Okta SCIM Provisioning

SCIM is currently a work in progress feature and in Closed Beta.

For any questions or support, feel free to reach out to us through Slack.

This guide outlines the process for setting up SCIM (System for Cross-domain Identity Management) integration between Statsig and Okta. This integration allows for automated user provisioning and management.

Prerequisites

An Okta account with admin access
A SCIM Key from Statsig. Contact us to request for a new SCIM key.

Step 1: Create a New App Integration in Okta

Log in to your Okta admin console
Navigate to Applications > Applications > Create App Integration
Select "SWA - Secure Web Authentication"

Step 2: Configure App Settings

Set the App name to "Statsig SCIM"
Enter a placeholder URL for the App Login Page (this is a required field but not used for SCIM)

Step 3: Enable SCIM Provisioning

After creating the integration, go to the "General" tab
Click on "Edit" in the "Provisioning" section
Enable "SCIM Provisioning"

Step 4: Configure SCIM Settings

Navigate to the "Provisioning" tab
Set the SCIM connector base URL to: https://statsigapi.net/scim
Set "Unique identifier field for users" to "userName"
Enable
- Import New Users and Profile Update
- Push New Users
- Push Profile Updates
- Push Groups
Set the authentication mode to "HTTP Header"
For the authorization header, use the SCIM Bearer token provided to you by statsig

Step 5: Configure Okta to Statsig Settings

Enable "Create Users"
Enable "Update User Attributes"
Enable "Deactivate Users"

Step 6: Import Existing Statsig Users and Groups

In Okta, go to the Statsig app's "Import" tab
Click "Import Now" to fetch existing Statsig users and groups
Process the imported users as needed

Step 7: Manage User Assignments

Use the "Assignments" tab in Okta to add or remove users from Statsig
Adding a user assignment in Okta will create the user in Statsig, while removing the assignment will deactivate the user's Statsig account

Step 8: Push Groups to Statsig

In Okta, go to the Statsig Integration's "Push Groups" tab
Click the settings button and disable "Rename Groups"
Click "Push Groups" and select the method for finding groups in Okta.
Type in and select the Okta group that will push to a Statsig Project x Role Group.
Change "Match Result & Push Action" to "Link Group"
Select the Statsig Project x Role Group that the Okta group will push to. We display the Statsig Project x Role Group with the format Statsig-<Project Name>-<Role Name> on Okta.
Then link the Okta group to a Statsig Project x Role Group. On save the group should push to Statsig. All future group changes on Okta will be pushed to Statsig.

Important Notes

User email management is not enabled on SCIM yet.
The Org Owner cannot be removed via SCIM, it will throw an error. This is prevent accidents on the Okta side.
When a user is removed from Statsig, they will be automatically unassigned in Okta. Conversely, if a user is unassigned or deactivated in Okta, they will be removed from the Statsig Organization.

Troubleshooting

Ensure the SCIM Bearer token is correctly entered and has not expired
Check Okta's System Log for any synchronization errors
Verify that user attributes are correctly mapped between Okta and Statsig

For further assistance, please contact Statsig support.

Prerequisites​

Step 1: Create a New App Integration in Okta​

Step 2: Configure App Settings​

Step 3: Enable SCIM Provisioning​

Step 4: Configure SCIM Settings​

Step 5: Configure Okta to Statsig Settings​

Step 6: Import Existing Statsig Users and Groups​

Step 7: Manage User Assignments​

Step 8: Push Groups to Statsig​

Important Notes​

Troubleshooting​