SCIM Provisioning with Okta
This guide explains how to set up SCIM provisioning between Okta and Descope, enabling Okta to push users, user updates, deactivations, and groups to a Descope tenant.
Prerequisites
- A functional SSO configuration between Okta and Descope must be in place.
- A Descope tenant must be configured with an associated Access Key that includes the Tenant Admin role.
- Assigned users and groups must exist in the Okta application.
- If SCIM is being used, disable JIT provisioning for the tenant in Tenant Settings to prevent potential attribute conflicts during login.
Step 1: Enable SCIM Provisioning in Okta
- Open your Okta application for Descope.
- Go to the General tab.
- Scroll down and check Enable SCIM provisioning.
- Click Save. This will reveal the Provisioning tab.
Step 2: Configure the SCIM Integration
- Go to the Provisioning tab and click Edit in the SCIM Connection section.
- Enter the following values:
| Field | Value |
| --- | --- |
| SCIM Connector Base URL | https://api.descope.com/scim/v2 |
| Unique Identifier Field for Users | email |
| Supported Actions | Enable: Push New Users, Push Profile Updates, Push Groups |
| Authentication Mode | HTTP Header |
| Authorization Header | Bearer <ProjectID>:<AccessKey> |
The SCIM Connector Base URL can be found in the SCIM Provisioning section under your tenant's SSO configuration in the Descope Console.
- Click Test Connector Configuration. A successful test confirms support for creating users, updating attributes, and group management.
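A pre-flight check for the two Step 2 values that carry the Tenant Admin access key, written as an added example (not Descope or Okta code). The function names and the sample project ID and access key are constructed for illustration; the expected path comes from the Base URL in the table, and the check looks at the Authorization header value as it is sent.

```python
import re
from urllib.parse import urlsplit

# Path taken from the SCIM Connector Base URL shown in the Step 2 table.
EXPECTED_PATH = "/scim/v2"
# "Bearer <ProjectID>:<AccessKey>": split on the first colon, no whitespace.
HEADER_RE = re.compile(r"Bearer ([^\s:<>]+):([^\s<>]+)")


def check_scim_settings(base_url: str, auth_header: str) -> list[str]:
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    url = urlsplit(base_url)
    if url.scheme != "https":
        problems.append("base URL must use https: the header carries an access key")
    if url.path.rstrip("/") != EXPECTED_PATH:
        problems.append(f"base URL path should be {EXPECTED_PATH}")
    if url.query or url.fragment or url.username:
        problems.append("base URL must not carry a query, fragment or credentials")
    if "<" in auth_header or ">" in auth_header:
        problems.append("placeholder left in header: fill in ProjectID and AccessKey")
    elif not HEADER_RE.fullmatch(auth_header):
        # Catches a missing colon, missing "Bearer", or stray whitespace
        # picked up when the key was pasted.
        problems.append("header must be exactly 'Bearer ProjectID:AccessKey'")
    return problems


def redact_header(auth_header: str) -> str:
    """Mask the access key so the header can be quoted in tickets or logs."""
    m = HEADER_RE.fullmatch(auth_header)
    if not m:
        return "<malformed Authorization header>"
    return f"Bearer {m.group(1)}:{'*' * 8}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    header = "Bearer P2constructedProjectId:K2constructedAccessKey"
    for url in ("https://api.descope.com/scim/v2", "http://api.descope.com/scim"):
        print(url, check_scim_settings(url, header) or "ok")
    print(redact_header(header))
```
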
Step 3: Enable Provisioning Actions
In the To App section under Provisioning:
- Check the following options:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Click Save.
Step 4: Push Groups from Okta to Descope
- Go to the Push Groups tab in your Okta app.
- Select groups to push to Descope.
- These groups will be interpreted as Descope Roles and can be used for access control in flows and session-based policies.
For additional details on role mapping, see the SSO Group Mapping Guide.