---
title: 'Configuring {% ifversion ghec %}SCIM{% else %}authentication and{% endif %} provisioning with Okta'
shortTitle: Set up Okta
intro: 'Learn how to configure Okta to communicate with your enterprise{% ifversion ghec %} on {% data variables.product.prodname_dotcom_the_website %} or {% data variables.enterprise.data_residency_site %}{% endif %}.'
product: '{% data reusables.gated-features.emus %}'
permissions: '{% ifversion ghes %}Site administrators{% else %}People{% endif %} with admin access to the IdP'
allowTitleToDifferFromFilename: true
versions:
  ghec: '*'
  feature: scim-for-ghes-public-beta
redirect_from:
  - /early-access/github/articles/configuring-provisioning-for-managed-users-with-okta
  - /github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
  - /admin/authentication/managing-your-enterprise-users-with-your-identity-provider/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
  - /admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
  - /admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
  - /admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta
  - /admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-with-okta
  - /admin/managing-iam/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-with-okta
type: tutorial
topics:
  - Accounts
  - Authentication
  - Enterprise
  - SSO
---

{% data reusables.scim.ghes-beta-note %}

## About provisioning with Okta

If you use Okta as an IdP, you can use Okta's application to provision user accounts, manage enterprise membership, and manage team memberships for organizations in your enterprise. Okta is a partner IdP, so you can simplify your authentication and provisioning configuration by using the Okta application {% ifversion ghec %}for {% data variables.product.prodname_emus %}. For more information, see "AUTOTITLE."{% else %}to manage both SAML single sign-on and SCIM provisioning on {% data variables.product.prodname_ghe_server %}.{% endif %}

Alternatively, if you only intend to use Okta for SAML authentication and you want to use a different IdP for provisioning, you can integrate with {% data variables.product.prodname_dotcom %}'s REST API for SCIM. For more information, see "AUTOTITLE."

## Supported features

{% ifversion ghec %}{% data variables.product.prodname_emus %}{% else %}{% data variables.product.prodname_ghe_server %}{% endif %} supports the following provisioning features for Okta.

| Feature | Description |
| :- | :- |
| Push New Users | Users that are assigned to {% ifversion ghec %}the {% data variables.product.prodname_emu_idp_application %}{% else %}{% data variables.product.company_short %}'s{% endif %} application in Okta are automatically created in the enterprise on {% data variables.product.product_name %}. |
| Push Profile Update | Updates made to the user's profile in Okta will be pushed to {% data variables.product.product_name %}. |
| Push Groups | Groups in Okta that are assigned to {% ifversion ghec %}the {% data variables.product.prodname_emu_idp_application %}{% else %}{% data variables.product.company_short %}'s{% endif %} application as Push Groups are automatically created in the enterprise on {% data variables.product.product_name %}. |
| Push User Deactivation | Unassigning the user from {% ifversion ghec %}the {% data variables.product.prodname_emu_idp_application %}{% else %}{% data variables.product.company_short %}'s{% endif %} application in Okta will disable the user on {% data variables.product.product_name %}. The user will not be able to sign in, but the user's information is maintained. |
| Reactivate Users | Users in Okta whose Okta accounts are reactivated and who are assigned back to {% ifversion ghec %}the {% data variables.product.prodname_emu_idp_application %}{% else %}{% data variables.product.company_short %}'s{% endif %} application on Okta will be enabled. |

{% ifversion ghec %}

> [!NOTE]
> {% data variables.product.prodname_emus %} does not support modifications to usernames.

{% endif %}

## Prerequisites

{% ifversion ghes %}
The general prerequisites for using SCIM on {% data variables.product.product_name %} apply. See the "Prerequisites" section in "AUTOTITLE."

In addition:

* To configure SCIM, you must have completed steps 1 to 4 in "AUTOTITLE."
  * You will need the {% data variables.product.pat_v1 %} created for the setup user to authenticate requests from Okta.
{% else %}
If you're configuring SCIM provisioning for a new enterprise, make sure to complete all previous steps in the initial configuration process. See "AUTOTITLE."

In addition:
{% endif %}

* You must use Okta's application for both authentication and provisioning.
* {% data reusables.scim.your-okta-product-must-support-scim %}

{% ifversion ghes %}

## 1. Configure SAML

During the {% data variables.release-phases.public_preview %} of SCIM on {% data variables.product.prodname_ghe_server %}, you will use the GitHub AE application in Okta to configure SAML authentication and SCIM provisioning. Do not use the "{% data variables.product.prodname_ghe_server %}" application, which is incompatible with {% data variables.product.prodname_dotcom %}'s latest SCIM API endpoints.

Before starting this section, ensure you have followed steps 1 and 2 in "AUTOTITLE."

### In Okta

1. Go to the GitHub AE application in Okta.
2. Click **Add integration**.
3. In the general settings, for the base URL, enter your {% data variables.product.prodname_ghe_server %} host URL (`https://HOSTNAME.com`).
4. Click the **Sign On** tab.
5. Ensure the "Credential Details" match the following.
   * "Application username format": Okta username
   * "Update application username on": Create and update
   * "Password reveal": Deselected
6. In the "SAML Signing Certificates" section, download your certificate by selecting **Actions**, then clicking **Download certificate**.
7. On the right side of the page, click **View SAML setup instructions**.
8. Make a note of the "Sign on URL" and the "Issuer" URL.

### On {% data variables.product.product_name %}

  1. Sign in to {% data variables.location.product_location %} as a user with access to the Management Console.
  2. Configure SAML using the information you have gathered. See "AUTOTITLE."

## 2. Configure SCIM

After configuring your SAML settings, you can proceed to configure provisioning settings.

{% elsif ghec %}

## Configuring SCIM

After you have configured your SAML settings in Okta's app, you can proceed to configure provisioning settings. If you haven't already configured SAML settings, see "AUTOTITLE."

{% endif %}

{% ifversion ghec %}
To configure provisioning, the setup user {% ifversion ghec %}with the `@SHORT-CODE_admin` username {% endif %}will need to provide a {% data variables.product.pat_v1 %} with the `scim:enterprise` scope. See "AUTOTITLE."
{% else %}
Before starting this section, ensure you have followed steps 1 to 4 in "AUTOTITLE."
{% endif %}

1. Navigate to your {% data variables.product.prodname_emu_idp_application %} application on Okta.
2. Click the **Provisioning** tab.
3. In the settings menu, click **Integration**.
4. To make changes, click **Edit**.
5. Click **Configure API integration**.
6. In the "API Token" field, enter the {% data variables.product.pat_v1 %} belonging to the setup user.

   {% data reusables.scim.import-groups-unsupported %}
7. Click **Test API Credentials**. If the test is successful, a verification message will appear at the top of the screen.
8. To save the token, click **Save**.
9. In the settings menu, click **To App**.
10. To the right of "Provisioning to App", to allow changes to be made, click **Edit**.
11. Select **Enable** to the right of **Create Users**, **Update User Attributes**, and **Deactivate Users**.
12. To finish configuring provisioning, click **Save**.
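Okta's "Test API Credentials" step confirms that the token is accepted, but it does not tell you which scopes the token carries or what the enterprise's SCIM endpoint currently holds. The Python script below is an added example written for this article, not code from GitHub or Okta. It checks the setup user's token for the `scim:enterprise` scope, splits provisioned users into active and deactivated (which is what "Push User Deactivation" produces: the record stays, with `active` set to false), and lists pushed groups that still reference a deactivated or missing user, the leftover state the deprovisioning section below asks you to clean up. It assumes GitHub's enterprise SCIM endpoints live under `/scim/v2/enterprises/ENTERPRISE/`, that GitHub returns a classic token's scopes in the `X-OAuth-Scopes` response header, and the SCIM 2.0 `ListResponse` shape; the environment variable names are this example's own, and `SAMPLE_USERS` and `SAMPLE_GROUPS` are constructed, not captured from a real enterprise.

```python
"""Programmatic counterpart of Okta's "Test API Credentials" step: check the
setup user's token scopes and summarize what the enterprise SCIM endpoint holds.
Added example for this article (not GitHub's or Okta's code); assumptions are
noted inline."""
import json
import os
import sys
import urllib.request

REQUIRED_SCOPE = "scim:enterprise"  # scope the article says the setup user's PAT needs


def scim_headers(token: str) -> dict:
    """Headers for GitHub's SCIM API (assumption: Bearer auth, SCIM media type)."""
    return {
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
        "X-GitHub-Api-Version": "2022-11-28",
    }


def missing_scopes(oauth_scopes_header, required=(REQUIRED_SCOPE,)) -> list:
    """Required scopes absent from an X-OAuth-Scopes header value (None = nothing granted)."""
    granted = set()
    if oauth_scopes_header:
        granted = {s.strip() for s in oauth_scopes_header.split(",") if s.strip()}
    return [s for s in required if s not in granted]


def summarize_users(users_response: dict) -> dict:
    """Active vs. deactivated usernames from a SCIM Users ListResponse.
    Push User Deactivation sets active=false but keeps the record, so the user stays listed."""
    active, inactive = [], []
    for user in users_response.get("Resources", []):
        (active if user.get("active", False) else inactive).append(user["userName"])
    return {"total": users_response.get("totalResults", len(active) + len(inactive)),
            "active": sorted(active), "inactive": sorted(inactive)}


def stale_group_members(users_response: dict, groups_response: dict) -> list:
    """(group, userName) pairs where a pushed group still lists a deactivated or
    missing user: the leftover the deprovisioning section says to clear from Push Groups."""
    users_by_id = {u["id"]: u for u in users_response.get("Resources", [])}
    stale = []
    for group in groups_response.get("Resources", []):
        for member in group.get("members", []):
            user = users_by_id.get(member.get("value"))
            if user is None or not user.get("active", False):
                name = user["userName"] if user else (member.get("display") or member.get("value"))
                stale.append((group["displayName"], name))
    return stale


# Constructed sample responses in SCIM 2.0 ListResponse form (not real data).
SAMPLE_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "u-1", "userName": "mona_octo", "active": True},
        {"id": "u-2", "userName": "hubot_octo", "active": False},  # unassigned in Okta
    ],
}
SAMPLE_GROUPS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "g-1", "displayName": "octo-developers", "members": [
        {"value": "u-1", "display": "mona_octo"},
        {"value": "u-2", "display": "hubot_octo"},   # deactivated but still pushed
        {"value": "u-9", "display": "former_octo"},  # no longer exists on GitHub
    ]}],
}


def fetch(url: str, token: str):
    """GET a SCIM resource; returns (parsed body, X-OAuth-Scopes header or None)."""
    req = urllib.request.Request(url, headers=scim_headers(token))
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("X-OAuth-Scopes")


def main() -> int:
    # Env var names and the default base URL are this example's choices; on a
    # GitHub Enterprise Server instance set SCIM_BASE_URL to your instance's API root.
    token, enterprise = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_ENTERPRISE")
    base = os.environ.get("SCIM_BASE_URL", "https://api.github.com")
    if not (token and enterprise):
        print("set GITHUB_TOKEN and GITHUB_ENTERPRISE to query a real enterprise", file=sys.stderr)
        return 2
    users, scopes = fetch(f"{base}/scim/v2/enterprises/{enterprise}/Users", token)
    groups, _ = fetch(f"{base}/scim/v2/enterprises/{enterprise}/Groups", token)
    lacking = missing_scopes(scopes)
    print("token scopes OK" if not lacking else f"token is missing scopes: {lacking}")
    print(json.dumps(summarize_users(users), indent=2))
    for group, name in stale_group_members(users, groups):
        print(f"stale member {name!r} still in pushed group {group!r}")
    return 1 if lacking else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `GITHUB_TOKEN` set to the setup user's token and `GITHUB_ENTERPRISE` set to the enterprise slug. The pure functions (`missing_scopes`, `summarize_users`, `stale_group_members`) work offline on the constructed samples, so the reporting logic can be checked before any token is issued; a non-zero exit when the scope is missing makes the check usable from a pipeline.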

{% ifversion ghes %}

When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See "AUTOTITLE."

{% endif %}

## How do I assign users and groups?

{% data reusables.enterprise-managed.assigning-users %}

{% data reusables.scim.emu-scim-rate-limit %}

You can also automatically manage organization membership by adding groups to the "Push Groups" tab in Okta. When the group is provisioned successfully, it will be available to connect to teams in the enterprise's organizations. For more information about managing teams, see "AUTOTITLE."

{% data reusables.enterprise-managed.assigning-roles %}

> [!NOTE]
> You can only set the "Roles" attribute for an individual user, not a group. If you want to set roles for everyone in a group that is assigned to the application in Okta, you must use the "Roles" attribute for each group member, individually.

## How do I deprovision users and groups?

To remove a user or group from {% data variables.product.product_name %}, remove the user or group from both the "Assignments" tab and the "Push Groups" tab in Okta. For users, make sure the user is removed from all groups in the "Push Groups" tab.