Set Up SCIM Provisioning with Okta Native App

You can configure Contentstack as a provisioning app in Okta. This allows you to use Okta to provision or deprovision users automatically with Contentstack.

NoteBefore proceeding with this guide, ensure that SCIM is a part of your Contentstack plan.

Here’s a step-by-step guide that explains how you can do this.

1. Enable SCIM in Contentstack
2. Add the Contentstack App to Okta
3. Configure Provisioning in Okta
4. Assign Users and Groups to your Application
5. Create Group Mapping in Contentstack

• Okta tenant that has permission to configure provisioning
• Contentstack account

1. Enable SCIM in Contentstack

   link

   NoteOnly the Owner or Admin users of an organization in Contentstack can perform this step.

   To allow provisioning of users in Contentstack’s organization through Okta Native App, you need to enable SCIM in Contentstack by performing the following steps:

   1. Log in to your Contentstack account.
   2. Click on the “Org Admin” icon in the left navigation panel.
   3. Click on the SCIM tab and enable the Enable SCIM toggle switch.
      Click to enlarge
   4. On the resulting Enable SCIM modal, click Enable
      Click to enlarge

2. Add the Contentstack App to Okta

   link

   NoteIn order to add Contentstack to the Okta application integration, you must be an administrator. If you've already created an app for Contentstack, you can skip this step.

   1. Log in to your Okta Admin account.
      Click to enlarge
   2. After logging in, you will see the Okta dashboard. Click on the Application tab and select Applications.
   3. In the Applications page, you will see your already created applications, if any.
      Click to enlarge
   4. Click the Browse App Catalog to set up an application for Contentstack.
      Click to enlarge
   5. Search for “Contentstack” within the Browse App Integration Catalog section and select the Contentstack app.
      Click to enlarge
   6. You will be redirected to the Contentstack application. Click on the Add Integration button.
      Click to enlarge
   7. You can edit the Application label as per your preference and click on Done.
      Click to enlarge
   8. Click Save.

3. Configure Provisioning in Okta

   link

   To enable your app to use the provisioning feature, you need to perform the following steps:

   1. Locate the Sign On tab and click the Edit button on Okta Configured App.
      Click to enlarge
   2. Enter the region-specific Application URL of the Contentstack app, as follows, to authorize Okta with SCIM in Contentstack.
      1. For North American region, use https://app.contentstack.com
      2. For Europe region, use https://eu-app.contentstack.com
      3. For Azure NA region, use https://azure-na-app.contentstack.com
      4. For Azure EU region, use https://azure-eu-app.contentstack.com
      5. For GCP NA region, use https://gcp-na-app.contentstack.com
   3. For Application username format, select Email from the dropdown.
      Click to enlarge
   4. Click Save.
   5. Click on Provisioning and then on Configure API Integration.
      Click to enlarge
   6. Select Enable API integration.
      Click to enlarge
   7. Navigate back to Contentstack. Click on the “Org Admin” icon and from the Organization Info page, copy the Organization ID.
   8. Next, you need to create the Base URL for the Contentstack Auth API. To do so, select the region-specific URL mentioned below, and replace ORG_ID with the Organization ID value you copied in the above step

      Region	Base URL
      North American	https://auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
      Europe	https://eu-auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
      Azure NA	https://azure-na-auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID
      Azure EU	https://azure-eu-auth-api.contentstack.com/scim/v2.0/organizations/ORG_ID

   9. Now enter this URL beside the Base URL field as shown below:
      Click to enlarge
   10. Click on Authenticate with Contentstack and you will be redirected to the Contentstack Okta app to authorize.
   11. Click on Authorize & Install.
       Click to enlarge
   12. Go to To App on the left under the Settings menu. Make sure you check all the values (as shown in screenshot below).
       Click to enlarge
   13. Click Save.

4. Assign Users and Groups to your Application

   link

   After configuring the provisioning settings, you need to assign either users or groups (of users) to your app. Let’s see how to do them both.

   Assign People to your Application

   link

   To assign people to your application, perform the following steps:

   1. Navigate to the Assignments tab. Click the Assign dropdown and select the Assign to People option.
      
      Click to enlarge
   2. You need to provide the individual's email address and click the Assign button.
      
      Click to enlarge
   3. In the resulting people assignment modal, click Save and Go Back.
   4. Click Done to save the assignment. The people assignments are listed as shown below:
      
      Click to enlarge

   Assign Groups to your Application

   link

   To assign groups to your application, perform the following steps:

   1. Navigate to the Assignments tab. Click the Assign dropdown and select the Assign to Groups option.
      
      Click to enlarge
   2. Click Assign against the group for assigning the group to your app.
      Click to enlarge
   3. Click Done.

   Another way to assign groups to your application is via the Push Groups method where you add rules and all groups that meet the rules will be added to the Contentstack app. Here’s how to do it:

   1. Navigate to the Push Groups tab. Click the Push Groups dropdown and select Find groups by rule.
      
      Click to enlarge
   2. In the resulting window, add some rules for the group and click Create Rule.
      
      Click to enlarge

   Create a rule that matches with the groups to be pushed to Contentstack. For example, if you have a rule created that will push all groups with a name that starts with “Contentstack” to your app (Contentstack).

5. Create Group Mapping in Contentstack

   link

   Group mapping refers to the process of assigning permissions to the SCIM groups at the organization level and the stack level in Contentstack. The permissions you set for a particular group will be applicable to all the users added to that group.

   To perform group mapping, perform the following steps:

   1. Click on the Org Admin icon on the left and then to the SCIM tab.
      Click to enlarge
   2. From the SCIM Group dropdown, select the group for which you want to set permissions.
      Click to enlarge
   3. Select the Organization Role for the group.
      Click to enlarge
   4. Set Stack Role for the group. For example, if you set the “Developer” role for the “Developer stack” stack, users within the selected group will have a “Developer” role on that stack.
      Click to enlarge
   5. Finally, click Update to update the changes in the group mappings.

This process sets up the SCIM Provisioning for your Contenstack account with the Okta native app.