Configure a Custom Provisioning Application

This guide will walk you through how to set up SCIM provisioning with Oktopost by configuring a custom application with your identity provider (IdP).  

Requirements

To set up the automated provisioning, you must have admin access to Oktopost and to your identity provider's settings.  

Features

The following provisioning actions can be supported:

  • Create Users

    Creates a user in Oktopost when assigning the app to a user in your IdP.

  • Update User Attributes

    Your identity provider can update users' attributes in Oktopost when the app is assigned. Future attribute changes made to the user profile in your IdP will automatically overwrite the corresponding attribute value in Oktopost.

  • Deactivate Users

    Deactivates a user's Oktopost account when it is unassigned in your IdP or their IdP account is deactivated. Accounts can be reactivated if the app is reassigned to a user in the IdP.

Configuration Steps

For EU-hosted Oktopost accounts (i.e., if you log in and see eu-app.oktopost.com as the URL), you must adjust any value that shows app.oktopost.com or board.oktopost.com to instead be eu-app.oktopost.com or eu-board.oktopost.com. Otherwise, ignore this box.

The Sign In Method for the custom application must be SAML 2.0.

In the Configure SAML section, use the following details:

  • Identifier URL: https://app.oktopost.com
  • Reply URL: https://app.oktopost.com/auth/acs
  • Single Sign On URL (optional for SP-initiated flows): https://app.oktopost.com/auth/login
  • Audience URI (SP Entity ID): urn:oktopost:sp
  • Default Relay State: null
  • Provisioning: SCIM

The SCIM Connection settings should include:

To enable automatic provisioning for Oktopost users, use the tenant URL: https://app.oktopost.com/scim/v2
To enable automatic provisioning for advocates, use the tenant URL: https://board.oktopost.com/scim/v2

  • Unique identifier field for users: userName
  • Authentication mode: HTTP

Optional Attribute Mappings

When setting up SCIM provisioning, ensure that the following user attributes are mapped in your IdP. At minimum, Oktopost requires userName, name.givenName, name.familyName, and emails (work, primary). We recommend mapping them as follows:

  • userName → userPrincipalName or mail
  • name.givenName → givenName
  • name.familyName → surname
  • emails[type eq "work"].value → mail

Please note that Oktopost requires the Username and Email values to match for provisioning to work correctly. Without these mappings, user creation may fail or users may be skipped during sync.
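
The mapping requirements above can be checked locally before the first sync. The following is an added example, not Oktopost's or any IdP's code: it builds the tenant URL (including the EU host adjustment) and flags records that lack a required attribute or whose userName does not match the primary work email. The function names and sample records are constructed for illustration, and the strict, case-sensitive comparison is an assumption, since the guide does not say how case is treated.

```python
# Added example: local preflight for SCIM user records (not Oktopost code).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def tenant_url(audience, eu_hosted=False):
    """Tenant URL from the guide; audience is 'users' or 'advocates'."""
    host = {"users": "app", "advocates": "board"}[audience]
    prefix = "eu-" if eu_hosted else ""
    return f"https://{prefix}{host}.oktopost.com/scim/v2"

def work_email(user):
    """Return the primary work email value, or None if absent."""
    for entry in user.get("emails") or []:
        if entry.get("type") == "work" and entry.get("primary") is True:
            return entry.get("value")
    return None

def preflight(user):
    """Return a list of problems; an empty list means the record passes."""
    problems = []
    name = user.get("name") or {}
    required = {"userName": user.get("userName"),
                "name.givenName": name.get("givenName"),
                "name.familyName": name.get("familyName"),
                "emails (work, primary)": work_email(user)}
    for attr, value in required.items():
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{attr}: missing or empty")
    user_name, email = user.get("userName"), work_email(user)
    if isinstance(user_name, str) and isinstance(email, str) and user_name != email:
        # Assumption: compare strictly, but report case-only differences separately.
        if user_name.lower() == email.lower():
            problems.append("userName and work email differ only by case")
        else:
            problems.append("userName does not match work email")
    return problems

# Constructed sample records (example.com is a placeholder domain).
GOOD = {"schemas": [SCIM_USER_SCHEMA], "userName": "dana@example.com",
        "name": {"givenName": "Dana", "familyName": "Reyes"},
        "emails": [{"type": "work", "primary": True, "value": "dana@example.com"}]}
# userName mapped from a login ID that is not the mail address.
BAD = dict(GOOD, userName="dreyes")

if __name__ == "__main__":
    print(tenant_url("users", eu_hosted=True))
    for record in (GOOD, BAD):
        print(record["userName"], preflight(record) or "ok")
```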

Supported provisioning actions:

Authorization for HTTP Header: the token from Oktopost's Settings -> Security -> Provisioning

Edit Provisioning to App to enable:

  1. Create users
  2. Update user attributes
  3. Deactivate users

Currently, assigning user/advocate roles is not possible. The system assumes the default role set in Oktopost.
