Okta SSO & SCIM Provisioning
In this guide, you're going to learn how to connect your Okta organization with Better Stack, steps on enabling single sign-on (SSO) for you and your colleagues, and a short walkthrough on how to turn on the automatic user provisioning and profile syncing via SCIM.
SSO set-up walkthrough
Start the SSO & SCIM set-up by going to your teams. Note that only organization admins have access to these settings.
On the page with the list of your teams, select Configure Single Sign-On.
Select *Okta SSO from the list of SSO providers.
Take note of the value in the Integration identifier field, we're going to need this in a second.
We're going to switch to the Okta dashboard now.
Sign in to your Okta organization.
Select Applications from the left menu.
Click on Browse App Catalog and look for Better Stack.
Click on Add integration, and input the Integration identifier that you copied before.
Make sure to assign your user account to the Better Stack application now - you won't be able to finish the setup otherwise.
After connecting the Better Stack application and assigning your user, switch to the Sign On panel.
Scroll down to SAML Signing Certificates, open the dropdown for the SHA-2 certificate, and open View IdP Metadata.
Copy the link to the metadata to the field you see back in the Better Stack settings. Alternatively, you can also input the Identity Provider Single Sign-On URL and X.509 Certificate manually.
Click on Connect - you will be redirected to the Okta Sign on page. Sign in with the account you assigned to the Better Stack application, please.
Tada! Your Single Sign On is now configured.
We support user provisioning from your Okta account using SCIM.
- Create users
- Update user attributes
- Deactivate users
- Sync password
- Group push
User Provisioning using SCIM requires a working Single Sign-On setup with Okta.
SCIM Configuration Steps
Setting up SCIM after you finished the SSO walkthrough should be very straightforward. Here are the instruction steps:
In the Better Stack Okta SSO settings, click on the Enable provisioning toggle.
Copy the Bearer token value that appears on the page.
Switch to the Okta dashboard, open the Better Stack application, and switch to the Provisioning tab.
Select Email as the Application username format.
Paste the copied Bearer token to the respective field in the Provisioning tab.
Click on Save.
SCIM user provisioning is turned on, and the setup is now complete. When you want to send your users to Better Stack, simply assign them to the Better Stack application in your Okta organization, and they will sync automatically.
We also support pushing your user groups from Okta - each group will create a new team in Better Stack, along with the assigned Okta users. Note that when you deprovision a Okta Group from the Better Stack Okta application, we delete the Better Stack team as well as any resources. It's important to tread carefully, to make sure you don't lose any configuration or data.
When you inactivate or remove a user from the SCIM integration in Okta, we automatically remove them from your Better Stack organization. Note that if the user already belongs to a different organization, their account is not deleted completely - they are only detached from your organization and all the relevant teams. When you re-connect the user via SCIM, they are simply re-added again.