Portkey supports provisioning Users & Groups with Okta SAML Apps.

Okta does not support SCIM Provisioning with OIDC apps; only SAML apps are supported.

To set up SCIM provisioning between Portkey and Okta, you must first create a SAML App on Okta.

Setting up SCIM Provisioning

  1. Navigate to the app settings. Under general settings, enable the SCIM provisioning checkbox.

    The Provisioning tab should be visible after enabling SCIM provisioning. Navigate to that page.

  2. Obtain the Tenant URL and Secret Token from the Portkey Admin Settings page (if SCIM is enabled for your organization).

  3. Fill in the values from the Portkey dashboard into Okta’s provisioning settings and click Test Connection. If successful, click Save.

    Ensure you choose the Authentication Mode as HTTP Header.

  4. Check all the boxes as specified in the image below for full support of SCIM provisioning operations.

  5. Once the details are saved, you will see two more options along with integration, namely To App and To Okta.

    Select To App to configure provisioning from Okta to Portkey.

    Enable the following checkboxes:

    • Create Users
    • Update User Attributes
    • Deactivate Users

    After saving the settings, the application header should resemble the following image.

This completes the SCIM provisioning settings between Okta and Portkey.

Whenever you assign a User or Group to the application, Okta automatically pushes the updates to Portkey.

Organisation role support

Portkey supports the following organisation roles:

  • owner (Organization Owner)
  • admin (Organization Admin)
  • member (Organization Member)

Users assigned any other role will default to the member role.

Editing Attributes

Okta by default doesn’t support role attributes. To support role attributes, you need to edit the attributes in Okta.

  1. Navigate to the app settings. Under general settings, click on the Provisioning tab.

  2. Click on the Go to Profile Editor button, found under Attribute Mappings section.

  3. Click on the Add Attribute button.

  4. Fill the form with the following details:

  5. Click on the Save button.

Verifying the changes

To verify the changes, you can assign a user to the application with the desired role (e.g., owner, member, or admin) for the organization.

Make sure to select only one role for a user, if multiple selected user will be assigned to highest qualified role.

Group Provisioning with Okta

Portkey supports RBAC (Role-Based Access Control) for workspaces mapped to groups in Okta. Use the following naming convention for groups:

  • Format: ws-{group}-role-{role}
    • Role: One of admin, member, or manager
  • A user should belong to only one group per {group}.

Example: For a Sales workspace:

  • ws-Sales-role-admin
  • ws-Sales-role-manager
  • ws-Sales-role-member

Users assigned to these groups will inherit the corresponding role in Portkey.

Automatic provisioning with Okta works for Users, but it does not automatically work for Groups.

To support automatic provisioning for groups, you must first push the groups to the App (Portkey). Then, Okta will automatically provision updates.

To push the groups to Portkey, navigate to the Push Groups tab. If it is not found, ensure you have followed all the steps correctly and enabled all the fields mentioned in the Provisioning steps.

  1. Click on Push Groups.

  2. Select Find group by name.

  3. Enter the name of the group, select the group from the list, and click Save or Save & Add Another to assign a new group.

You can also use Find groups by rule to push multiple groups using a filter.

If there is any discrepancy or issue with group provisioning, you can retry provisioning by clicking the Push Now option. This can be found under the Push Status column in the groups list.

Support

If you encounter any issues with group provisioning, please reach out to us here.