Set up SCIM for Okta

Last updated:

With SCIM, we provide the ability to auto-provision and manage Pendo users in Okta. SCIM is available for Premium customers or as an add-on. Contact your Pendo representative for more information.

Before continuing, complete the instructions in Set up SAML for Okta. SSO with SAML is required for your users to authenticate through Okta. After this is set up, SAML SSO with SCIM allows you to create, provision, and deprovision users through Okta, without signing in to Pendo.

SCIM features

After you've set up SAML with SCIM for Okta, you can perform the following actions:

  • Create users. Assign Okta users to Pendo so that they're added as users in Pendo.
  • Update users. Automatically push updates made in Okta to Pendo to keep them in sync.
  • Remove and deactivate users. Remove and deactivate Pendo users in Okta.
  • Push groups. Assign groups of users in Okta to Pendo.

Prerequisites

  • Organization admin rights for your company’s Pendo account.
  • Administrator rights in your company’s Okta account.
  • A new or existing SAML configuration in Okta.
  • A SAML and SCIM-enabled Pendo subscription. For information, contact your Pendo representative.
  • SAML for Okta set up. For instructions, see Set up SAML for Okta.

Step 1. Download a CSV of users

We recommend that you first download a CSV of Users and their roles so that you have a record of user permissions before your team makes changes from Okta.

  1. In Pendo, go to Settings > Users.
  2. Select the download icon in the top right of the Users table. This downloads a spreadsheet of user permissions, including roles.

Settings_Users_Download.png

Step 2. Enable SCIM provisioning in Pendo

  1. In Pendo, go to Settings > Organization Settings.
  2. Open the SSO tab select SCIM Settings.
  3. Turn on SCIM Provisioning using the toggle in SCIM Settings.
  4. Copy the Base URL and API Key that appear when you turn on SCIM provisioning.

Step 3. Configure SCIM provisioning in Okta

  1. Sign in to your Okta account and select Admin.
  2. Select the Pendo application.
  3. Under Provisioning > Integration, select Configure API Integration.

    provisioning_integration.png

  4. Add the Base URL that you copied from the Pendo SCIM settings to the Base URL field.
  5. Add the API Key that you copied from the Pendo SCIM settings to the API Token field.
  6. Select Test API Credentials.
  7. If the test is successful, select Save.

    provisioning_integration_api.png

  8. Open the To App tab and then select Edit.
  9. Enable the SCIM functionality for Okta with Pendo (creating, updating, and deactivating) that you want to support. We recommend selecting all options.
  10. Select Save to continue.

    provisioning_toApp.png

Step 3. Push your first Okta group to Pendo

If you’ve just saved your SCIM setup and you’re still in the Provisioning tab of the Pendo app integration page in Okta, skip to number 3 in the following instructions.

  1. Sign in to your Okta account and select Admin.
  2. Select the Pendo application.
  3. Select the Assignments tab.
  4. From the Assign menu in the top-left, choose Assign to Groups.

    SCIM_AssignToGroups.png

  5. Find the group that you want to sync to Pendo and choose Assign next to its name. Include Organization Admins in this group to ensure that they retain access to the Pendo subscription. If you don't include Organization Admins in the first group, you can't complete the setup.
  6. Leave all options blank and then select Save and Go Back.

    AssignPendoLink.png

  7. Select the Push Groups tab.
  8. From the Push Groups menu in the top-left, choose Find groups by name.

    PendoLinkSCIMPushGroups.png

  9. Find the group that you want to send to Pendo and select Create Group.
  10. Select Save to initiate a group push. When complete, the Push Status changes from Pushing to Active.
  11. Confirm that the group has been sent to Pendo. In Pendo, go to Settings > Organization Settings > SSO > IdP Groups to verify that your group is there.

If you don't see users in your group, you might need to provision unprovisioned users. For more information, see Provision unprovisioned users in the Okta Help Center.

Note: At this time, you can't see the individual users for a group in the Pendo app.

It's possible that you see some custom user roles appear incorrectly in the UI after turning on SCIM. This is typically only the case for users that haven't signed back into your application. This is a UI-only issue that's resolved when the user signs back in.

 

 

Was this article helpful?
0 out of 0 found this helpful