Setup Okta SSO
This integration enables authentication via OpenID Connect (OIDC) and automated user provisioning through System for Cross-domain Identity Management (SCIM).
Overview
Seemore integrates with Okta using:
OIDC (OpenID Connect) — user authentication
SCIM (System for Cross-domain Identity Management) — automated user and role provisioning
This setup allows Okta administrators to:
Manage Seemore users directly in Okta
Assign and sync roles (owner, admin, editor, viewer)
Automatically create or deactivate users
Prerequisites
Before you start:
Ensure you have Admin rights in both Okta and Seemore.
Obtain from Seemore:
SCIM base URL
Bearer token (from Integrations → SCIM Tokens)
Ensure each Okta user has a unique External ID for matching.
Enable SCIM provisioning in your Seemore tenant.
Okta group synchronization is not supported at this time.
Setup Steps
Step 1 — Create the Seemore App in Okta
In the Okta Admin Console, go to Applications → Applications → Create App Integration.
Select:
Sign-in method: OIDC – OpenID Connect
Application type: Web Application
Configure:
App name: Seemore
Login redirect URI:
Assign test users or groups to the app.
Step 2 — Configure OIDC in Seemore
In Seemore, open Settings → Preferences → Authentication → Okta.
Enter:
Okta domain (from Okta)
Client ID / Secret (from the Okta app)

Save and test. You should be redirected to Okta for sign-in and back to Seemore upon success.
Step 3 — Enable SCIM Provisioning in Seemore
Check the box to Enable SCIM Provisioning and save.

Click Create Token, then save the generated token. You won’t be able to view it again later.


Step 4 — Enable SCIM Provisioning in Okta
Confirm that an OpenID Connect application has already been registered in the Okta Workforce tenant for OIDC-based authentication.
Confirm that Federation Broker Mode is disabled for your OpenID Connect application.
Register a second application in Okta:
Go to Applications → Applications → Create App Integration.
Choose Secure Web Authentication, then Next.
On the General App Settings page:
Set a name and a URL.
Select Do not display application icon to users.
The URL entered is not used in the SCIM integration.
Select Finish.
Navigate to the General tab → Edit → Provisioning section.
Choose SCIM, then Save.
Navigate to Provisioning → Integration → Edit, and configure the following:
SCIM connector base URL: SCIM Endpoint URL copied earlier
Unique identifier field for users: userName
Under Supported provisioning actions, enable:
Push New Users
Push Profile Updates
Authentication Mode: HTTP Header
Paste the token value into the Authorization field.
(Optional) Test the connection, then choose Save.
Go to Provisioning → Settings → To App → Edit, then:
Enable Create Users, Update User Attributes, and Deactivate Users.
Choose Save.
Under Attribute Mappings, use the X button to delete the following lines, which are not needed and may cause issues during PUT operations:
Attribute | Value
Primary email type | (user.email != null && user.email != '') ? 'work' : ''
Primary phone type | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''
Address type | (user.streetAddress != null && user.streetAddress != '') ? 'work' : ''
Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read Okta's help section.
You can now test user provisioning in the Assignments tab or test update operations by editing user attributes under Directory → People in Okta.
Step 5 — Map User Attributes
Go to Provisioning → To App → Mappings and configure the fields below:
Add a custom property named externalId to link Okta users with Seemore users.
External name: externalId
External namespace: urn:ietf:params:scim:schemas:core:2.0:User
Data type: string
user.getInternalProperty("id") | user:external_id | Correlation ID between Okta and Seemore
user.email | user:role | Primary email address
💡 Important:
The key linking attribute is external_id under the namespace user.
This must correspond to Seemore’s internal user ID for proper linking.
Step 6 — Configure Role Assignment
Seemore expects roles as a multi-value SCIM attribute named roles.
In Okta:
Edit the Seemore app’s schema by adding a custom attribute:
Name: roles
External name: user:roles
Type: Array
Map the Okta role or group to this attribute:
Okta source: user.role (or your internal role field)
Target: roles
Allowed values: owner, admin, editor, viewer
⚙️ Technical Note: The SCIM spec requires this field to be an array (e.g., [{type:"XXX", value: "admin"}]), not a single string.
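A pre-flight check for the payload shape described in Step 6 and the failure modes listed under Troubleshooting, as an added example (not Seemore's or Okta's code): it validates the roles array of a SCIM User resource against the allowed values and reports externalId values shared by more than one user. It assumes the standard SCIM 2.0 core User layout with top-level userName, externalId and roles; the function names and sample users are constructed for illustration.

```python
from collections import Counter

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_ROLES = {"owner", "admin", "editor", "viewer"}  # allowed values from Step 6


def check_user(user):
    """Return a list of problems found in one SCIM User resource (a dict)."""
    problems = []
    if CORE_USER not in user.get("schemas", []):
        problems.append("schemas: core User URN missing")
    for field in ("userName", "externalId"):
        value = user.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
    roles = user.get("roles")
    if not isinstance(roles, list):
        # The "Roles missing / Sent as string" case from Troubleshooting.
        problems.append("roles: must be an array, got " + type(roles).__name__)
        return problems
    for i, entry in enumerate(roles):
        value = entry.get("value") if isinstance(entry, dict) else None
        if not isinstance(value, str) or value not in ALLOWED_ROLES:
            problems.append(f"roles[{i}]: value {value!r} is not an allowed role")
    return problems


def duplicate_external_ids(users):
    """Return externalId values shared by more than one user, sorted."""
    counts = Counter(u.get("externalId") for u in users if u.get("externalId"))
    return sorted(eid for eid, n in counts.items() if n > 1)


# Constructed sample payloads (assumed shape, not captured from Okta or Seemore).
SAMPLES = [
    {"schemas": [CORE_USER], "userName": "alice@example.com",
     "externalId": "00u-constructed-1", "roles": [{"type": "XXX", "value": "admin"}]},
    {"schemas": [CORE_USER], "userName": "bob@example.com",
     "externalId": "00u-constructed-2", "roles": "editor"},
    {"schemas": [CORE_USER], "userName": "carol@example.com",
     "externalId": "00u-constructed-1", "roles": [{"type": "XXX", "value": "superuser"}]},
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u["userName"], check_user(u) or "ok")
    print("duplicate externalId:", duplicate_external_ids(SAMPLES))
```

Running it against a sample of what Okta would push catches string-typed or out-of-range role values before they reach the SCIM endpoint.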
Step 7 — Provision and Test
Assign a test user in Okta to the Seemore app.
Verify in Seemore:
User appears under Admin → Users
External ID and email are correct
Role will sync upon user’s first login (session-level role binding)
Troubleshooting
User not created | Invalid SCIM credentials | Check API token and Base URL
Duplicate users | external_id mismatch | Ensure user:external_id is unique
Roles missing | Sent as string | Change to array type
Role not visible post-provision | Role applies at session level | User must re-login
Validation Checklist
✅ SCIM connection tested successfully
✅ User created in Seemore after Okta push
✅ Role appears correctly after login
✅ External ID matches Seemore internal ID
