and see those changes in Showpad
  • Groups created in Okta will be pushed automatically to your Showpad instance

You need this to succeed

  • Showpad’s Platform Enterprise package
  • Available as an add-on for the Showpad Plus pricing plan
  • Administrator access on both Showpad's Online Platform and Okta

The quick way to awesomeness

Do this step by step

Enabling the SCIM API

  1. Ensure that SCIM provisioning is enabled in the sign-on settings. To do this, click the gear icon, select Admin Settings, and then Sign-On. Then toggle on the SCIM setting.
    OP-SCIM.png
  2. Just below Sign-On, select API in the Integrations section. Select API Tokens to create your token. OP-API_Tokens.png
  3. Enter a name for your new API token. You can choose to set an expiration date. Click Add. This is also where you can revoke access to other tokens you've created.
    Generate_API_Token_Name_and_Date_Revoke.png

    Tip: API Tokens are linked to the permissions of the user creating them. Creating them for a user who will exist for a long time or has an Owner or Manager role is a good practice here.

From your Okta admin portal

Note: If you haven't set up SSO with Okta before, make sure to do so before continuing these steps. Learn how to set up SSO for Showpad via Okta here.

  1. Click on the Provisioning tab and then select Configure API Integration.  Enable_API_configuration_Okta.png
  2. Provide the following information:
    • Base URL (in this format) - https://[your_organization_name].showpad.biz/api/users/scim/v2
    • API Token - Paste the API Token you previously obtained from Showpad.
    • Import Groups - Check the box to sync all existing groups from Okta into Showpad.
    enable_api_integration.png
  3. Test API Credentials and click Save when ready. 
  4. To enable the different provisioning options of Okta to Showpad, check the corresponding boxes.
    • Create users will create or link users in Showpad when assigning the app to a user in Okta.
    • Update user Attributes will allow Okta to update a user's attributes in Showpad when the app is assigned to them. Future attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in Showpad. This needs to be enabled for auto-provisioning sync for user updates to work.
    • When enabled, the option to Deactivate Users will deactivate a user's Showpad account when they are unassigned to the app in Okta, or when their Okta account is deactivated. They can be reactivated if the Showpad app is reassigned to them in Okta.
    Click Save after enabling your selections.enable_provisioning.png
  5. After enabling the provisioning options, scroll down to make any changes to the Showpad Attribute Mapping. Click the edit icon to change attributes as needed, and whether they are applied on create and/or create and update. edit_mapping_attributes.png
  6. Open the Assignments tab, then click Assign. Choose to assign the Showpad app to People or Groups. These users will be automatically created in your Showpad instance and will receive an invitation email. Groups and their user membership will also be pushed to Showpad automatically.unnamed__4_.png
  7. To push groups from Okta to Showpad, open the Push Groups tab. Search for the group, then click Create Group, then click Savecreate_test_group.png
  8. You will see the group's Last Push date and Push Status as Active. Click the Push Status to update it.
    • Deactivate group push will stop pushing group memberships. Existing members will be unaffected by this change. 
    • Unlink pushed group will stop pushing group members and optionally delete the pushed group from Showpad.
    • Push now will push this group's memberships to Showpad.
    push_status.png
Back to Top

Provisioning Modifications in Okta

Currently, from Showpad to Okta, the following activities are not supported:

  • User deletion
  • Reactivating deactivated users
  • Provisioning user roles and direct managers—While this is not directly supported from Showpad to Okta, you can add custom attributes in Okta's Profile Editor as an Okta to Showpad alternative. You can find out more about Okta's custom attributes here.

User Roles

  1. Open the Directory menu in the Admin Console, select Profile Editor, and click on Showpad User. Be sure All is selected in the Filters.showpad_user.png
  2. Click the Add Attribute button.profile_editor.png
    Enter the following information:
    • Data type - Select the string data type.
    • Display name - Enter "role".
    • Variable name - Enter "role".
    • External name - Enter this expression: roles.^[primary=='true'].value
    • External namespace - Enter this expression: urn:ietf:params:scim:schemas:core:2.0:User
    • Attribute type - Select "Personal".

    This is how it should appear:
    attribute_dialog.png

  3. Click Save. 
  4. The role attribute is added to the Showpad User profile. Click the Mappings button.profile_editor2.png
  5. On the Okta User to Showpad tab, map your preferred Okta field to the Showpad role field. For example:profile_editor3.png
  6. Click Save Mappings.

You can now use this to attribute mapping to provision your Showpad admins and users.

Direct Managers

Before you begin to configure Direct Managers, it's important to know if you are capturing the Direct Manager value in your Okta User (default) profile:

  • No - You'll need to create an attribute for Direct Managers in both the Okta User (default) and Showpad User profiles.
  • Yes -You'll only need to create an attribute for Direct Managers in the Showpad User profiles.

Okta User profile

    1. Open the Directory menu in the Admin Console, select Profile Editor, and click on User (default). If you use a custom profile for your users, select that one.manager1.png
    2. Click the Add Attribute button.manager2.png
      Enter the following information:
      • Data type - Select the linked object data type.
      • Display name - Enter "direct_manager".
      • Variable name - Enter "direct_manager".
      • User permission - Select "Read Only".

      This is how it should appear:manager3.png

    3. Click Save. The role attribute is added to the Okta profile. manager4.png

Showpad User profile

  1. After you've created the direct_manager attribute for the Okta User (default) profile, click on Showpad User profile. Be sure All is selected in the Filters.showpad_user.png
  2. Click the Add Attribute button.profile_editor.png
    Enter the following information:
    • Data type - Select the string data type.
    • Display name - Enter "manager".
    • Variable name - Enter "showpad_manager".
    • External name - Enter this expression: manager.value
    • External namespace - Enter this expression: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
    • Attribute type - Select "Personal".

    This is how it should appear:manager5.png

  3. Click Save. 
  4. The role attribute is added to the Showpad User profile. Click the Mappings button.manager6.png
  5. On the Okta User to Showpad tab, map your preferred Okta field to the Showpad role field. For example:manager7.png

    Note: Be sure to use the object name you created in the Okta User (default) profile.

  6. Click Save Mappings.

Related articles

Get the latest apps and email integrations

iOS App Store Google Play Store Microsoft Store