
Set Up SCIM Provisioning with Okta

You can configure Contentstack as a provisioning app in Okta. This allows you to use Okta to provision or deprovision users automatically with Contentstack.

Note: Before proceeding with this guide, ensure that SCIM is a part of your Contentstack plan.

Here’s a step-by-step guide that explains how you can do this.

  1. Enable SCIM in Contentstack
  2. Install the Okta Generic SCIM App from Contentstack Marketplace
  3. Add the Contentstack App to Okta
  4. Configure Provisioning in Okta
  5. Assign Users and Groups to Your Application
  6. Create Group Mapping in Contentstack

Prerequisite

  1. Enable SCIM in Contentstack

    Note: Only the Owner or Admin users of an organization in Contentstack can perform this step.

    To allow provisioning of users in Contentstack’s organization through Okta, you need to enable SCIM in Contentstack by performing the following steps:

    1. Log in to your Contentstack account and go to the Organization Settings page.
    2. Go to the SCIM tab and select the Enable SCIM option.

    3. On the resulting Enable SCIM modal, click Enable.

  2. Install the Okta Generic SCIM App from Contentstack Marketplace

    1. On the left navigation panel, click the "Marketplace" icon and then Apps. Type “Okta” in the search bar.

    2. Click the Okta Generic SCIM card and click Install App.
    3. In the resulting authorization window, click the Authorize & Install button.
    4. A SCIM URL and a Secret Token are generated on the successful installation of the app. Copy them both for future reference.
  3. Add the Contentstack App to Okta

    Note: To add Contentstack to the Okta application integration, you must be an administrator. To set up an app for Contentstack to use single sign-on (SSO), refer to our Configure Contentstack App in Okta guide. If you've already created an app for Contentstack, you can skip this step.

  4. Configure Provisioning in Okta

    Before you add or remove users from the Contentstack organization, enable the provisioning feature for your app by performing the following steps:

    1. Navigate to the General tab and click Edit.
    2. Within your Contentstack app in Okta, check the Enable SCIM provisioning checkbox and click Save.
    3. Go to the Provisioning tab, and click Edit. Provide the following credentials in the SCIM Connection window:
      • SCIM connector base URL: Contentstack’s SCIM URL is used as SCIM connector base URL. Enter the SCIM URL generated in step 2.4 while installing the Okta Generic SCIM app.
      • Unique identifier field for users: Enter a unique username.
      • Supported provisioning actions: Under this section, enable Push New Users, Push Profile Updates, and Push Groups.
      • Authentication mode: Select HTTP Header from the dropdown.
      • HTTP Header: Add the Secret Token generated in step 2.4 as the Bearer token for the Authorization field.
    4. Click Test Connector Configuration to ensure the connection between Okta and the Contentstack app is successful.

      Click Save to save the app provisioning configurations.

    5. Navigate to the Settings > To App > Contentstack Attribute Mappings section to map user attributes such as userName, givenName, and familyName.
    6. Navigate back to the Settings > To App section and click Edit.
    7. Enable Create Users for provisioning, and Deactivate Users for deprovisioning.
    8. Click Save to save the provisioning settings.
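
The requests that the Create Users and Deactivate Users settings in step 4 correspond to, sketched as an added example (not Contentstack's or Okta's code). It assumes SCIM 2.0 conventions (RFC 7643/7644); the base URL, token, and user ID are constructed placeholders, and the code only builds the requests without sending them.

```python
import json
from urllib.parse import urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def build_request(method, base_url, path, token, body):
    """Describe a SCIM request; refuse to attach the token to a non-TLS URL."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("SCIM connector base URL must use https")
    return {
        "method": method,
        "url": base_url.rstrip("/") + path,
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(body),
    }

def create_user(base_url, token, user_name, given_name, family_name):
    """Create Users: POST /Users carrying the three mapped attributes."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "active": True,
    }
    return build_request("POST", base_url, "/Users", token, body)

def deactivate_user(base_url, token, user_id):
    """Deactivate Users: PATCH /Users/{id} that sets active to false."""
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }
    return build_request("PATCH", base_url, f"/Users/{user_id}", token, body)

def redacted(request):
    """Copy of a request that is safe to log: the bearer token is masked."""
    safe = dict(request, headers=dict(request["headers"]))
    safe["headers"]["Authorization"] = "Bearer ****"
    return safe

if __name__ == "__main__":
    # Constructed placeholder values, not a real Contentstack endpoint or token.
    base, tok = "https://scim.example.invalid/v2", "PLACEHOLDER_SECRET_TOKEN"
    for req in (create_user(base, tok, "jdoe@example.com", "Jane", "Doe"),
                deactivate_user(base, tok, "constructed-id")):
        print(json.dumps(redacted(req), indent=2))
```
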
  5. Assign Users and Groups to Your Application

    After configuring the provisioning settings, you need to assign either users or groups (of users) to your app. Let’s see how to do both.

    Assign People to Your Application

    To assign people to your application, perform the following steps:

    1. Navigate to the Assignments tab. Click the Assign dropdown and select the Assign to People option.
    2. Provide the individual's email address and click Assign.
    3. In the resulting people assignment modal, click Save and Go Back.
    4. Click Done to save the assignment. The assigned people are then listed.

    Assign Groups to Your Application

    To assign groups to your application, perform the following steps:

    1. Navigate to the Assignments tab. Click the Assign dropdown and select the Assign to Groups option.
    2. Click Assign next to the group you want to assign to your app.
    3. In the resulting Assign Contentstack to Groups modal, provide the required information and click Save and Go Back. Then, click Done.

    Another way to assign groups to your application is the Push Groups method: you add rules, and all groups that meet the rules are added to the Contentstack app. Here’s how to do it:

    1. Navigate to the Push Groups tab. Click the Push Groups dropdown and select Find groups by rule.
    2. In the resulting window, add some rules for the group and click Create Rule.

    Create a rule that matches the groups to be pushed to Contentstack. For example, a rule that matches group names starting with “Contentstack” will push all such groups to your app (Contentstack).

  6. Create Group Mapping in Contentstack

    Group mapping refers to the process of assigning permissions to the SCIM groups at the organization level and the stack level in Contentstack. The permissions you set for a particular group will be applicable to all the users added to that group.

    To create a group mapping, perform the following steps:

    1. Go to the Organization Settings page in Contentstack and then to the SCIM tab.
    2. From the SCIM Group dropdown, select the group for which you want to set permissions.
    3. Select the Organization Role for the group.
    4. Set Stack Role for the group. For example, if you set the “Developer” role for the “Developer stack” stack, users within the selected group will have a “Developer” role on that stack.
    5. Finally, click Update to save the changes in the group mappings.

This process sets up SCIM provisioning for your Contentstack account with Okta.
