ADMIN PRIVILEGES REQUIRED
Overview
System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Internal Enterprise, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM sends updates whenever they occur. This provides Stack Internal Enterprise near-real-time updates to user status and role as changes happen at the IdP.
THIS ARTICLE APPLIES TO STACK INTERNAL ENTERPRISE ONLY.
This article covers integrating Okta and your Stack Internal Enterprise site with SCIM. For a better understanding of using SCIM with Stack Internal Enterprise, read our SCIM 2.0 support article.
SOE supports the following features with Okta:
Create users
Update user attributes
Deactivate users
Import users
Import groups
When setting up SCIM in Okta, you'll configure your Stack Internal Enterprise site and Okta in a back-and-forth process. We recommend having a browser tab open to each site.
NOTE: Setting up SCIM is a continuation of the Okta SAML SSO configuration process. If you haven't yet configured SSO in Okta, start with the Configure Single Sign-on (SSO) with Okta article.
Configure SCIM in Stack Internal Enterprise
As a Stack Internal Enterprise admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.
Configure the following settings:
SCIM: Set to On to enable SCIM.
SCIM authorization bearer token: Create a token (password) you'll later enter into the SCIM configuration on Okta. You can enter any string of characters, but be sure to follow best practices for creating a strong password. Stack Internal Enterprise hides the value by default. Click Show password to view and copy the value.
Allow Moderator Promotion via a userType property: Check this box to enable SCIM promotion/demotion between regular user and moderator roles.
Allow Admin Promotion via a userType property: Check this box to enable SCIM promotion/demotion between regular user and admin roles.
Click Save settings.
Configure SCIM in Okta
In Okta, you'll create a new SCIM application to integrate with Stack Internal Enterprise. This allows you to maintain separation between your SSO and SCIM integrations.
NOTE: Even if you have an existing Okta SSO application configured, you'll need to create a new SCIM application for this integration.
Create a new SCIM application in Okta
From the Applications page in Okta, click Browse App Catalog. This takes you to the application directory.
Search for SCIM 2.0 Test App (OAuth Bearer Token).
Click Add to begin the setup.
Select the "General Settings" tab.
Enter a descriptive name (such as "SOE SCIM") in the Application label field. You can leave other settings at their defaults, or change them depending upon your requirements.
Click Next.
Select the "Sign-On Options" tab.
Make sure Application username format matches the User Identifier Assertion at https://[your_site].stackenterprise.co/enterprise/auth-settings. This is how Stack Internal Enterprise properly identifies users.
Click Done.
Select the "Provisioning" tab.
Click Configure API Integration.
Check Enable API Integration and set the following parameters:
SCIM 2.0 Base Url: Set to https://[your_site].stackenterprise.co/api/scim/v2.
OAuth Bearer Token: Enter the SCIM authorization bearer token you created on your Stack Internal Enterprise SCIM settings screen.
Click Test API Credentials. You should get a "verified" message.
Click Save.
Click the "Provisioning" tab, then To App in the left-hand menu.
Click Edit.
Click the checkboxes to enable Create Users, Update User Attributes, and Deactivate Users.
Click Save.
When you deactivate or reactivate users assigned to this Okta SCIM app, the SCIM process will change their status on your Stack Internal Enterprise site as well.
Assign users to the SCIM application
In the SCIM 2.0 application in Okta, click the "Assignments" tab.
Assign your users (and/or groups) with the Assign button.
Configure administrator/moderator promotion and demotion (optional)
You can use SCIM to promote/demote users between administrator, moderator, and regular user roles. This requires defining a user type field in Okta and enabling user promotion on the SCIM integration settings page in Stack Internal Enterprise.
If you enable promotion, Stack Internal Enterprise will use the SCIM payload's stackUserType field to promote or demote users between admin, moderator, and regular user roles.
NOTE: Stack Internal Enterprise site administrators have moderator privileges, but moderators do not have admin privileges.
To configure SCIM user promotion/demotion, follow these steps.
1. In Stack Internal Enterprise, check the Allow Moderator Promotion via a userType property and/or Allow Admin Promotion via a userType property checkboxes on the SCIM settings page.
2. Click Save settings.
3. Return to the Okta admin interface. Click Profile Editor in the left-hand menu's "Directory" section.
4. Click the Stack Internal Enterprise application, then Add Attribute.
5. Create a new stackUserType attribute for the Stack Internal Enterprise app (an Okta appuser attribute). The values Stack Internal Enterprise will accept for stackUserType are Admin, Moderator, and Registered. Stack Internal Enterprise will change user roles based on these values.
6. Return to the profile editor and repeat steps 3-5, this time for User (default) instead of the Stack Internal Enterprise app (an Okta user attribute).
7. Click Profile Editor in the left-hand menu's "Directory" section, click the Stack Internal Enterprise application, then click Mappings.
8. Select Okta User to Stack Internal Enterprise at the top of the screen.
9. Scroll down to locate the new stackUserType field. Map user.stackUserType in the "user" column to stackUserType in the "appuser" column.
10. Click Save Mappings.
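To make the two settings above concrete, here is an added example (not code from Stack Internal Enterprise or Okta) of what the receiving side of this integration has to check on each inbound SCIM User payload: that the bearer token matches the one configured in Admin Settings, that the resource is a SCIM 2.0 User with a userName, that active is a boolean (false is a deactivation), and that stackUserType is one of Admin, Moderator or Registered and is only honoured when the matching promotion checkbox is on. The token value, the sample payload and the assumption that stackUserType arrives as a top-level attribute are constructed for this example.

```python
import hmac
import json

# Placeholder standing in for the token set in Admin Settings > SCIM (constructed).
SCIM_BEARER_TOKEN = "placeholder-token-from-admin-settings"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_USER_TYPES = {"Admin", "Moderator", "Registered"}

# Constructed sample of an Okta deactivate-and-demote request body.
SAMPLE_BODY = json.dumps({
    "schemas": [USER_SCHEMA],
    "userName": "jdoe@example.com",
    "active": False,
    "stackUserType": "Registered",
})


def check_bearer(authorization_header, expected=SCIM_BEARER_TOKEN):
    """True only for 'Bearer <token>' with the exact configured token.
    compare_digest keeps the comparison constant-time."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())


def apply_user_payload(body, allow_moderator, allow_admin):
    """Translate a SCIM User payload into the local account effect.

    Returns {"userName", "active", "role"}; role is None when no role change
    is requested or the matching promotion setting is off (modelling
    assumption: each value is gated by the checkbox that covers that role).
    """
    payload = json.loads(body)
    if USER_SCHEMA not in payload.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    user_name = payload.get("userName")
    if not user_name:
        raise ValueError("userName is required to identify the account")
    active = payload.get("active", True)
    if not isinstance(active, bool):
        raise ValueError("active must be a boolean")
    role = payload.get("stackUserType")
    if role is not None:
        if role not in ALLOWED_USER_TYPES:
            raise ValueError(f"unknown stackUserType {role!r}")
        permitted = {"Admin": allow_admin, "Moderator": allow_moderator,
                     "Registered": allow_admin or allow_moderator}
        if not permitted[role]:
            role = None  # promotion path disabled: status still applies
    return {"userName": user_name, "active": active, "role": role}
```

With both checkboxes off, a payload still deactivates or reactivates the account; only the role change is ignored.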
Update user department and job title (optional)
You can add optional user department and job title fields to your SCIM data. Adding these fields allows you to use Stack Internal Enterprise's connectivity reporting feature. Learn more in the Connectivity article.
To add user department and job title fields:
1. In Okta, click the "Provisioning" tab of the Stack Internal Enterprise application.
2. Click To App in the left-hand menu.
3. Scroll down to the "Stack Internal Enterprise Attribute Mappings" section and click Show Unmapped Attributes.
4. Click the pencil (edit) button in the "Title" field (jobTitle in SCIM).
5. For Attribute value, select Map from Okta Profile.
6. In the next field, select title | string.
7. Set the Apply on field to Create and update.
8. Click Save.
9. Repeat steps 4-8 above for the "Department" field, setting its value to department | string.
Limitations
When using user groups, Okta does not consider group membership changes to be user events. If you add or remove a user from an Okta group, Okta will not send a SCIM request to Stack Internal Enterprise. To update your Stack Internal Enterprise site after changing a group roster in Okta, click Force Sync. This is a known limitation of Okta.
Manual method only
Enabling automatic user management by SCIM does not disable manual user management in Stack Internal Enterprise. An admin can disable a user in Stack Internal Enterprise, for example, without changing their status in Okta. Okta and Stack Internal Enterprise will then be out of sync. To avoid confusion, we recommend standardizing on a single user management workflow (Okta only or Stack Internal Enterprise in-app only, not both).