ADMIN PRIVILEGES REQUIRED
This documentation is for Stack Internal Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
NOTE: This document is in pre-release, and should not be used for SCIM setup. Follow the instructions in the Configure System for Cross-domain Identity Management (SCIM) with Okta article instead.
Overview
System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Internal Enterprise, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM sends updates whenever they occur. This provides Stack Internal Enterprise near-real-time updates to user status and role as changes happen at the IdP.
This article covers integrating Okta and your Stack Internal Enterprise site with SCIM. For a better understanding of using SCIM with Stack Internal Enterprise, read our SCIM 2.0 support article.
SOE supports the following features with Okta:
Create users
Update user attributes
Deactivate users
Import users
When setting up SCIM in Okta, you'll configure your Stack Internal Enterprise site and Okta in a back-and-forth process. We recommend having a browser tab open to each site.
NOTE: Setting up SCIM is a continuation of the Okta SAML SSO configuration process. If you haven't yet configured SSO in Okta, start with the Configure Single Sign-on (SSO) with Okta article.
Configure SCIM in Stack Internal Enterprise
As a Stack Internal Enterprise admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.
Configure the following settings:
SCIM Set to On to enable SCIM.
SCIM authorization bearer token Create a token (password) you'll later enter into the SCIM configuration on Okta. You can enter any string of characters, but be sure to follow best practices for creating a strong password. Stack Internal Enterprise hides the value by default. Click Show password to view and copy the value.
Allow Moderator Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and moderator roles.
Allow Admin Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and admin roles.
Click Save settings.
Configure SCIM in Okta
There are two ways to configure SCIM for your Stack Internal Enterprise site with Okta. We recommend the app integration method below unless you can't (or choose not to) access the Okta App Integration Catalog. If you aren't using the Okta app integration, skip down to the "ALTERNATE MANUAL CONFIGURATION METHOD" section.
OKTA APP INTEGRATION METHOD
Return to the Stack Internal app you configured in the Configure Single Sign-on (SSO) with Okta article.
Select the "Provisioning" tab, and click Configure API Integration.
Check Enable API Integration.
Set the following parameters.
OAuth Bearer Token Enter the SCIM authorization bearer token you created on your Stack Internal Enterprise SCIM settings page.
Click Test API Credentials. You should get a "verified" message.
Click Save.
Click the "Provisioning" tab, then To App in the left-hand menu.
Click the "Provisioning to App" Edit link.
Click the checkboxes to enable Create Users, Update User Attributes, and Deactivate Users.
Click Save.
When you deactivate or reactivate users assigned to this Okta SCIM app, the SCIM process will change their status on your Stack Internal Enterprise site as well.
ALTERNATE MANUAL CONFIGURATION METHOD
NOTE: The following steps allow for manual configuration of an Okta SCIM integration that remains separate from your Okta SSO integration. Use this process if you can't (or choose not to) access the Okta App Integration Catalog.
In Okta, you'll create a new SCIM application to integrate with Stack Internal Enterprise. This allows you to maintain separation between your SSO and SCIM integrations.
NOTE: Even if you have an existing Okta SSO application configured, you'll need to create a new SCIM application for this integration.
Create a new SCIM application in Okta
From the Applications page in Okta, click Browse App Catalog. This takes you to the application directory.
Search for SCIM 2.0 Test App (OAuth Bearer Token).
Click Add to begin the setup.
Select the "General Settings" tab.
Enter a descriptive name (such as "Stack Internal SCIM") in the Application label field. You can leave other settings at their defaults, or change them depending upon your requirements.
Click Next.
Select the "Sign-On Options" tab.
Make sure Application username format matches the User Identifier Assertion at https://[your_site].stackenterprise.co/enterprise/auth-settings. This is how Stack Internal Enterprise properly identifies users.
Click Done.
Select the "Provisioning" tab.
Click Configure API Integration.
Check Enable API Integration and set the following parameters:
SCIM 2.0 Base Url Set to https://[your_site].stackenterprise.co/api/scim/v2.
OAuth Bearer Token Enter the SCIM authorization bearer token you created on your Stack Internal Enterprise SCIM settings screen.
Click Test API Credentials. You should get a "verified" message.
Click Save.
Click the "Provisioning" tab, then To App in the left-hand menu.
Click Edit.
Click the checkboxes to enable Create Users, Update User Attributes, and Deactivate Users.
Click Save.
When you deactivate or reactivate users assigned to this Okta SCIM app, the SCIM process will change their status on your Stack Internal Enterprise site as well.
Assign users to the SCIM application
In the SCIM 2.0 application in Okta, click the "Assignments" tab.
Assign your users (and/or groups) with the Assign button.
BOTH METHODS: Configure administrator/moderator promotion and demotion (optional)
You can use SCIM to promote/demote users between administrator, moderator, and regular user roles. This requires defining a user type field in Okta and enabling user promotion on the SCIM integration settings page in Stack Internal Enterprise.
If you enable promotion, Stack Internal Enterprise will use the SCIM payload's stackUserType field to promote or demote users between admin, moderator, and regular user roles.
NOTE: Stack Internal Enterprise site administrators have moderator privileges, but moderators do not have admin privileges.
To configure SCIM user promotion/demotion, follow these steps.
In Stack Internal Enterprise, check the Allow Moderator Promotion via a userType property and/or Allow Admin Promotion via a userType property checkboxes on the SCIM settings page.
Click Save settings.
Return to the Okta admin interface. Click Profile Editor in the left-hand menu's "Directory" section.
Click the Stack Internal application, then Add Attribute.
Create a new stackUserType attribute for the Stack Internal app (an Okta appuser attribute). The values Stack Internal Enterprise will accept for stackUserType are Admin, Moderator, and Registered. Stack Internal Enterprise will change user roles based on these values.
Return to the profile editor and repeat steps 3-5, this time for User (default) instead of the Stack Internal app (an Okta user attribute).
Click Profile Editor in the left-hand menu's "Directory" section, then Stack Internal Enterprise application.
Click Mappings.
Select Okta User to Stack Internal at the top of the screen.
Scroll down to locate the new stackUserType field. Map user.stackUserType in the "user" column to stackUserType in the "appuser" column.
Click Save Mappings.
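As an added example (not part of this article and not Stack Internal Enterprise code), the following Python models how the two "Allow ... Promotion via a userType property" checkboxes gate what a stackUserType value in a SCIM payload can change. The behaviour when the relevant promotion is disabled (the current role is left unchanged) and the handling of a direct Admin/Moderator transition are assumptions.

```python
# Added example: models the gating of SCIM role changes by the two promotion
# settings on the Stack Internal Enterprise SCIM page. Not product code; the
# server's exact behaviour when a promotion is disabled is assumed here
# (the user's current role is left unchanged).
from dataclasses import dataclass

# Values the article says Stack Internal Enterprise accepts for stackUserType.
VALID_USER_TYPES = {"Admin", "Moderator", "Registered"}


@dataclass(frozen=True)
class ScimSettings:
    allow_moderator_promotion: bool  # "Allow Moderator Promotion via a userType property"
    allow_admin_promotion: bool      # "Allow Admin Promotion via a userType property"


def resolve_role(current_role: str, payload: dict, settings: ScimSettings) -> str:
    """Return the role a user should hold after a SCIM update is applied.

    current_role and the result are members of VALID_USER_TYPES. payload is a
    constructed dict standing in for the SCIM user Okta sends; stackUserType
    may be absent, in which case no role change is requested.
    """
    requested = payload.get("stackUserType")
    if requested is None:
        return current_role
    if requested not in VALID_USER_TYPES:
        raise ValueError(f"unsupported stackUserType: {requested!r}")

    # A transition that touches Admin needs the admin checkbox; one that touches
    # Moderator needs the moderator checkbox. (Assumption: a direct
    # Admin <-> Moderator change therefore needs both.)
    roles_involved = {current_role, requested}
    if "Admin" in roles_involved and not settings.allow_admin_promotion:
        return current_role
    if "Moderator" in roles_involved and not settings.allow_moderator_promotion:
        return current_role
    return requested


def has_moderator_privileges(role: str) -> bool:
    """Admins hold moderator privileges; moderators do not hold admin privileges."""
    return role in ("Admin", "Moderator")
```

With both boxes unchecked, a payload carrying stackUserType=Admin cannot elevate anyone, which is the least-privilege default to keep unless you deliberately want the IdP to hand out site admin rights.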
BOTH METHODS: Update user department and job title (optional)
You can add optional user department and job title fields to your SCIM data. Adding these fields allows you to use Stack Internal Enterprise's connectivity reporting feature. Learn more in the Connectivity article.
To add user department and job title fields:
In Okta, click the "Provisioning" tab of the Stack Internal app.
Click To App in the left-hand menu.
Scroll down to the "Stack Internal Attribute Mappings" section and click Show Unmapped Attributes.
Click the pencil (edit) button in the "Title" field (jobTitle in SCIM).
For Attribute value, select Map from Okta Profile.
In the next field, select title | string.
Set the Apply on field to Create and update.
Click Save.
Repeat steps 4-8 above for the "Department" field, setting its value to department | string.
Limitations
Stack Internal Enterprise does not receive user group information from Okta. You can set up user groups to organize your users in Okta, but those group affiliations will not transfer to Stack Internal Enterprise.
When using Okta user groups, Okta does not consider group membership changes to be user events. If you add a user to or remove a user from an Okta group, Okta will not send a SCIM request to Stack Internal Enterprise. To update your Stack Internal Enterprise site after changing a group roster in Okta, click Force Sync. This is a known limitation of Okta.
Enabling automatic user management by SCIM does not disable manual user management in Stack Internal Enterprise. An admin can disable a user in Stack Internal Enterprise, for example, without changing their status in Okta. Okta and Stack Internal Enterprise will then be out of sync. To avoid confusion, we recommend standardizing on a single user management workflow (Okta only or Stack Internal Enterprise in-app only, not both).
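As an added example (not the article's or the product's own tooling), this Python reconciles a constructed export of Okta SCIM app assignments against a constructed list of Stack Internal Enterprise users to surface the out-of-sync cases described above. Both record shapes are assumptions; the join key is the username used as the User Identifier Assertion.

```python
# Added example: find drift between Okta assignments and Stack Internal
# Enterprise users, as described in the Limitations section. The record
# formats below are constructed for this example, not real exports.
from typing import Iterable

# Constructed sample data, joined on the User Identifier Assertion value.
OKTA_ASSIGNMENTS = [
    {"username": "alice@example.com", "status": "ACTIVE"},
    {"username": "bob@example.com", "status": "DEPROVISIONED"},
    {"username": "carol@example.com", "status": "ACTIVE"},
]
STACK_USERS = [
    {"username": "alice@example.com", "active": True},
    {"username": "bob@example.com", "active": True},   # re-enabled in-app by an admin
    {"username": "dave@example.com", "active": True},  # not assigned to the SCIM app
]


def find_drift(okta: Iterable[dict], stack: Iterable[dict]) -> dict[str, list[str]]:
    """Return users whose state differs between Okta and the site.

    status_mismatch:   active on one side, deactivated on the other (manual
                       in-app change, or a deprovisioning that never arrived)
    unmanaged_in_okta: on the site but not assigned to the SCIM app (created
                       manually, or dropped from an Okta group, which sends no
                       SCIM request until a Force Sync)
    missing_on_site:   assigned and active in Okta but not provisioned yet
    """
    okta_active = {u["username"]: u["status"] == "ACTIVE" for u in okta}
    site_active = {u["username"]: bool(u["active"]) for u in stack}

    drift: dict[str, list[str]] = {
        "status_mismatch": [],
        "unmanaged_in_okta": [],
        "missing_on_site": [],
    }
    for name, active in sorted(site_active.items()):
        if name not in okta_active:
            drift["unmanaged_in_okta"].append(name)
        elif okta_active[name] != active:
            drift["status_mismatch"].append(name)
    for name, active in sorted(okta_active.items()):
        if active and name not in site_active:
            drift["missing_on_site"].append(name)
    return drift


if __name__ == "__main__":
    for kind, names in find_drift(OKTA_ASSIGNMENTS, STACK_USERS).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Running this on a schedule and alerting on a non-empty status_mismatch list catches the case the article warns about, where an in-app change leaves a deprovisioned Okta user still active on the site.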