Okta user provisioning with SCIM

Okta and Showpad work together to make user provisioning a breeze for your organization. SCIM is designed to make managing user identities in cloud-based applications and services easier. SCIM has a set of default contracts for users and groups, which can be extended to work hand-in-hand with Okta. 

Key features

• Users in Okta can be automatically added as members of your organization in Showpad
• User attributes updated in Okta will be pushed automatically to Showpad
• Deactivate and reactivate users via Okta and see those changes in Showpad
• Groups created in Okta will be pushed automatically to your Showpad instance

You need this to succeed

• Showpad’s Platform Enterprise package
• Available as an add-on for the Showpad Plus pricing plan
• Administrator access on both Showpad's Online Platform and Okta

Do this step by step

Enabling the SCIM API

1. In the admin settings section of the Online Platform, ensure that SCIM provisioning is enabled in the sign-on settings. Do this by clicking the gear icon, selecting Admin Settings, and then Sign-On. Toggle on the SCIM setting.
   
2. Just below Sign-On, select API under the Integrations column to the left. Select API Tokens to create your token.
3. Enter a name for your new API token. You can choose to set an expiration date. Click Add. This is also where you can revoke access to other tokens you have created.
   API Tokens are linked to the permissions of the user creating them. Creating them for a user who will exist for a long time or has an Owner or Manager role is a good practice here. 

From your Okta admin portal

Note: If you have not set up SSO with Okta before, make sure to do so before continuing these steps. Learn how to set up SSO for Showpad via Okta here.

1. Click on the Provisioning tab and then select Configure API Integration. 
2. Enter the base URL in this format:
   https://[your_organization_name].showpad.biz/api/users/scim/v2
   Paste the API Token you previously obtained from Showpad.
   Check the box to Import Groups. This will sync all existing groups from Okta into Showpad.
   
   
3. Test API Credentials and click Save when ready. 
4. To enable the different provisioning options of Okta to Showpad, check the corresponding boxes.
   
   • Create users will create or link users in Showpad when assigning the app to a user in Okta.
   • Update user Attributes will allow Okta to update a user's attributes in Showpad when the app is assigned to them. Future attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in Showpad. This needs to be enabled for auto-provisioning sync for user updates to work.
   • When enabled, the option to Deactivate Users will deactivate a user's Showpad account when they are unassigned to the app in Okta, or when their Okta account is deactivated. They can be reactivated if the Showpad app is reassigned to them in Okta.
   Click Save after enabling your selections.
5. After enabling the provisioning options, scroll down to make any changes to the Showpad Attribute Mapping. Click the edit icon to change attributes as needed, and whether they are applied on create and/or create and update.
6. Open the Assignments tab, then click Assign. Choose to assign the Showpad app to People or Groups. These users will be automatically created in your Showpad instance and will receive an invitation email. Groups and their user membership will also be pushed to Showpad automatically.
7. To push groups from Okta to Showpad, open the Push Groups tab. Search for the group, then click Create Group, then click Save. 
8. You will see the group's Last Push date and Push Status as Active. Click the Push Status to update it.
   Deactivate group push will stop pushing group memberships. Existing members will be unaffected by this change. 
   Unlink pushed group will stop pushing group members and optionally delete the pushed group from Showpad.
   Push now will push this group's memberships to Showpad.Currently, from Showpad to Okta, the following activities are not supported: user deletion, provisioning of roles, provisioning of direct managers, and reactivating deactivated users.