# Setup Okta SSO

This integration enables authentication via **OpenID Connect (OIDC)** and automated user provisioning through **System for Cross-domain Identity Management (SCIM)**.

{% hint style="info" %}
**Required role to configure:** [Admin](/external-docs/fundamentals/settings/user-roles.md) or higher.

Users with lower roles can view this feature but cannot change its configuration.
{% endhint %}

***

### Overview

Seemore integrates with Okta using:

* **OIDC (OpenID Connect)** — user authentication
* **SCIM (System for Cross-domain Identity Management)** — automated user and role provisioning

This setup allows Okta administrators to:

* Manage Seemore users directly in Okta
* Assign and sync roles (*owner, admin, editor, viewer*)
* Automatically create or deactivate users

***

### Prerequisites

Before you start:

* Ensure you have **Admin rights** in both **Okta** and **Seemore**.
* Obtain from Seemore:
  * **SCIM base URL**
  * **Bearer token** (from *Integrations → SCIM Tokens*)
* Ensure each Okta user has a **unique External ID** for matching.
* Enable **SCIM provisioning** in your Seemore tenant.

{% hint style="info" %}
Okta group synchronization is not supported at this time.
{% endhint %}

***

### Setup Steps

#### Step 1 — Create the Seemore App in Okta

1. In the **Okta Admin Console**, go to\
   `Applications → Applications → Create App Integration`.
2. Select:
   * **Sign-in method:** OIDC – OpenID Connect
   * **Application type:** Web Application
3. Configure:
   * **App name:** `Seemore`
   * **Login redirect URI:**

     ```
     https://datamaze.us.auth0.com/login/callback
     ```
4. Assign test users or groups to the app.

***

#### Step 2 — Configure OIDC in Seemore

1. In Seemore, open\
   `Settings → Preferences → Authentication → Okta`.<br>

   <figure><img src="/files/FP566QiFPAppUNgtYldG" alt=""><figcaption></figcaption></figure>
2. Enter:
   * **Okta domain** (from Okta)
   * **Client ID / Secret** (from the Okta app)<br>

     <figure><img src="/files/AmEwdF1aeog6PyuDR4rE" alt=""><figcaption></figcaption></figure>
3. Save and test.\
   You should be redirected to Okta for sign-in and back to Seemore upon success.

***

#### Step 3 — Enable SCIM Provisioning in Seemore

1. Check the box to **Enable SCIM Provisioning** and save.<br>

   <div align="center" data-full-width="true"><figure><img src="/files/oYX2z1QXQiaz7bGyNSkJ" alt=""><figcaption></figcaption></figure></div>
2. Click `Create Token`, then `Save` the generated token.\
   You won’t be able to view it again later.

<figure><img src="/files/oYX2z1QXQiaz7bGyNSkJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/6TsnvASQqWAm4JxN5p8C" alt=""><figcaption></figcaption></figure>

***

#### Step 4 — Enable SCIM Provisioning in Okta

1. Confirm that an **OpenID Connect** application has already been registered in the Okta Workforce tenant for OIDC-based authentication.
2. Confirm that your OpenID Connect application has **disabled Federation Broker Mode**.
3. Register a second application in Okta:
   * Go to `Applications → Applications → Create App Integration`
   * Choose **Secure Web Authentication**, then `Next`
4. On the **General App Settings** page:
   * Set a name and a URL
   * Select `Do not display application icon to users`
   * The URL entered is not used in the SCIM integration
5. Select `Finish`.
6. Navigate to the **General** tab → `Edit` → **Provisioning** section.
7. Choose `SCIM`, then `Save`.
8. Navigate to `Provisioning → Integration → Edit`, and configure the following:
   * **SCIM connector base URL:** SCIM Endpoint URL copied earlier
   * **Unique identifier field for users:** `userName`
   * Under **Supported provisioning actions**, enable:
     * Push New Users
     * Push Profile Updates
   * **Authentication Mode:** HTTP Header
   * Paste the token value into the `Authorization` field
   * (Optional) Test the connection, then choose `Save`.
9. Go to `Provisioning → Settings → To App → Edit`, then:
   * Enable `Create Users`, `Update User Attributes`, and `Deactivate Users`
   * Choose `Save`.
10. Under **Attribute Mappings**, use the **X** button to **delete** the following lines, which are not needed and may cause issues during PUT operations:

    | Attribute          | Value                                                                    |
    | ------------------ | ------------------------------------------------------------------------ |
    | Primary email type | `(user.email != null && user.email != '') ? 'work' : ''`                 |
    | Primary phone type | `(user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''`   |
    | Address type       | `(user.streetAddress != null && user.streetAddress != '') ? 'work' : ''` |

    Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read Okta's help section.

{% hint style="info" %}
You can now test user provisioning in the **Assignments** tab or test update operations by editing user attributes under **Directory → People** in Okta.
{% endhint %}

***

#### Step 5 — Map User Attributes

Go to `Provisioning → To App → Mappings` and configure the following fields:

Add a custom property named `externalId` to link Okta users with Seemore users.

<table><thead><tr><th width="374">Property</th><th>Value</th></tr></thead><tbody><tr><td>External name</td><td>externalId</td></tr><tr><td>External namespace</td><td>urn:ietf:params:scim:schemas:core:2.0:User</td></tr><tr><td>Data type</td><td>string</td></tr></tbody></table>

<table><thead><tr><th width="294.33203125">Okta Attribute</th><th>Seemore Attribute</th><th>Description</th></tr></thead><tbody><tr><td><code>user.getInternalProperty("id")</code></td><td><code>user:external_id</code></td><td>Correlation ID between Okta and Seemore</td></tr><tr><td><code>user.email</code></td><td><code>user:role</code></td><td>Primary email address</td></tr></tbody></table>

{% hint style="warning" %}
💡 **Important:**\
The key linking attribute is `external_id` under the namespace `user`.\
This must correspond to Seemore’s internal user ID for proper linking.
{% endhint %}

***

#### Step 6 — Configure Role Assignment

Seemore expects roles as a multi-value SCIM attribute named `roles`.

In Okta:

1. Edit the Seemore app’s schema by adding a custom attribute:
   * **Name:** `roles`
   * **External name:** `user:roles`
   * **Type:** Array
2. Map the Okta role or group to this attribute:
   * **Okta source:** `user.role` (or your internal role field)
   * **Target:** `roles`
3. Allowed values:
   * `owner`
   * `admin`
   * `editor`
   * `viewer`

> ⚙️ **Technical Note:**\
> The SCIM spec requires this field to be an array (e.g., `[{"type": "XXX", "value": "admin"}]`), not a single string.

#### Step 7 — Provision and Test

1. Assign a test user in Okta to the Seemore app.
2. Verify in Seemore:
   * User appears under *Admin → Users*
   * External ID and email are correct
   * Role will sync upon user’s first login (session-level role binding)

***

### Troubleshooting

| Symptom                         | Cause                         | Resolution                          |
| ------------------------------- | ----------------------------- | ----------------------------------- |
| User not created                | Invalid SCIM credentials      | Check API token and Base URL        |
| Duplicate users                 | `external_id` mismatch        | Ensure `user:external_id` is unique |
| Roles missing                   | Sent as string                | Change to array type                |
| Role not visible post-provision | Role applies at session level | User must re-login                  |
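
The array requirement from Step 6 and the `Duplicate users` and `Roles missing` rows above can be checked on a payload before users are pushed. The following Python is an added example, not Seemore or Okta code; the payload shape (`userName`, `externalId`, `roles` entries with a `value` key) is assumed from this page and the SCIM core User schema, and the sample users are constructed.

```python
ALLOWED_ROLES = {"owner", "admin", "editor", "viewer"}  # values listed in Step 6
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # namespace from Step 5


def check_user(payload):
    """Return a list of problems found in one SCIM User resource."""
    problems = []
    if CORE_USER not in payload.get("schemas", []):
        problems.append("schemas: core User schema URN missing")
    for field in ("userName", "externalId"):
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
    roles = payload.get("roles")
    if not isinstance(roles, list) or not roles:
        kind = "sent as string" if isinstance(roles, str) else "missing or empty"
        problems.append(f"roles: {kind}, must be a non-empty array")
    for i, entry in enumerate(roles if isinstance(roles, list) else []):
        value = entry.get("value") if isinstance(entry, dict) else None
        if not isinstance(value, str) or value not in ALLOWED_ROLES:
            problems.append(f"roles[{i}]: {value!r} is not an allowed role")
    return problems


def check_batch(payloads):
    """Check every payload and flag externalId values used more than once."""
    report, seen = {}, {}
    for p in payloads:
        name = str(p.get("userName", "<no userName>"))
        report[name] = check_user(p)
        ext = p.get("externalId")
        if isinstance(ext, str) and ext:
            if ext in seen:
                report[name].append(f"externalId: duplicate of {seen[ext]}")
            else:
                seen[ext] = name
    return report


# Constructed sample payloads (not captured from a real tenant).
SAMPLES = [dict(schemas=[CORE_USER], userName=n, externalId=e, roles=r) for n, e, r in (
    ("ana@example.com", "00u1-constructed", [{"type": "XXX", "value": "admin"}]),
    ("bo@example.com", "00u1-constructed", "editor"),  # string role, reused ID
    ("cy@example.com", "00u3-constructed", [{"value": "superuser"}]),
)]

if __name__ == "__main__":
    for user, issues in check_batch(SAMPLES).items():
        print(user, "->", issues or "ok")
```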

***

### Validation Checklist

✅ SCIM connection tested successfully\
✅ User created in Seemore after Okta push\
✅ Role appears correctly after login\
✅ External ID matches Seemore internal ID

***

### Related Resources

* [Okta SCIM Integration Guide](https://developer.okta.com/docs/reference/scim/)
* [OIDC setup with Okta](https://developer.okta.com/docs/guides/implement-auth-code/)
* [Okta SCIM provisioning](https://developer.okta.com/docs/guides/scim-provisioning-integration-connect/main/#create-your-private-integration-in-okta)


