Configure SCIM for Okta

Set Up SCIM Provisioning for Oneflow in Okta

Step 1: Open the Okta Admin Console

  1. Log in at https://admin.okta.com.
  2. In the left navigation panel, navigate to Applications > Applications.
  3. Click Create App Integration.

Step 2: Choose the Sign-In Method

  1. In the Create a new app integration window, select SWA – Secure Web Authentication.
  2. Click Next.

Step 3: Configure SWA Integration

  1. Enter a name in the App name field.
  2. Enter https://app.oneflow.com/login as the App login URL (required).
  3. Optionally, upload a logo for easier identification.
  4. Adjust User Sign-In Options as needed.
  5. Click Finish.

Note:

The login page URL is required by Okta to complete the app integration but does not enable direct login to Oneflow. Oneflow does not support authentication through Okta, and users' passwords are never passed to the Oneflow API. This setup is used only for user provisioning via the SCIM API (i.e. to create users).

Step 4: Confirm the Application is Created

  1. Return to Applications > Applications.
  2. Under the Active tab, locate the new app.
  3. Click the app name to open its settings.

Step 5: Enable SCIM Provisioning

  1. In the General tab of the application, scroll to the Provisioning section.
  2. Select SCIM as the provisioning method.
  3. Click Save.

Step 6: Configure SCIM Settings

  • Go to the Provisioning settings page of the created app.
  • Under the Integration settings, configure the settings as shown in the figure below.
  • Obtain a SCIM token from the Oneflow application.
  • Provide the token in the Authorization field.
  1. Under Integration, enter the SCIM base URL and paste the SCIM token obtained from Oneflow.
  2. In Oneflow, navigate to the Marketplace, select SCIM, click Enable, then copy the API token that appears and save it securely.
  3. In Okta, open the app's Provisioning settings.
  4. Save the changes.

After saving, the To App section appears in the Provisioning tab. This is where you define how user attributes are provisioned.

Step 7: Enable Provisioning Actions

  • Under Provisioning > To App settings, enable the following options:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  • Click Save to apply the changes

Note:

Currently, Okta supports the following user provisioning capabilities: creating users, updating user attributes, deactivating users, and syncing passwords to integrated applications. However, Oneflow only supports creating users, updating user attributes, and deactivating users via the SCIM API. Additionally, group provisioning is not supported by Okta with this app integration.

Step 8: Map Attributes

  • Map the user attributes exactly as shown in the figure below.
  • Remove any unnecessary attributes by clicking the 'X' button next to each unwanted attribute.
  • Ensure that the Primary Phone type is set to "work" for all users during the attribute mapping process.

  • If you are unable to edit an attribute directly from the Provisioning screen:
    • Click Go to Profile Editor.
    • Locate and click the edit button on the relevant attribute.
    • Make the necessary changes, such as marking the attribute as not required (deselect the 'Yes' option).

Note:

For more information about user attributes in the Oneflow SCIM API, refer to the API documentation at https://developer.oneflow.com/reference/api-overview-1.
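The mapping rules in Step 8 and the password note in Step 3 can be checked against a sample payload before rollout. The following is an added example, not Oneflow or Okta code: attribute names follow the SCIM 2.0 core User schema (RFC 7643), the sample payloads are constructed, and the set of attributes Oneflow accepts is an assumption because the mapping figure is not reproduced here.

```python
# Added example: pre-flight check of a SCIM 2.0 User payload before rollout.
# Attribute names follow RFC 7643; Oneflow's exact attribute set is not
# listed on this page, so only the rules the page states are enforced.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def check_scim_user(resource):
    """Return a list of findings; an empty list means the payload passes."""
    findings = []
    if USER_SCHEMA not in resource.get("schemas", []):
        findings.append("missing core User schema URN")
    if not resource.get("userName"):
        findings.append("userName is empty")
    # The page states passwords are never passed to the Oneflow API.
    if "password" in resource:
        findings.append("password attribute present in payload")
    primary = [p for p in resource.get("phoneNumbers", []) if p.get("primary")]
    if len(primary) > 1:
        findings.append("more than one primary phone number")
    for phone in primary:
        # Step 8: the primary phone type must be "work".
        if phone.get("type") != "work":
            findings.append(f"primary phone type is {phone.get('type')!r}")
    if "active" in resource and not isinstance(resource["active"], bool):
        findings.append("active is not a JSON boolean")
    return findings


# Constructed sample payloads (not real users).
GOOD = {
    "schemas": [USER_SCHEMA],
    "userName": "anna@example.com",
    "name": {"givenName": "Anna", "familyName": "Berg"},
    "emails": [{"value": "anna@example.com", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "+46 8 555 0100", "type": "work", "primary": True}],
    "active": True,
}
BAD = dict(GOOD, password="hunter2", active="true",
           phoneNumbers=[{"value": "+46 70 555 0101", "type": "mobile", "primary": True}])

if __name__ == "__main__":
    for label, payload in (("good", GOOD), ("bad", BAD)):
        print(label, check_scim_user(payload) or "ok")
```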

Step 9: Assign Users to the App Integration

Once the SCIM provisioning is configured, you can assign users and groups to the created app integration using one of the following methods.

  • Option 1: Manual assignment
  • Option 2: Group assignment
  • Option 3: Assign the "Everyone" group

Note:

Oneflow supports only one-way provisioning, from Okta to Oneflow.

Option 1: Manual Assignment

One common approach is to manually assign users. There are two ways to do this:

  • From the App View
  • From the People Directory

From the App View

  1. Navigate to the created app in Okta.
  2. Click Assignments > Assign > Assign to People.
  3. Select the users you wish to provision.

From the People Directory:

  1. Go to Directory > People.
  2. Select the desired user.
  3. Under the Applications section, click Assign Applications.
  4. Choose the app you created and assign it.

Option 2: Group Assignment

You can also assign a group to the created app integration. There are a few ways to do this:

From the App View

  1. Navigate to the created app in Okta.
  2. Click Assignments > Assign > Assign to Groups.
  3. Select the group you wish to assign.

Once assigned to the app integration, the user will be automatically provisioned to Oneflow via the SCIM API.

From the Groups Directory:

  1. Navigate to Directory > Groups.
  2. Select an existing group or create a new one.
  3. Under the Applications tab, assign the app integration to the group.

Information:

Once the app is assigned to the group, any user added to that group, either manually or via dynamic group rules, will be automatically assigned to the app and provisioned in Oneflow via SCIM API.

  • All users in that group will be automatically provisioned to Oneflow.
  • Group membership can be managed manually or dynamically.

Option 3: Assign the “Everyone” Group

Okta provides a built-in “Everyone” group that includes all users in your organization. You can assign this group to your app integration to ensure that every user is automatically provisioned to Oneflow via SCIM.

There are two main ways to assign the “Everyone” group:

  • From the App View
  • From the Groups Directory 

From the App View:

  1. Navigate to the created app in Okta.
  2. Click Assignments > Assign > Assign to Groups.
  3. Search for and select the “Everyone” group.
  4. Confirm the assignment.

From the Groups Directory:

  1. Navigate to Directory > Groups.
  2. Select Everyone.
  3. Under the Applications tab, assign the app integration.

Information:

Once this is configured, any new user created in Okta will be automatically assigned to the app integration and subsequently provisioned to Oneflow using the SCIM API, with no manual steps required.

Step 10: Manage Updates and Deactivations

  • Changes to mapped user attributes in Okta will automatically update in Oneflow.
  • Deactivating a user in Okta will deactivate the corresponding user in Oneflow.

Step 11: Troubleshoot Provisioning

  1. Navigate to Dashboard > Tasks in the Okta Admin Console.
  2. Review failed provisioning tasks.
  3. Manually retry any failed tasks from this view.
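Because provisioning is one-way and a failed deactivation task leaves an account active in Oneflow, a periodic reconciliation of the two user lists catches drift that the Tasks view may miss. The following is an added example, not Oneflow or Okta code: the input shapes, the use of the Okta login as the SCIM userName, and the sample data are assumptions, and how each list is exported is outside what this page covers.

```python
# Added example: reconcile Okta user state with Oneflow accounts.
# Input shapes are assumptions: okta_users maps login -> Okta status,
# oneflow_users is a list of SCIM-style dicts with userName and active.
def find_drift(okta_users, oneflow_users):
    """Return account names grouped by the kind of drift detected."""
    okta = {login.lower(): status for login, status in okta_users.items()}
    seen = set()
    drift = {"stale_active": [], "unmanaged": [], "not_provisioned": []}
    for account in oneflow_users:
        name = account["userName"].lower()
        seen.add(name)
        # A missing "active" flag is treated as active (conservative).
        if not account.get("active", True):
            continue  # already deactivated in Oneflow
        status = okta.get(name)
        if status is None:
            # Active in Oneflow but unknown to Okta: created outside SCIM.
            drift["unmanaged"].append(name)
        elif status != "ACTIVE":
            # Okta user is no longer active, yet the Oneflow account is.
            drift["stale_active"].append(name)
    # Active Okta users with no Oneflow account: a create task likely failed.
    drift["not_provisioned"] = [
        n for n, s in okta.items() if s == "ACTIVE" and n not in seen
    ]
    return {kind: sorted(names) for kind, names in drift.items()}


# Constructed sample data (not real users).
OKTA_USERS = {
    "Anna@example.com": "ACTIVE",
    "bo@example.com": "DEPROVISIONED",
    "cy@example.com": "ACTIVE",
    "eli@example.com": "DEPROVISIONED",
}
ONEFLOW_USERS = [
    {"userName": "anna@example.com", "active": True},
    {"userName": "bo@example.com", "active": True},
    {"userName": "dee@example.com", "active": True},
    {"userName": "eli@example.com", "active": False},
]

if __name__ == "__main__":
    for kind, names in find_drift(OKTA_USERS, ONEFLOW_USERS).items():
        print(f"{kind}: {names}")
```

Accounts reported as stale_active are the ones to prioritise, since they belong to users Okta has already deactivated.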

This completes the SCIM provisioning setup between Okta and Oneflow.
