cs-icon.svg

Set Up SCIM Provisioning with Okta Native App

You can configure Contentstack as a provisioning app in Okta. This allows you to use Okta to provision or deprovision users automatically with Contentstack.

Note: Before proceeding with this guide, ensure that SCIM is a part of your Contentstack plan.

Here’s a step-by-step guide that explains how you can do this.

  1. Enable SCIM in Contentstack
  2. Add the Contentstack App to Okta
  3. Configure Provisioning in Okta
  4. Assign Users and Groups to your Application
  5. Create Group Mapping in Contentstack

Prerequisite

  1. Enable SCIM in Contentstack
  2. Note: Only the Owner or Admin users of an organization in Contentstack can perform this step.

    To allow provisioning of users in Contentstack’s organization through Okta Native App, you need to enable SCIM in Contentstack by performing the following steps:

    1. Log in to your Contentstack account.
    2. Click on the “Org Admin” icon in the left navigation panel.
    3. Click on the SCIM tab and enable the Enable SCIM toggle switch.1_Enable_SCIM_Toggle.png
    4. On the resulting Enable SCIM modal, click Enable2_Enable_SCIM_Modal.png

  3. Add the Contentstack App to Okta
  4. Note: In order to add Contentstack to the Okta application integration, you must be an administrator. If you've already created an app for Contentstack, you can skip this step.

    1. Log in to your Okta Admin account.3_Okta_Admin_Login.png
    2. After logging in, you will see the Okta dashboard. Click on the Application tab and select Applications.
    3. In the Applications page, you will see your already created applications, if any.4_Applications_Page.png
    4. Click the Browse App Catalog to set up an application for Contentstack.5_Browse_App_Catalog.png
    5. Search for “Contentstack” within the Browse App Integration Catalog section and select the Contentstack app.6_Browse_App_Integration_Catalog.png
    6. You will be redirected to the Contentstack application. Click on the Add Integration button.7_Add_Integration_Button.png
    7. You can edit the Application label as per your preference and click on Done.8_Application_label.png
    8. Click Save.

  5. Configure Provisioning in Okta
  6. To enable your app to use the provisioning feature, you need to perform the following steps:

    1. Locate the Sign On tab and click the Edit button on Okta Configured App.9_Edit_in_SSO_Tab.png
    2. Enter the region-specific Application URL of the Contentstack app, as follows, to authorize Okta with SCIM in Contentstack.
      1. For North American region, use https://app.contentstack.com
      2. For Europe region, use https://eu-app.contentstack.com
      3. For Azure NA region, use https://azure-na-app.contentstack.com
      4. For Azure EU region, use https://azure-eu-app.contentstack.com
    3. For Application username format, select Email from the dropdown.13_Application_username_format.png
    4. Click Save.
    5. Click on Provisioning and then on Configure API Integration.14_Configure_API_Integration_in_Provisioning.png
    6. Select Enable API integration. 15_Enable_API_integration.png
    7. Navigate back to Contentstack. Click on the “Org Admin” icon and from the Organization Info page, copy the Organization ID.
    8. Next, you need to create the Base URL for the Contentstack Auth API. To do so, select the region-specific URL mentioned below, and replace ORG_ID with the Organization ID value you copied in the above step
      Region Base URL
      North American https://auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
      Europe https://eu-auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
      Azure NA https://azure-na-auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
      Azure EU https://azure-eu-auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
    9. Now enter this URL beside the Base URL field as shown below:16_Base_URL.png
    10. Click on Authenticate with Contentstack and you will be redirected to the Contentstack Okta app to authorize.
    11. Click on Authorize & Install. 17_Authorize_&_Install.png
    12. Go to To App on the left under the Settings menu. Make sure you check all the values (as shown in screenshot below).18_To_App.png
    13. Click Save.

  7. Assign Users and Groups to your Application
  8. After configuring the provisioning settings, you need to assign either users or groups (of users) to your app. Let’s see how to do them both.

    Assign People to your Application

    To assign people to your application, perform the following steps:

    1. Navigate to the Assignments tab. Click the Assign dropdown and select the Assign to People option.
      19_Assign_to_People_Button.png
    2. You need to provide the individual's email address and click the Assign button.
      20_Assign_CS_to_People.png
    3. In the resulting people assignment modal, click Save and Go Back.
    4. Click Done to save the assignment. The people assignments are listed as shown below:
      21_People_assignments.png

    Assign Groups to your Application

    To assign groups to your application, perform the following steps:

    1. Navigate to the Assignments tab. Click the Assign dropdown and select the Assign to Groups option.
      22_Assign_to_Groups_Button.png
    2. Click Assign against the group for assigning the group to your app.23_Assign_CS_to_Groups.png
    3. Click Done.

    Another way to assign groups to your application is via the Push Groups method where you add rules and all groups that meet the rules will be added to the Contentstack app. Here’s how to do it:

    1. Navigate to the Push Groups tab. Click the Push Groups dropdown and select Find groups by rule.
      24_Find_groups_by_rule.png
    2. In the resulting window, add some rules for the group and click Create Rule.
      25_Create_Rule.png

    Create a rule that matches with the groups to be pushed to Contentstack. For example, if you have a rule created that will push all groups with a name that starts with “Contentstack” to your app (Contentstack).

  9. Create Group Mapping in Contentstack
  10. Group mapping refers to the process of assigning permissions to the SCIM groups at the organization level and the stack level in Contentstack. The permissions you set for a particular group will be applicable to all the users added to that group.

    To perform group mapping, perform the following steps:

    1. Click on the Org Admin icon on the left and then to the SCIM tab.
    2. From the SCIM Group dropdown, select the group for which you want to set permissions.
    3. Select the Organization Role for the group.
    4. Set Stack Role for the group. For example, if you set the “Developer” role for the “Developer stack” stack, users within the selected group will have a “Developer” role on that stack.
    5. Finally, click Update to update the changes in the group mappings.

This process sets up the SCIM Provisioning for your Contenstack account with the Okta native app.

Was this article helpful?
^