Okta SCIM Provisioning
This guide outlines the process for setting up SCIM (System for Cross-domain Identity Management) integration between Statsig and Okta. This integration allows for automated user provisioning and management.
Prerequisites
- An Okta account with admin access
- A SCIM Key from Statsig. Contact us to request a new SCIM key.
Step 1: Create a New App Integration in Okta
- Log in to your Okta admin console
- Navigate to Applications > Applications > Create App Integration
- Select "SWA - Secure Web Authentication"
Step 2: Configure App Settings
- Set the App name to "Statsig SCIM"
- Enter a placeholder URL for the App Login Page (this is a required field but not used for SCIM)
Step 3: Enable SCIM Provisioning
- After creating the integration, go to the "General" tab
- Click on "Edit" in the "Provisioning" section
- Enable "SCIM Provisioning"
Step 4: Configure SCIM Settings
- Navigate to the "Provisioning" tab
- Set the SCIM connector base URL to: https://statsigapi.net/scim
- Set "Unique identifier field for users" to "userName"
- Enable:
  - Import New Users and Profile Update
  - Push New Users
  - Push Profile Updates
  - Push Groups
- Set the authentication mode to "HTTP Header"
- For the authorization header, use the SCIM Bearer token provided to you by Statsig
Step 5: Configure Okta to Statsig Settings
- Enable "Create Users"
- Enable "Update User Attributes"
- Enable "Deactivate Users"
Step 6: Import Existing Statsig Users and Groups
- In Okta, go to the Statsig app's "Import" tab
- Click "Import Now" to fetch existing Statsig users and groups
- Process the imported users as needed
Step 7: Manage User Assignments
- Use the "Assignments" tab in Okta to add or remove users from Statsig
- Adding a user assignment in Okta will create the user in Statsig, while removing the assignment will deactivate the user's Statsig account
Step 8: Push Groups to Statsig
- In Okta, go to the Statsig Integration's "Push Groups" tab
- Click the settings button and disable "Rename Groups"
- Click "Push Groups" and select the method for finding groups in Okta.
- Type in and select the Okta group that will push to a Statsig Project x Role Group.
- Change "Match Result & Push Action" to "Link Group"
- Select the Statsig Project x Role Group that the Okta group will push to. We display the Statsig Project x Role Group with the format Statsig-<Project Name>-<Role Name> on Okta.
- Then link the Okta group to a Statsig Project x Role Group. On save the group should push to Statsig. All future group changes on Okta will be pushed to Statsig.
Important Notes
- User email management is not enabled on SCIM yet.
- The Org Owner cannot be removed via SCIM; the attempt will throw an error. This is to prevent accidents on the Okta side.
- When a user is removed from Statsig, they will be automatically unassigned in Okta. Conversely, if a user is unassigned or deactivated in Okta, they will be removed from the Statsig Organization.
Troubleshooting
- Ensure the SCIM Bearer token is correctly entered and has not expired
- Check Okta's System Log for any synchronization errors
- Verify that user attributes are correctly mapped between Okta and Statsig
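An added example (not from Statsig's or Okta's documentation) for the System Log check above: it filters an exported System Log for failed provisioning events against the app and lists failed deactivations first, since those can leave a Statsig account active after the user is unassigned in Okta. The sample events and reason strings are constructed, and the filter assumes Okta's `application.provision.*` event types and the app name from Step 2.

```python
import json

APP_NAME = "Statsig SCIM"          # app name chosen in Step 2
PREFIX = "application.provision."  # assumed Okta provisioning event family
# Constructed sample in the shape of an Okta System Log export (not real data).
SAMPLE = json.loads("""[
 {"published":"2024-05-01T10:00:00Z","eventType":"application.provision.user.push",
  "outcome":{"result":"SUCCESS","reason":null},
  "target":[{"type":"AppInstance","displayName":"Statsig SCIM"},
            {"type":"AppUser","alternateId":"alice@example.com"}]},
 {"published":"2024-05-01T10:05:00Z","eventType":"application.provision.user.push",
  "outcome":{"result":"FAILURE","reason":"constructed: 401 from SCIM endpoint"},
  "target":[{"type":"AppInstance","displayName":"Statsig SCIM"},
            {"type":"AppUser","alternateId":"bob@example.com"}]},
 {"published":"2024-05-01T10:09:00Z","eventType":"application.provision.user.deactivate",
  "outcome":{"result":"FAILURE","reason":"constructed: 401 from SCIM endpoint"},
  "target":[{"type":"AppInstance","displayName":"Statsig SCIM"},
            {"type":"AppUser","alternateId":"carol@example.com"}]},
 {"published":"2024-05-01T10:10:00Z","eventType":"application.provision.user.push",
  "outcome":{"result":"FAILURE","reason":"constructed: timeout"},
  "target":[{"type":"AppInstance","displayName":"Other App"},
            {"type":"AppUser","alternateId":"dave@example.com"}]},
 {"published":"2024-05-01T10:11:00Z","eventType":"user.session.start",
  "outcome":{"result":"FAILURE","reason":"constructed: bad password"},"target":null}
]""")

def _targets(ev, kind):
    return [t for t in (ev.get("target") or []) if t.get("type") == kind]

def failed_provisioning(events, app_name=APP_NAME):
    """Failed provisioning events for one app, failed deactivations first."""
    hits = []
    for ev in events:
        outcome = ev.get("outcome") or {}
        if not ev.get("eventType", "").startswith(PREFIX) or outcome.get("result") != "FAILURE":
            continue
        if not any(t.get("displayName") == app_name for t in _targets(ev, "AppInstance")):
            continue
        users = _targets(ev, "AppUser")
        hits.append({"time": ev.get("published"), "event": ev["eventType"],
                     "user": users[0].get("alternateId") if users else None,
                     "reason": outcome.get("reason"),
                     # a failed deactivation can leave the Statsig account active
                     "deprovision_failed": ev["eventType"].endswith(".deactivate")})
    return sorted(hits, key=lambda h: (not h["deprovision_failed"], h["time"] or ""))

if __name__ == "__main__":
    print(*failed_provisioning(SAMPLE), sep="\n")
```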
For further assistance, please contact Statsig support.