SCIM Provisioning with Okta

This guide explains how to set up SCIM provisioning between Okta and Descope, enabling Okta to push users, user updates, deactivations, and groups to a Descope tenant.

Prerequisites

  • A functional SSO configuration between Okta and Descope must be in place.
  • A Descope tenant must be configured with an associated Access Key that includes the Tenant Admin role.
  • Assigned users and groups must exist in the Okta application.

Who gets provisioned is controlled in Okta

Okta only pushes users to Descope if they are assigned to the Okta application (the "Assignments" tab), either directly or as a member of an assigned group. Okta's Push Groups feature, which pushes group objects to Descope via SCIM, is separate from Assignments: being a member of a pushed group does not mean the user is assigned to the app, and only assigned users are provisioned. Okta's Group Attribute Statements (SAML) and OIDC group claims, which control which groups are sent in the authentication assertion, are a third, separate concern. With JIT disabled, a user who is not assigned cannot log in to your application.

For ongoing onboarding, the recommended pattern is to assign a group to the Okta application rather than assigning users one by one. New employees added to the group are then provisioned automatically. See SCIM Best Practices for the full pattern.

Step 1: Enable SCIM Provisioning in Okta

  1. Open your Okta application for Descope.
  2. Go to the General tab.
  3. Scroll down and check Enable SCIM provisioning.
  4. Click Save. This will reveal the Provisioning tab.

[Image: Enable SCIM provisioning in Okta]

Step 2: Configure the SCIM Integration

  1. Go to the Provisioning tab and click Edit in the SCIM Connection section.
  2. Enter the following values:

     Field                               Value
     SCIM Connector Base URL             https://api.descope.com/scim/v2
     Unique Identifier Field for Users   email
     Supported Actions                   Enable: Push New Users, Push Profile Updates, Push Groups
     Authentication Mode                 HTTP Header
     Authorization Header                Bearer <ProjectID>:<AccessKey>

The SCIM Connector Base URL can be found in the SCIM Provisioning section under your tenant's SSO configuration in the Descope Console.

[Image: Tenant URL]

  3. Click Test Connector Configuration. A successful test confirms support for creating users, updating attributes, and group management.

[Image: SCIM connector configuration in Okta]

Step 3: Enable Provisioning Actions

In the To App section under Provisioning:

  • Check the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

Click Save.

[Image: SCIM To App settings in Okta]

Step 4: Push Groups from Okta to Descope

  1. Go to the Push Groups tab in your Okta app.
  2. Select groups to push to Descope.
  3. These groups will be interpreted as Descope Roles and can be used for access control in flows and session-based policies.

For additional details on role mapping, see the SSO Group Mapping Guide.
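
An added example (not Okta's or Descope's code) that applies the Assignments versus Push Groups rule from "Who gets provisioned is controlled in Okta" together with Step 4: it reports pushed-group members who are never provisioned and provisioned users who get no role from a pushed group. The group names, emails, and dictionary shapes are constructed assumptions, not an Okta export format.

```python
# Constructed sample data; these shapes are assumptions for illustration,
# not an Okta or Descope export format.
GROUP_MEMBERS = {  # Okta group -> member emails
    "engineering": {"ana@example.com", "bo@example.com"},
    "contractors": {"cy@example.com"},
    "admins": {"ana@example.com", "dee@example.com"},
}
ASSIGNED_GROUPS = {"engineering"}     # Assignments tab: groups
ASSIGNED_USERS = {"eli@example.com"}  # Assignments tab: individual users
PUSHED_GROUPS = {"engineering", "admins", "contractors"}  # Push Groups tab


def provisioned_users(group_members, assigned_groups, assigned_users):
    """Users Okta pushes over SCIM: assigned directly or via an assigned group."""
    users = set(assigned_users)
    for group in assigned_groups:
        users |= group_members.get(group, set())
    return users


def audit(group_members, assigned_groups, assigned_users, pushed_groups):
    """Report gaps between Assignments and Push Groups."""
    provisioned = provisioned_users(group_members, assigned_groups, assigned_users)
    # Members of a pushed group who are not assigned: the group (role) exists
    # in Descope, but these users are never created there.
    not_provisioned = {}
    for group in sorted(pushed_groups):
        missing = group_members.get(group, set()) - provisioned
        if missing:
            not_provisioned[group] = sorted(missing)
    # Provisioned users who belong to no pushed group: created in Descope,
    # but they receive no role from group push.
    in_pushed = set()
    for group in pushed_groups:
        in_pushed |= group_members.get(group, set())
    return {
        "provisioned": sorted(provisioned),
        "pushed_but_not_provisioned": not_provisioned,
        "provisioned_without_pushed_group": sorted(provisioned - in_pushed),
    }


if __name__ == "__main__":
    report = audit(GROUP_MEMBERS, ASSIGNED_GROUPS, ASSIGNED_USERS, PUSHED_GROUPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With JIT disabled, every address under `pushed_but_not_provisioned` is a user who cannot log in until they are assigned to the Okta application.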
