- 06 Feb 2023
User Provisioning (SCIM) Integration with Okta
- Updated on 06 Feb 2023
Overview
This article discusses how to set up SCIM with the user authentication management platform, Okta.
The process described below involves multiple steps:
- Using the Okta Admin dashboard to set up the required infrastructure.
- Communicating with Preset Support to enable SCIM.
- Using User Groups in Preset.
We encourage you to follow each step in sequence. If you have difficulties, please feel free to contact us at Preset Support.
It is not possible to create a SCIM integration without having an SSO integration already in place. If you haven't created an SSO integration yet, please refer to this tutorial.
Step 1: Enable SCIM provisioning on the Preset application in Okta
- Navigate to your company's Okta Admin dashboard. In the Main Menu, select Applications and, in the sub-menu, select Applications.
- On the Applications screen, select the application that was used to create the Single Sign On (SSO) integration with Preset.
- Navigate to the General tab, and click on Edit to change the settings.
- Enable SCIM provisioning:
You might need to engage the Okta Support team if you can't find one of these options. Further details are available on this link.
Step 2: Request Preset to Enable SCIM
The SCIM integration needs to be approved by an admin of your Preset team. If you are not a Team Admin, share the support ticket with one so they can approve the implementation.
- Navigate to the Preset Support Ticket page.
- Create a Support Ticket with the following information:
- In the Summary field, please enter: Request to enable SCIM
- In the Give us more details field, please provide the following information:
- Your Team Name Slug. You can discover this by logging in to Preset as an Admin, navigating to the Team Settings screen, and copying the unique code at the end of your URL:
- The AppName from the application on Okta. You can get it from the URL when accessing the app in the Admin Console. The URL usually has this structure:
https://<OktaTenant>-admin.okta.com/admin/app/<AppName>/instance/<AppID>/#tab-general
Reminder: Confirm E-Mail Address
Please ensure that the e-mail address you provided in the ticket is correct, as we will send you additional configuration details to finalize the SCIM provisioning.
- Select Send.
Step 3: Information from Preset
After receiving your SCIM enable request, we will provide you with additional details that can be used to finalize the provisioning process.
These details include:
- SCIM Connector Base URL
- This will be in the following syntax:
https://manage.app.preset.io/api/v1/teams/{{team-name-slug}}/scim/v2/
- Please refer to the instructions above in Step 2 to find your team name slug.
- Unique Identifier Field for Users:
userName
- Authentication Mode:
OAuth 2
- Access Token Endpoint URI:
https://auth.app.preset.io/oauth/token
- Authorization Endpoint URI:
https://auth.app.preset.io/authorize?scope=offline_access
- Client ID - provided by support after the configuration is done on our end.
- Client Secret - provided by support after the configuration is done on our end.
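Because these settings arrive by e-mail and the Client Secret is entered alongside them, it is worth confirming that every endpoint matches the values documented above before pasting anything into Okta. The following is an added example, not Preset's or Okta's own tooling: the function names `okta_app_name` and `check_scim_settings` are hypothetical, the Okta host suffix is assumed from the URL structure in Step 2, and all sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoints exactly as documented in Step 3 of this page.
EXPECTED = {
    "base_url": "https://manage.app.preset.io/api/v1/teams/{slug}/scim/v2/",
    "token_uri": "https://auth.app.preset.io/oauth/token",
    "authorize_uri": "https://auth.app.preset.io/authorize?scope=offline_access",
}
# Assumption: path layout and host suffix follow the URL structure in Step 2.
OKTA_PATH = re.compile(r"^/admin/app/([^/]+)/instance/([^/]+)/?$")


def okta_app_name(admin_url):
    """Return (AppName, AppID) from an Okta Admin Console application URL."""
    parts = urlsplit(admin_url)
    match = OKTA_PATH.match(parts.path)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith("-admin.okta.com") or not match:
        raise ValueError("not an Okta Admin Console application URL")
    return match.group(1), match.group(2)


def check_scim_settings(slug, received):
    """List every difference between received settings and the documented ones."""
    problems = []
    for key, template in EXPECTED.items():
        want = urlsplit(template.format(slug=slug))
        got = urlsplit(received.get(key, ""))
        # netloc (not hostname) so userinfo and port tricks are also caught.
        for part in ("scheme", "netloc", "path", "query"):
            if getattr(got, part) != getattr(want, part):
                problems.append(f"{key}: {part} is {getattr(got, part)!r}, "
                                f"expected {getattr(want, part)!r}")
    if received.get("unique_identifier") != "userName":
        problems.append("unique_identifier: expected 'userName'")
    return problems


# Constructed sample values (not real tenant data).
SAMPLE_SLUG = "a1b2c3d4"
SAMPLE_OK = {k: v.format(slug=SAMPLE_SLUG) for k, v in EXPECTED.items()}
SAMPLE_OK["unique_identifier"] = "userName"
# Same settings, but the token endpoint points at a lookalike host.
SAMPLE_BAD = dict(SAMPLE_OK, token_uri="https://auth.app.preset.io.example.net/oauth/token")

if __name__ == "__main__":
    print(check_scim_settings(SAMPLE_SLUG, SAMPLE_OK))
    print(check_scim_settings(SAMPLE_SLUG, SAMPLE_BAD))
```

An empty list means the received values match this page; any entry names the setting and URL component to query with Preset Support before saving the integration.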
Step 4: Input Details into Okta
- Return to your Okta Admin dashboard, navigate to your application, select the Provisioning tab, and then select Integration in the Settings menu.
- Enter the details that we provided to you. Here is an example:
- Select Save and then Re-authenticate with Preset.
Step 5: Import Users and Push Groups
- After authentication, in Okta, select Import to import users. For assistance, please refer to Okta's documentation.
- Next, select Push Groups to push existing groups to the provisioned SCIM. For assistance, please refer to Okta's documentation.
Step 6: User Groups in Preset
When Okta SSO is integrated with Preset, a new option called User Groups will appear in Settings at both the Team and Workspace level. Let's have a look at each of these.
User Groups at the Team Level
Navigate to User Groups (Team)
At the team level, Admins can assign a user role to all members of a user group (as defined in Okta).
To see how this works, when logged in as an Admin, navigate to the Team Settings screen by selecting the Gear icon.
In the Members section, there is a new tab called User Groups. Go ahead and select it.
In the graphic below, we selected User Groups and then expanded the Group Members section under Engineering.
Change User Role for Group Members
To change the user role for all members of a user group:
To the right of a user group name, select the drop-down menu and choose a user role. In the example below, we changed the role of every member of the Engineering group to User.
To verify, select All Members:
User Groups at the Workspace Level
The user group concept works the same at the workspace level as it does at the team level, with the difference being that workspace roles can be changed instead of user roles.
Navigate to User Groups (Workspace)
To navigate to workspace role settings, select the vertical ellipsis icon in a workspace card and then select Edit Workspace Roles.
Change Workspace Role for Group Members
As mentioned, the mechanics of User Groups at the workspace level are identical to those at the Team level described above.
In the graphic below, a user can select a workspace role (e.g., Workspace Admin, Primary Contributor, etc.) and, when chosen, the role will be applied to all group members that have access to the workspace.
The levels of access granted to different workspace roles are as follows:
Role | Feature Access | Data Access | Data Role Management |
---|---|---|---|
Workspace Admin | All | All | Yes |
Primary Contributor | All | All | No |
Secondary Contributor | All based on Data Access Role. Can create physical datasets. | Restricted | No |
Limited Contributor | Limited based on Data Access Role. Can only create virtual datasets. | Restricted | No |
Viewer | Published Charts and Dashboards, based on Data Access Role | Restricted | No |
Dashboard Viewer | Published Dashboards, based on Data Access Role | Restricted | No |
No Access | No | No | No |
To learn more about workspaces, please see About Workspaces.
Additionally, to learn more about how access roles work in Preset, please see: