Okta SSO & SCIM Provisioning
In this guide, you'll learn how to connect your Okta organization with Better Stack, enable single sign-on (SSO) for you and your colleagues, and turn on automatic user provisioning and profile syncing via SCIM.
SSO set-up walkthrough
Log in to your Better Stack administrator account.
In the bottom left, click Account settings → Settings.
In the Okta SSO section, click Connect.
Copy the Integration ID field; we're going to need it in a second.
We're going to switch to the Okta dashboard now.
Sign in to your Okta organization.
Select Applications from the left menu.
Click on Browse App Catalog and look for Better Stack.
Click on Add integration, and input the Integration ID that you copied before.
Make sure to assign your user account to the Better Stack application now - you won't be able to finish the setup otherwise.
After connecting the Better Stack application and assigning your user, switch to the Sign On panel.
Scroll down to SAML Signing Certificates, open the dropdown for the SHA-2 certificate, and open View IdP Metadata.
Copy the metadata link into the field back in the Better Stack settings. Alternatively, you can input the Identity Provider Single Sign-On URL and X.509 Certificate manually.
Click on Connect - you will be redirected to the Okta sign-on page. Sign in with the account you assigned to the Better Stack application.
Your Single Sign On is now configured!
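If you enter the Identity Provider Single Sign-On URL and X.509 Certificate manually instead of pasting the metadata link, it helps to read both values straight from the IdP metadata and record the certificate fingerprint. The following is an added example, not code from Better Stack or Okta; the sample metadata, entity ID, URL and the names inspect_idp_metadata and fingerprint are constructed for illustration, and the certificate body is placeholder bytes rather than a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: hypothetical entity ID and URL; the certificate body is
# placeholder bytes, not a real certificate (only its hash is taken here).
PLACEHOLDER_CERT = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="http://www.okta.com/exampleEntityId">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    # SHA-256 over the decoded certificate bytes, as lowercase hex.
    return hashlib.sha256(der).hexdigest()

def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the SSO URLs and signing-certificate fingerprints in IdP metadata."""
    # Intended for metadata downloaded from your own IdP, not untrusted XML.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        url = svc.get("Location", "")
        if urlparse(url).scheme != "https":
            raise ValueError(f"SSO URL is not https: {url!r}")
        sso_urls[svc.get("Binding", "").rsplit(":", 1)[-1]] = url
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    certs = [base64.b64decode("".join((c.text or "").split()))
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not sso_urls or not certs:
        raise ValueError("metadata lacks an SSO URL or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls,
            "cert_sha256": [fingerprint(c) for c in certs]}
```

Keeping the fingerprint on record makes it easy to confirm later that the certificate stored in the Better Stack settings still matches the one your Okta application publishes.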
Optional: For Just-In-Time Provisioning (JIT)
- Go to your Better Stack → Settings → Teams page.
- Click the 3 dots on the desired team, then click Configure.
- Add your e-mail domain to Pre-approved domains.
- Click Save changes.
Optional: SP-initiated SSO
The Okta Single Sign-On sign-in URL is available in Better Stack → Settings → Single Sign-On under Sign in URL.
The URL can also be constructed as follows:
https://betterstack.com/users/sign-in/sso/okta/[integrationId]
User provisioning
We support user provisioning from your Okta account using SCIM.
Supported features
- Create users
- Update user attributes
- Deactivate users
- Sync password
- Group push
Requirements
User Provisioning using SCIM requires a working Single Sign-On setup with Okta.
SCIM configuration steps
Setting up SCIM after you have finished the SSO walkthrough is straightforward. Follow these steps:
In the Better Stack Okta SSO settings, click on the Enable provisioning toggle.
Copy the Bearer token value that appears on the page.
Switch to the Okta dashboard, open the Better Stack application, and switch to the Provisioning tab.
Select Email as the Application username format.
Paste the copied Bearer token to the respective field in the Provisioning tab.
Click Save.
SCIM user provisioning is turned on, and the setup is now complete. When you want to send your users to Better Stack, simply assign them to the Better Stack application in your Okta organization, and they will sync automatically.
We also support pushing your user groups from Okta - each group will create a new team in Better Stack, along with the assigned Okta users. Note that when you deprovision an Okta group from the Better Stack Okta application, we delete the Better Stack team as well as any resources. Tread carefully to make sure you don't lose any configuration or data.
Troubleshooting
When you deactivate or remove a user from the SCIM integration in Okta, we automatically remove them from your Better Stack organization. Note that if the user already belongs to a different organization, their account is not deleted completely - they are only detached from your organization and all the relevant teams. When you re-connect the user via SCIM, they are simply re-added.