Portkey supports provisioning Users & Groups with Okta SAML Apps.

Okta does not support SCIM Provisioning with OIDC apps; only SAML apps are supported.

To set up SCIM provisioning between Portkey and Okta, you must first create a SAML App on Okta.


Setting up SCIM Provisioning

  1. Navigate to the app settings. Under general settings, enable the SCIM provisioning checkbox.

    The Provisioning tab should be visible after enabling SCIM provisioning. Navigate to that page.

  2. Obtain the Tenant URL and Secret Token from the Portkey Admin Settings page (if SCIM is enabled for your organization).

  3. Fill in the values from the Portkey dashboard into Okta’s provisioning settings and click Test Connection. If successful, click Save.

    Ensure you choose the Authentication Mode as HTTP Header.

  4. Check all the boxes as specified in the image below for full support of SCIM provisioning operations.

  5. Once the details are saved, you will see two more options along with integration, namely To App and To Okta.

    Select To App to configure provisioning from Okta to Portkey.

    Enable the following checkboxes:

    • Create Users
    • Update User Attributes
    • Deactivate Users

    After saving the settings, the application header should resemble the following image.

This completes the SCIM provisioning settings between Okta and Portkey.

Whenever you assign a User or Group to the application, Okta automatically pushes the updates to Portkey.


Group Provisioning with Okta

Portkey supports RBAC (Role-Based Access Control) for workspaces mapped to groups in Okta. Use the following naming convention for groups:

  • Format: ws-{group}-role-{role}
    • Role: One of admin, member, or manager
  • A user should belong to only one group per {group}.

Example: For a Sales workspace:

  • ws-Sales-role-admin
  • ws-Sales-role-manager
  • ws-Sales-role-member

Users assigned to these groups will inherit the corresponding role in Portkey.

Automatic provisioning with Okta works for Users, but it does not automatically work for Groups.

To support automatic provisioning for groups, you must first push the groups to the App (Portkey). Then, Okta will automatically provision updates.

To push the groups to Portkey, navigate to the Push Groups tab. If it is not found, ensure you have followed all the steps correctly and enabled all the fields mentioned in the Provisioning steps.

  1. Click on Push Groups.

  2. Select Find group by name.

  3. Enter the name of the group, select the group from the list, and click Save or Save & Add Another to assign a new group.

You can also use Find groups by rule to push multiple groups using a filter.

If there is any discrepancy or issue with group provisioning, you can retry provisioning by clicking the Push Now option. This can be found under the Push Status column in the groups list.


Support

If you encounter any issues with group provisioning, please reach out to us here.

Was this page helpful?