Explore documentation
  1. Welcome 👋
  2. Product
    1. Tracing ↗
    2. Incident management ↗
    3. Uptime monitoring ↗
    4. Log management ↗
    5. Infrastructure monitoring ↗
    6. Status page ↗
    7. Error tracking ↗
    8. Warehouse ↗
  3. Integrations
    1. Integrating with Better Stack
    2. iOS & Android
    3. SSO providers
      1. AWS SSO
      2. Azure SSO
      3. Okta SSO
        1. Overview
        2. SAML setup instructions
        3. SCIM setup instructions
        4. Dynamic RBAC Assignments
      4. Other SSO providers
    4. Terraform
    5. MCP server
  4. Team and account management
    1. Team management
    2. Account settings
    3. Reporting
    4. Audit logs
  5. Design
    1. Brand guidelines

Okta SSO & SCIM Provisioning

Connect your Okta organization with Better Stack to enable single sign-on (SSO) and automatic user provisioning via SCIM.

SSO setup

Supported features

  • IdP-initiated SSO
  • SP-initiated SSO
  • Just-in-Time provisioning

Configuration steps

  1. Go to Single Sign-On settings and click Connect in the Okta SSO section.
  2. Copy the Integration ID. You will need it in a moment.

In Okta

  1. Sign in to your Okta organization.
  2. Go to Applications and click Browse App Catalog.
  3. Search for Better Stack and click Add integration.
  4. Enter the Integration ID you copied from Better Stack.
  5. Assign your user account to the Better Stack application. You won't be able to finish the setup otherwise.
  6. Go to the Sign On tab.
  7. Under SAML Signing Certificates, open the dropdown for the SHA-2 certificate and click View IdP Metadata.
  8. Copy the metadata link.

In Better Stack

  1. Paste the metadata link into the corresponding field in your Better Stack SSO settings. Alternatively, you can enter the Identity Provider Single Sign-On URL and X.509 Certificate manually.
  2. Click Connect. You will be redirected to Okta to sign in.

Your Single Sign-On is now configured. 🎉

Optional: Just-in-time provisioning (JIT)

  1. Go to Teams.
  2. Click the three dots on the desired team and select Configure.
  3. Add your email domain to Pre-approved domains.
  4. Click Save changes.

Optional: SP-initiated SSO

The Okta Single Sign-On URL is available in your Single Sign-On settings under Sign in URL.

The URL can also be constructed as follows: https://betterstack.com/users/sign-in/sso/okta/[integrationId]

User provisioning (SCIM)

Use SCIM to automatically provision users and sync profiles from Okta.

Prerequisites

User provisioning using SCIM requires a working SSO setup with Okta.

Supported features

  • Create users
  • Update user attributes
  • Deactivate users
  • Sync password
  • Group push

SCIM configuration steps

  1. In your Okta SSO settings in Better Stack, enable the Provisioning toggle.
  2. Copy the Bearer token.
  3. In your Okta dashboard, open the Better Stack application and go to the Provisioning tab.
  4. For Application username format, select Email.
  5. Paste the Bearer token into the corresponding field.
  6. Click Save.
  7. While still on the Provisioning tab, click Edit next to Provisioning to App.
  8. Enable Create Users, Update User Attributes, and Deactivate Users.
  9. Click Save.

SCIM user provisioning is now active. When you assign users to the Better Stack application in Okta, they will sync automatically.

We also support pushing user groups from Okta. Each group will create a new team in Better Stack with the assigned users.

Deprovisioning or incorrectly syncing an Okta group will lead to the deletion of the Better Stack team and all its resources. Proceed with caution to avoid data loss.

Troubleshooting

When you deactivate or remove a user from the SCIM integration in Okta, we automatically remove them from your Better Stack organization. If the user belongs to another organization, their account is not deleted completely—they are only detached from your organization and teams. Reconnecting the user via SCIM will re-add them.