Setup Okta SSO

This integration enables authentication via OpenID Connect (OIDC) and automated user provisioning through System for Cross-domain Identity Management (SCIM).


Overview

Seemore integrates with Okta using:

  • OIDC (OpenID Connect) — user authentication

  • SCIM (System for Cross-domain Identity Management) — automated user and role provisioning

This setup allows Okta administrators to:

  • Manage Seemore users directly in Okta

  • Assign and sync roles (owner, admin, editor, viewer)

  • Automatically create or deactivate users


Prerequisites

Before you start:

  • Ensure you have Admin rights in both Okta and Seemore.

  • Obtain from Seemore:

    • SCIM base URL

    • Bearer token (from Integrations → SCIM Tokens)

  • Ensure each Okta user has a unique External ID for matching.

  • Enable SCIM provisioning in your Seemore tenant.


Setup Steps

Step 1 — Create the Seemore App in Okta

  1. In the Okta Admin Console, go to Applications → Applications → Create App Integration.

  2. Select:

    • Sign-in method: OIDC – OpenID Connect

    • Application type: Web Application

  3. Configure:

    • App name: Seemore

    • Login redirect URI:

      https://<your-seemore-domain>/auth/okta/callback

  4. Assign test users or groups to the app.


Step 2 — Configure OIDC in Seemore

  1. In Seemore, open Settings → Preferences → Authentication → Okta.

  2. Enter:

    • Okta domain (from Okta)

    • Client ID / Secret (from the Okta app)

  3. Save and test. You should be redirected to Okta for sign-in and back to Seemore upon success.


Step 3 — Enable SCIM Provisioning in Seemore

  1. Check the box to Enable SCIM Provisioning and save.

  2. Click Create Token, then Save the generated token. You won’t be able to view it again later.


Step 4 — Enable SCIM Provisioning in Okta

  1. Confirm that an OpenID Connect application has already been registered in the Okta Workforce tenant for OIDC-based authentication.

  2. Confirm that Federation Broker Mode is disabled on your OpenID Connect application.

  3. Register a second application in Okta:

    • Go to Applications → Applications → Create App Integration

    • Choose Secure Web Authentication, then Next

  4. On the General App Settings page:

    • Set a name and a URL

    • Select Do not display application icon to users

    • The URL entered is not used in the SCIM integration

  5. Select Finish.

  6. Navigate to the General tab → Edit → Provisioning section.

  7. Choose SCIM, then Save.

  8. Navigate to Provisioning → Integration → Edit, and configure the following:

    • SCIM connector base URL: SCIM Endpoint URL copied earlier

    • Unique identifier field for users: userName

    • Under Supported provisioning actions, enable:

      • Push New Users

      • Push Profile Updates

    • Authentication Mode: HTTP Header

    • Paste the token value into the Authorization field

    • (Optional) Test the connection, then choose Save.

  9. Go to Provisioning → Settings → To App → Edit, then:

    • Enable Create Users, Update User Attributes, and Deactivate Users

    • Choose Save.

  10. Under Attribute Mappings, use the X button to delete the following lines, which are not needed and may cause issues during PUT operations:

    Attribute            Value
    Primary email type   (user.email != null && user.email != '') ? 'work' : ''
    Primary phone type   (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''
    Address type         (user.streetAddress != null && user.streetAddress != '') ? 'work' : ''

    Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read Okta's help section.

You can now test user provisioning in the Assignments tab or test update operations by editing user attributes under Directory → People in Okta.


Step 5 — Map User Attributes

Go to Provisioning → To App → Mappings and configure the following fields.

Add a custom property named externalId to link Okta users with Seemore users:

    Property             Value
    External name        externalId
    External namespace   urn:ietf:params:scim:schemas:core:2.0:User
    Data type            string

Then map the attributes:

    Okta Attribute                   Seemore Attribute   Description
    user.getInternalProperty("id")   user:external_id    Correlation ID between Okta and Seemore
    user.email                       user:role           Primary email address


Step 6 — Configure Role Assignment

Seemore expects roles as a multi-value SCIM attribute named roles.

In Okta:

  1. Edit the Seemore app’s schema by adding a custom attribute:

    • Name: roles

    • External name: user:roles

    • Type: Array

  2. Map the Okta role or group to this attribute:

    • Okta source: user.role (or your internal role field)

    • Target: roles

  3. Allowed values:

    • owner

    • admin

    • editor

    • viewer

⚙️ Technical Note: The SCIM spec requires this field to be an array (e.g., [{type:"XXX", value: "admin"}]), not a single string.

Step 7 — Provision and Test

  1. Assign a test user in Okta to the Seemore app.

  2. Verify in Seemore:

    • User appears under Admin → Users

    • External ID and email are correct

    • Role will sync upon user’s first login (session-level role binding)


Troubleshooting

    Symptom                           Cause                           Resolution
    User not created                  Invalid SCIM credentials        Check API token and Base URL
    Duplicate users                   external_id mismatch            Ensure user:external_id is unique
    Roles missing                     Sent as string                  Change to array type
    Role not visible post-provision   Role applies at session level   User must re-login
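
Added example (not Seemore's or Okta's code): a pre-flight check that applies the Step 6 role rules and the "Duplicate users" and "Roles missing" rows above to SCIM User payloads. It assumes roles arrive in the top-level roles attribute of a SCIM 2.0 core User resource; the sample users and IDs are constructed.

```python
# Added example: pre-flight check of SCIM User payloads (not Seemore or Okta code).
ALLOWED_ROLES = {"owner", "admin", "editor", "viewer"}    # allowed values from Step 6
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # namespace from Step 5

def check_user(payload):
    """Return a list of problems found in one SCIM User resource (a dict)."""
    problems = []
    if CORE_USER not in payload.get("schemas", []):
        problems.append("schemas: core User URN missing")
    for field in ("userName", "externalId"):
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
    roles = payload.get("roles")
    if roles is None:
        problems.append("roles: missing")
    elif not isinstance(roles, list):
        # The "Roles missing / Sent as string" row of the troubleshooting table.
        problems.append(f"roles: sent as {type(roles).__name__}, must be an array")
    else:
        for i, entry in enumerate(roles):
            value = entry.get("value") if isinstance(entry, dict) else None
            # Allow-list check: reject any role outside the four documented values.
            if not isinstance(value, str) or value not in ALLOWED_ROLES:
                problems.append(f"roles[{i}]: {value!r} is not an allowed role")
    return problems

def find_duplicate_external_ids(payloads):
    """Return externalId values that are shared by more than one userName."""
    owners = {}
    for p in payloads:
        ext = p.get("externalId")
        if isinstance(ext, str) and ext:
            owners.setdefault(ext, set()).add(str(p.get("userName")))
    return sorted(ext for ext, names in owners.items() if len(names) > 1)

# Constructed sample payloads (user names and IDs are made up for illustration).
SAMPLES = [
    {"schemas": [CORE_USER], "userName": "alice@example.com",
     "externalId": "00u1constructed", "roles": [{"type": "XXX", "value": "admin"}]},
    {"schemas": [CORE_USER], "userName": "bob@example.com",
     "externalId": "00u2constructed", "roles": "editor"},          # string, not array
    {"schemas": [CORE_USER], "userName": "carol@example.com",
     "externalId": "00u1constructed", "roles": [{"value": "superuser"}]},
]

if __name__ == "__main__":
    for user in SAMPLES:
        print(user["userName"], check_user(user) or "OK")
    print("duplicate externalId:", find_duplicate_external_ids(SAMPLES))
```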


Validation Checklist

  ✅ SCIM connection tested successfully

  ✅ User created in Seemore after Okta push

  ✅ Role appears correctly after login

  ✅ External ID matches Seemore internal ID

