Set up SAML with SCIM for Okta


With SCIM, we provide the ability to auto-provision and manage Pendo users in Okta. SCIM is available for Premium customers or as an add-on. Contact your Pendo representative for more information.

This article describes how to set up SAML and then how to set up SCIM so that you can create, remove, and update users in Pendo, and push groups into Pendo for configuring permissions.

SCIM features

After you've set up SAML with SCIM for Okta, you can perform the following actions:

  • Create users. Assign Okta users to Pendo so that they're added as users in Pendo.
  • Update users. Automatically push updates made in Okta to Pendo to keep them in sync.
  • Remove and deactivate users. Remove and deactivate Pendo users in Okta.
  • Push groups. Assign groups of users in Okta to Pendo.

Prerequisites

  • Organization admin rights for your company’s Pendo account.
  • Administrator rights in your company’s Okta account.
  • A new or existing SAML configuration in Okta.
  • A SAML and SCIM-enabled Pendo subscription. For information, contact your Pendo representative.
  • SAML enforced in your Pendo subscription. Contact Pendo Support to configure SAML for your subscription. For more information, see SAML Single Sign-On (SSO) overview.

Step 1: Prepare a new SAML app

The process for setting up the new SAML app with SCIM differs from Pendo's current SAML SSO integration. 

SAML SSO is a prerequisite to enabling SCIM. SSO with SAML is required for your users to authenticate through Okta. Once this is set up, SAML SSO with SCIM allows you to create, provision, and deprovision users through Okta, without signing in to Pendo.

You must set up your Pendo application in Okta even if you already have an Okta configuration. You can replace your existing Okta configuration by creating a new application to enable SCIM for your account.

Create a SAML app integration

First, create a new Pendo SAML app integration in Okta. For more information, see Okta’s How to Configure SAML 2.0 for Pendo.

1. Sign in to your Okta account and select Admin.

2. Select the Pendo application.

3. In the Sign On tab, set the Default Relay State to the value corresponding with your region. Select the appropriate URL for your subscription’s data center.

    • US: https://pingone.com/1.0/c1dc3d4d-f04b-4c71-902f-af4895a57c21
    • US1: https://pingone.com/1.0/d65656ad-caef-4a4d-99d7-e998b6f0d97f 
    • EU: https://pingone.com/1.0/2e51bcef-d8c5-4e12-b145-9d94e09d7bb5 
    • JP: https://pingone.com/1.0/5d4212e1-4feb-4d30-b933-6bfda633d532

4. In the same Sign On tab, set the Application username format to Email. 


Share your metadata XML with Pendo

To share your metadata XML with Pendo, you can either:

  • [Preferred] Copy the URL from View SAML setup instructions on the Sign On tab in the Okta Pendo app.
  • Download the SAML IdP metadata XML file from the SAML setup instructions section of your app in Okta.

Send the metadata XML and all of your users' email domains that will use SSO to the Pendo Support team. Pendo then confirms that the SAML configuration for the new app integration is complete and shares instructions for verifying that SAML SSO is working.

Step 2: Set up SCIM for Okta

Setting up SCIM involves enabling SCIM provisioning in Pendo, and then configuring SCIM provisioning in Okta. We recommend that you first download a CSV of users and their roles so that you have a record of user permissions before your team makes changes from Okta.

Download a CSV of users

1. In Pendo, navigate to Settings > Users.

2. Select the download icon in the top right of the Users table. This downloads a spreadsheet of user permissions, including roles.


Enable SCIM provisioning in Pendo

1. In Pendo, navigate to Settings > Organization Settings.

2. Open the SCIM tab and turn on SCIM Provisioning using the toggle in SCIM Settings.

3. Copy the Base URL and API Key that appear when you turn on SCIM provisioning.


Configure SCIM provisioning in Okta

1. Sign in to your Okta account and select Admin.

2. Select the Pendo application.

3. Under Provisioning > Integration, select Configure API Integration.


4. Add the Base URL that you copied from the Pendo SCIM settings to the Base URL field.

5. Add the API Key that you copied from the Pendo SCIM settings to the API Token field.

6. Select Test API Credentials.

7. If the test is successful, select Save.


8. Open the To App tab and then select Edit.

9. Enable the SCIM functionality for Okta with Pendo (creating, updating, and deactivating) that you want to support. We recommend selecting all options.

10. Select Save to continue.


Push your first Okta group to Pendo

If you’ve just saved your SCIM setup and you’re still in the Provisioning tab of the Pendo app integration page in Okta, skip to step 3 in the following instructions.

1. Sign in to your Okta account and select Admin.

2. Select the Pendo application.

3. Select the Assignments tab. 

4. From the Assign menu in the top-left, choose Assign to Groups.


5. Find the group that you want to sync to Pendo and choose Assign next to its name. Include Organization Admins in this group to ensure that they retain access to the Pendo subscription. If you don't include Organization Admins in the first group, you can't complete the setup.

6. Leave all options blank and then select Save and Go Back.


7. Select the Push Groups tab.

8. From the Push Groups menu in the top-left, choose Find groups by name.


9. Find the group that you want to send to Pendo and select Create Group.

10. Select Save to initiate a group push. When complete, the Push Status changes from Pushing to Active.

11. Confirm that the group has been sent to Pendo. In Pendo, navigate to Settings > Organization Settings > SCIM > IdP Groups to verify that your group is there.

If you don't see users in your group, you might need to provision unprovisioned users. For more information, see Provision unprovisioned users in the Okta Help Center.


Note: At this time, you can't see the individual users for a group in the Pendo app.

Some custom user roles might appear incorrectly in the UI after you turn on SCIM. This typically affects only users who haven't signed back in to your application. It's a UI-only issue that's resolved when the user signs back in.
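A pre-flight check for the first group push, using the users CSV downloaded earlier. This is an added example, not Pendo or Okta tooling: it lists the email domains to send to Pendo Support, the Organization Admins missing from the group you plan to assign, and the other existing users who aren't in that group. The column names Email and Role, the role label Admin, and all sample data are assumptions constructed for illustration; adjust them to match your export.

```python
import csv
import io

# Constructed sample of the Pendo users export; the real file's column
# names may differ ("Email" and "Role" are assumptions).
SAMPLE_EXPORT = """Email,Role
ana@example.com,Admin
ben@example.com,User
cy@corp.example.org,Admin
dee@example.com,Read-only
"""

# Constructed member list of the first Okta group to be pushed.
SAMPLE_GROUP = ["Ana@example.com", "ben@example.com"]


def preflight(export_csv, group_emails, email_col="Email",
              role_col="Role", admin_role="Admin"):
    """Compare the pre-SCIM user export with the first Okta group."""
    in_group = {e.strip().lower() for e in group_emails}
    domains, missing_admins, unassigned = set(), [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = (row.get(email_col) or "").strip().lower()
        if "@" not in email:
            continue  # skip blank or malformed rows
        domains.add(email.rsplit("@", 1)[1])
        if email in in_group:
            continue
        role = (row.get(role_col) or "").strip().lower()
        if role == admin_role.lower():
            missing_admins.append(email)
        else:
            unassigned.append(email)
    return {
        "sso_domains": sorted(domains),
        "missing_admins": sorted(missing_admins),
        "unassigned_users": sorted(unassigned),
    }


if __name__ == "__main__":
    report = preflight(SAMPLE_EXPORT, SAMPLE_GROUP)
    for key, values in report.items():
        print(f"{key}: {', '.join(values) or '(none)'}")
    if report["missing_admins"]:
        raise SystemExit("Add the missing admins to the group before pushing.")
```

Run it against your own export and group membership list before step 5 of the group push; a non-empty missing_admins list means the group isn't ready to assign.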

 

 
