Set up SAML with SCIM for Okta

Last updated:

With SCIM, we provide the ability to auto-provision and manage Pendo users in Okta. SCIM is available for Premium customers or as an add-on. Contact your Pendo representative for more information.

This article describes how to set up SAML and then how to set up SCIM so that you can create, remove, and update users in Pendo, and push groups into Pendo for configuring permissions.

SCIM features

Once you've set up SAML with SCIM for Okta, you can perform the following actions:

  • Create users. Assign Okta users to Pendo so that they're added as users in Pendo.
  • Update users. Automatically push updates made in Okta to Pendo to keep them in sync.
  • Remove and deactivate users. Remove and deactivate Pendo users in Okta.
  • Push groups. Assign groups of users in Okta to Pendo.

Prerequisites

  • A SAML and SCIM-enabled Pendo subscription. For information, contact Pendo Support.
  • A new or existing SAML configuration in Okta that supports SCIM.
  • Organization admin rights for your company’s Pendo account.
  • Administrator rights in your company’s Okta account.

Step 1: Prepare a new SAML app

The process for setting up the new SAML app with SCIM differs from Pendo's current SAML SSO integration. 

SAML SSO is a prerequisite to enabling SCIM. SSO with SAML is required for your users to authenticate through Okta. Once this is set up, SAML SSO with SCIM allows you to create, provision, and deprovision users through Okta, without signing in to Pendo.

You must set up your Pendo application in Okta even if you already have an Okta configuration. You can replace your existing Okta configuration by creating a new application to enable SCIM for your account.

Create a SAML app integration

First, create a new Pendo SAML app integration in Okta. For more information, see Okta’s How to Configure SAML 2.0 for Pendo.

1. Sign in to your Okta account and select Admin.

2. Select the Pendo application.

3. In the Sign On tab, set the Default Relay State to the value corresponding with your region. Select the appropriate URL for your subscription’s data center.

    • US: https://pingone.com/1.0/c1dc3d4d-f04b-4c71-902f-af4895a57c21
    • US1: https://pingone.com/1.0/d65656ad-caef-4a4d-99d7-e998b6f0d97f 
    • EU: https://pingone.com/1.0/2e51bcef-d8c5-4e12-b145-9d94e09d7bb5 
    • JP: https://pingone.com/1.0/5d4212e1-4feb-4d30-b933-6bfda633d532

4. In the same Sign On tab, set the Application username format to Email. 

sign-on_settings.png

Share your metadata XML with Pendo

To share your metadata XML with Pendo, you can either:

  • [Preferred] Copy the URL from View SAML setup instructions on the Sign On tab in the Okta Pendo app.
  • Download the SAML IdP metadata XML file from the SAML setup instructions section of your app in Okta.

Send the metadata XML and all of your users' email domains that will use SSO to the Pendo Support team. Pendo then confirms that the SAML configuration for the new app integration is complete and shares instructions for verifying that SAML SSO is working.

Step 2: Set up SCIM for Okta

Setting up SCIM involves enabling SCIM provisioning in Pendo, and then configuring SCIM provisioning in Okta. We recommend that you first download a CSV of Users and their roles so that you have a record of user permissions before your team makes changes from Okta.

Download a CSV of users

1. In Pendo, navigate to Settings > Users.

2. Select the download icon in the top right of the Users table. This downloads a spreadsheet of user permissions, including roles.

Settings_Users_Download.png

Enable SCIM provisioning in Pendo

1. In Pendo, navigate to Settings > Organization Settings.

2. Open the SCIM tab and turn on SCIM Provisioning using the toggle in SCIM Settings.

3. Copy the Base URL and API Key that appear when you turn on SCIM provisioning.

OrgSettings_SCIMSettings.png

Configure SCIM provisioning in Okta

1. Sign in to your Okta account and select Admin.

2. Select the Pendo application.

3. Under Provisioning > Integration, select Configure API Integration.

provisioning_integration.png

4. Add the Base URL that you copied from the Pendo SCIM settings to the Base URL field.

5. Add the API Key that you copied from the Pendo SCIM settings to the API Token field.

6. Select Test API Credentials.

7. If the test is successful, select Save.

provisioning_integration_api.png

8. Open the To App tab and then select Edit.

9. Enable the SCIM functionality for Okta with Pendo (creating, updating, and deactivating) that you want to support. We recommend selecting all options.

10. Select Save to continue.

provisioning_toApp.png

Push your first Okta group to Pendo

If you’ve just saved your SCIM setup and you’re still in the Provisioning tab of the Pendo app integration page in Okta, skip to number 3 in the following instructions.

1. Sign in to your Okta account and select Admin.

2. Select the Pendo application.

3. Select the Assignments tab. 

4. From the Assign menu in the top-left, choose Assign to Groups.

SCIM_AssignToGroups.png

5. Find the group that you want to sync to Pendo and choose Assign next to its name.

6. Leave all options blank and then select Save and Go Back

AssignPendoLink.png

7. Select the Push Groups tab.

8. From the Push Groups menu in the top-left, choose Find groups by name.

PendoLinkSCIMPushGroups.png

9. Find the group that you want to send to Pendo and select Create Group.

10. Select Save to initiate a group push. When complete, the Push Status changes from Pushing to Active.

11. Confirm that the group has been sent to Pendo. In Pendo, navigate to Settings > Organization Settings> SCIM > IdP Groups to verify that your group is there.

If you don't see users in your group, you might need to provision unprovisioned users. For more information, see Provision unprovisioned users in the Okta Help Center.

OrgSettings_IdPGroups.png

Note: At this time, you can't see the individual users for a group in the Pendo app.

It's possible that you see some custom user roles appear incorrectly in the UI after turning on SCIM. This is typically only the case for users that haven't signed back into your application. This is a UI-only issue that's resolved when the user signs back in.

Configure subscription-level access

Users can’t access a Pendo subscription until SCIM is enabled for the subscription and a role is assigned to their IdP group.  

Enabling SCIM at the subscription level is optional. Some subscriptions can use SCIM provisioning while others continue to use manual access control. 

Enabling SCIM for a subscription disables manual user controls, including invite, delete, and edit roles and permissions. All access is controlled in the IdP’s settings or subscription access in Pendo SCIM settings.

Enable SCIM at the subscription level

When you enable SCIM at the subscription level, all users in your IdP groups are granted access to the subscription according to the permissions you assign to members of your IdP groups. Any users who were added to Pendo manually and aren’t in your IdP groups immediately lose access to the Pendo subscription. 

In Pendo, navigate to Settings > Organization Settings> SCIM > Subscription Access, and then:

  1. Find your subscription and select Enable SCIM next to it.
  2. Select Next: Assign Permissions to choose which groups you want to grant subscription access to.
  3. Select a group and assign permissions. These are your IdP groups. Repeat until you’ve assigned permissions to each group.
  4. Select Enable SCIM to complete the SCIM setup.
  5. To confirm this selection, type “I understand” into the window that appears and then select Enable SCIM.

For more information about roles and permissions in a Pendo subscription in our Roles and Permissions Overview. Assigning permissions included access to Pendo Feedback if your subscription has Feedback enabled.

Note: Users aren’t granted access until the entire workflow listed above is complete.

Manage SCIM at the subscription level

After SCIM is enabled for a subscription, you can edit your groups and permissions:

  • Change permissions associated with groups.
  • Configure permissions for additional groups.
  • Remove permissions for one or more groups.

In Pendo, navigate to Settings > Organization Settings> SCIM > Subscription Access, and then select Manage Access next to the subscription. This relaunches the subscription access workflow, where you can make changes to groups and permissions.

Regenerate an API key

You might want to regenerate your API key if you periodically cycle through API keys as a security precaution, or get a new IdP and need to build a new integration.

You can deactivate your current API key and create a new key using the Regenerate API Key link under your API key in Pendo, which you can find by navigating to Organization Settings > SCIM. In the confirmation window that appears, select Yes, Regenerate Key.

RegenAPIkey.png

Regenerating the API key breaks the integration with your IdP until a new key is configured in the IdP and the connection is re-established. Users still have access to Pendo based on the last push from your IdP. 

Manual control remains unavailable and you can’t add or remove users until the connection with your IdP is re-established or SCIM is disabled.

Disable SCIM at the subscription level

Disabling SCIM for a subscription removes access for every IdP group in Settings > Organization Settings> SCIM > Subscription Access. This restores manual control of user access and permissions in Settings > Users for that subscription.

Manual control of users in a subscription is managed by a subscription admin. Users who currently have access keep their access, and subscription admins can modify individual user access as needed.

To disable SCIM at the subscription level:

  1. In Pendo, navigate to Settings > Organization Settings> SCIM > Subscription Access, and then select Manage Access next to the subscription. This relaunches the subscription access workflow.
  2. Select Disable SCIM for […]. This launches a confirmation window.
  3. Select Disable SCIM in the confirmation window.

SCIM provisioning is now removed from the subscription and manual control is restored. You can re-enable SCIM by following the instructions under Enable SCIM at the subscription level.

Delete SCIM configuration for the organization

In Pendo, navigate to Settings > Organization Settings> SCIM > SCIM Settings, and turn off SCIM Provisioning using the toggle. This:

  • Deletes the entire SCIM configuration.
  • Disables the API key.
  • Disables the integration with your IdP.
  • Disables SCIM for all subscriptions.
  • Reactivates manual user controls.

Any users who can currently access the subscription retains their access unless they’re manually deleted.

This can't be undone. Reactivating SCIM after deleting the organization configuration is a fresh start. The integration with your IdP must be set up again with a new API key, all subscriptions must be enabled, and any user groups must be connected to the appropriate roles and permissions.

Reactivate SCIM for the organization

Reactivating SCIM for the organization after deleting your organization configuration involves starting from the beginning. You must:

  • Set up the integration with your IdP, including a new API key.
  • Enable all subscriptions.
  • Assign the appropriate roles and permissions to user groups.

For more information, see Step 2 in this article.

 

Was this article helpful?
0 out of 0 found this helpful