User Provisioning (SCIM) Integration with Okta
  • 06 Feb 2023

Overview

This article discusses how to set up SCIM with the user authentication management platform Okta.

The process described below involves multiple steps:

  1. Using the Okta Admin dashboard to set up the required infrastructure.
  2. Communicating with Preset Support to enable SCIM.
  3. Using User Groups in Preset.

We encourage you to follow each step in sequence and, if you have difficulties, please feel free to contact us at Preset Support.

Single Sign On (SSO) Requirement

It is not possible to create a SCIM integration without having an SSO integration already in place. If you haven't created an SSO integration yet, please refer to this tutorial.


Step 1: Enable SCIM provisioning on the Preset application in Okta

  1. Navigate to your company's Okta Admin dashboard. In the Main Menu, select Applications and, in the sub-menu, select Applications.
  2. On the Applications screen, select the application that was used to create the Single Sign On (SSO) integration with Preset.
  3. Navigate to the General tab, and click on Edit to change the settings.
  4. Enable SCIM provisioning:
    [Image: SCIM provisioning in Okta]

Okta Support

You might need to engage the Okta Support team if you can't find one of these options. Further details are available at this link.


Step 2: Request Preset to Enable SCIM

Admin Approval

The SCIM integration needs to be approved by an admin of your Preset team. If you are not a Team Admin, share the support ticket with one so they can approve the implementation.

  1. Navigate to the Preset Support Ticket page.
  2. Create a Support Ticket with the following information:
  3. In the Summary field, please enter: Request to enable SCIM
  4. In the Give us more details field, please provide the following information:
    1. Your Team Name Slug. You can discover this by logging in to Preset as an Admin, navigating to the Team Settings screen, and copying the unique code at the end of your URL:
      [Image: team name slug]
    2. The AppName from the application on Okta. You can get it from the URL when accessing the app in the Admin Console. The URL usually has this structure: https://<OktaTenant>-admin.okta.com/admin/app/<AppName>/instance/<AppID>/#tab-general.

Reminder: Confirm E-Mail Address

Please ensure that the e-mail address you provided in the ticket is correct, as we will send you additional configuration details to finalize the SCIM provisioning.

  5. Select Send.

Step 3: Information from Preset

After receiving your SCIM enable request, we will provide you with additional details that can be used to finalize the provisioning process.

These details include:

  • SCIM Connector Base URL
    • This will be in the following syntax: https://manage.app.preset.io/api/v1/teams/{{team-name-slug}}/scim/v2/
    • Please refer to the instructions above in Step 2 to find your team name slug.
  • Unique Identifier Field for Users: userName
  • Authentication Mode: OAuth 2
  • Access Token Endpoint URI: https://auth.app.preset.io/oauth/token
  • Authorization Endpoint URI: https://auth.app.preset.io/authorize?scope=offline_access
  • Client ID - provided by support after the configuration is done on our end.
  • Client Secret - provided by support after the configuration is done on our end.
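
A pre-flight check for the Step 3 values before they are entered into Okta, given as an added example (not Preset's or Okta's code): it rejects an unfilled slug placeholder, a non-HTTPS or lookalike OAuth endpoint that would otherwise receive the Client Secret, and a mistyped identifier field. The function names, dictionary keys, sample slug and placeholder credentials are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Endpoint values are the ones listed in Step 3; the dict keys are illustrative.
BASE_TEMPLATE = "https://manage.app.preset.io/api/v1/teams/{{team-name-slug}}/scim/v2/"
TOKEN_URI = "https://auth.app.preset.io/oauth/token"
AUTHORIZE_URI = "https://auth.app.preset.io/authorize?scope=offline_access"

def scim_base_url(team_slug):
    """Substitute the team slug into the Step 3 base-URL template."""
    # Assumption: a slug never needs URL escaping; anything else is a paste error.
    if not team_slug or quote(team_slug, safe="") != team_slug:
        raise ValueError(f"suspicious team slug: {team_slug!r}")
    return BASE_TEMPLATE.replace("{{team-name-slug}}", team_slug)

def _same_endpoint(actual, expected):
    """Compare scheme, host and path exactly, so http:// or a lookalike host fails."""
    a, e = urlsplit(actual), urlsplit(expected)
    return (a.scheme, a.netloc.lower(), a.path) == (e.scheme, e.netloc, e.path)

def check_settings(settings, team_slug):
    """Return a list of problems; an empty list means the values match Step 3."""
    problems = []
    base = settings.get("base_url", "")
    if "{{" in base or "}}" in base:
        problems.append("base_url still contains the {{team-name-slug}} placeholder")
    elif base != scim_base_url(team_slug):
        problems.append("base_url does not match the Step 3 pattern for this team")
    if settings.get("unique_identifier") != "userName":
        problems.append("unique identifier field must be exactly userName")
    if not _same_endpoint(settings.get("token_uri", ""), TOKEN_URI):
        problems.append("token endpoint is not the HTTPS URI from Step 3")
    auth = settings.get("authorize_uri", "")
    scopes = " ".join(parse_qs(urlsplit(auth).query).get("scope", [])).split()
    if not _same_endpoint(auth, AUTHORIZE_URI) or "offline_access" not in scopes:
        problems.append("authorization endpoint or offline_access scope is wrong")
    for key in ("client_id", "client_secret"):
        value = settings.get(key, "")
        if not value or value != value.strip():
            problems.append(f"{key} is empty or has stray whitespace")
    return problems

# Constructed sample input: made-up slug, placeholder credentials, two mistakes.
SAMPLE = {
    "base_url": "https://manage.app.preset.io/api/v1/teams/abc12345/scim/v2/",
    "unique_identifier": "username",                       # wrong case
    "token_uri": "http://auth.app.preset.io/oauth/token",  # not HTTPS
    "authorize_uri": AUTHORIZE_URI,
    "client_id": "EXAMPLE_CLIENT_ID", "client_secret": "EXAMPLE_CLIENT_SECRET",
}
print(check_settings(SAMPLE, "abc12345"))
```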

Step 4: Input Details into Okta

  1. Return to your Okta Admin dashboard, navigate to your application, select the Provisioning tab, and then select Integration in the Settings menu.
  2. Enter the details that we provided to you. Here is an example:

[Image: Okta SCIM provisioning details]

  3. Select Save and then Re-authenticate with Preset.

Step 5: Import Users and Push Groups

  1. After authentication, in Okta, select Import to import users. For assistance, please refer to Okta's documentation.
  2. Next, select Push Groups to push existing groups to the provisioned SCIM. For assistance, please refer to Okta's documentation.

Step 6: User Groups in Preset

When Okta SSO is integrated with Preset, a new option called User Groups will appear in Settings at both the Team and Workspace level. Let's have a look at each of these.

User Groups at the Team Level

Navigate to User Groups (Team)

At the team level, Admins can assign a user role to all members of a user group (as defined in Okta).

To see how this works, when logged in as an Admin, navigate to the Team Settings screen by selecting the Gear icon.

[Image: navigating to the Team page]

In the Members section, there is a new tab called User Groups. Go ahead and select it.

In the graphic below, we selected User Groups and then expanded the Group Members section under Engineering.

[Image: User Groups at the team level]

Change User Role for Group Members

To change the user role for all members of a user group:

To the right of a user group name, select the drop-down menu and choose a user role. In the example below, we changed the role of every member of the Engineering group to User.

[Image: making all team members a User]

To verify, select All Members:

[Image: All Members view after the role change]

User Groups at the Workspace Level

The user group concept works the same at the workspace level as it does at the team level, with the difference being that workspace roles can be changed instead of user roles.

Navigate to User Groups (Workspace)

To navigate to workspace role settings, select the vertical ellipsis icon in a workspace card and then select Edit Workspace Roles.

[Image: Edit Workspace Roles]

Change Workspace Role for Group Members

As mentioned, the mechanics of User Groups at the workspace level are identical to those at the Team level described above.

In the graphic below, a user can select a workspace role (e.g., Workspace Admin, Primary Contributor, etc.) and, when chosen, the role will be applied to all group members that have access to the workspace.

[Image: changing workspace roles in User Groups]

The levels of access granted to different workspace roles are as follows:

| Role | Feature Access | Data Access | Data Role Management |
|---|---|---|---|
| Workspace Admin | All | All | Yes |
| Primary Contributor | All | All | No |
| Secondary Contributor | All based on Data Access Role. Can create physical datasets. | Restricted | No |
| Limited Contributor | Limited based on Data Access Role. Can only create virtual datasets. | Restricted | No |
| Viewer | Published Charts and Dashboards, based on Data Access Role | Restricted | No |
| Dashboard Viewer | Published Dashboards, based on Data Access Role | Restricted | No |
| No Access | No | No | No |

To learn more about workspaces, please see About Workspaces.

Additionally, to learn more about how access roles work in Preset, please see:

