# Okta SSO & SCIM Provisioning

Connect your Okta organization with Better Stack to enable single sign-on (SSO) and automatic user provisioning via SCIM.

## SSO setup

### Supported features

-   IdP-initiated SSO
-   SP-initiated SSO
-   Just-in-Time provisioning

### Configuration steps

1.  Go to [Single Sign-On settings](https://betterstack.com/settings/sso ";_blank") and click **Connect** in the **Okta SSO** section.
2.  Copy the **Integration ID**. You will need it in a moment.

#### In Okta

1.  Sign in to your Okta organization.
2.  Go to **Applications** and click **Browse App Catalog**.
3.  Search for **Better Stack** and click **Add integration**.
4.  Enter the **Integration ID** you copied from Better Stack.
5.  Assign your user account to the Better Stack application. You won't be able to finish the setup otherwise.
6.  Go to the **Sign On** tab.
7.  Under **SAML Signing Certificates**, open the dropdown for the **SHA-2** certificate and click **View IdP Metadata**.
8.  Copy the metadata link.

#### In Better Stack

1.  Paste the metadata link into the corresponding field in your Better Stack SSO settings. Alternatively, you can enter the **Identity Provider Single Sign-On URL** and **X.509 Certificate** manually.
2.  Click **Connect**. You will be redirected to Okta to sign in.

Your Single Sign-On is now configured. 🎉

### Optional: Just-in-time provisioning (JIT)

1.  Go to [Teams](https://betterstack.com/settings/teams ";_blank").
2.  Click the three dots on the desired team and select **Configure**.
3.  Add your email domain to **Pre-approved domains**.
4.  Click **Save changes**.

### Optional: SP-initiated SSO

The Okta Single Sign-On URL is available in your [Single Sign-On settings](https://betterstack.com/settings/sso ";_blank") under **Sign in URL**.

The URL can also be constructed as follows:
`https://betterstack.com/users/sign-in/sso/okta/[integrationId]`

## User provisioning (SCIM)

Use SCIM to automatically provision users and sync profiles from Okta.

### Prerequisites

User provisioning using SCIM requires a working SSO setup with Okta.

### Supported features

-   Create users
-   Update user attributes
-   Deactivate users
-   Sync password
-   Group push

### SCIM configuration steps

1.  In your [Okta SSO settings](https://betterstack.com/settings/sso/edit ";_blank") in Better Stack, enable the **Provisioning** toggle.
2.  Copy the **Bearer token**.
3.  In your Okta dashboard, open the Better Stack application and go to the **Provisioning** tab.
4.  For **Application username format**, select **Email**.
5.  Paste the **Bearer token** into the corresponding field.
6.  Click **Save**.
7.  While still on the **Provisioning** tab, click **Edit** next to **Provisioning to App**.
8.  Enable **Create Users**, **Update User Attributes**, and **Deactivate Users**.
9.  Click **Save**.

SCIM user provisioning is now active. When you assign users to the Better Stack application in Okta, they will sync automatically.

We also support pushing user groups from Okta. Each group will create a new team in Better Stack with the assigned users.

[warning]
Deprovisioning or incorrectly syncing an Okta group will lead to the deletion of the Better Stack team and all its resources. Proceed with caution to avoid data loss.
[/warning]

### Troubleshooting

When you deactivate or remove a user from the SCIM integration in Okta, we automatically remove them from your Better Stack organization. If the user belongs to another organization, their account is not deleted completely—they are only detached from your organization and teams. Reconnecting the user via SCIM will re-add them.