Okta SCIM provisioning
The System for Cross-domain Identity Management specification (SCIM) is a standard designed to manage user identity information. When enabled in Dagster+, SCIM allows you to efficiently and easily manage users in your Identity Provider (IdP) - in this case, Okta - and sync their information to Dagster+.
In this guide, we'll walk you through configuring Okta SCIM provisioning for Dagster+.
About this feature
- Supported features
- Limitations
Supported features
With Dagster+'s Okta SCIM provisioning feature, you can:
- Create users. Users that are assigned to the Dagster+ application in the IdP will be automatically added to your Dagster+ organization.
- Update user attributes. Updating a user's name or email address in the IdP will automatically sync the change to your user list in Dagster+.
- Remove users. Deactivating or unassigning a user from the Dagster+ application in the IdP will remove them from the Dagster+ organization
- Push user groups. Groups and their members in the IdP can be pushed to Dagster+ as Teams.
Refer to Okta's SCIM documentation for more information about Okta's SCIM offering.
Limitations
Dagster+ currently supports the following attributes for SCIM syncing:
user.firstNameuser.lastNameuser.email, which must match the user's username in Oktauser.displayName
Prerequisites
To complete the steps in this guide, you'll need:
- To have set up Okta SSO for Dagster+. Refer to the Okta SSO setup guide for more info.
- Permissions in Okta that allow you to configure applications.
- The following in Dagster+:
- A Pro plan
- Organization Admin permissions in your organization
Step 1: Enable SCIM provisioning in Dagster+
- Sign in to your Dagster+ account.
- Click the user menu (your icon) > Organization Settings.
- Click the Provisioning tab.
- If SCIM provisioning isn't enabled, click the Enable SCIM provisioning button to enable it.
- Click Create SCIM token to create an API token. This token will be used to authenticate requests from Okta to Dagster+.
Keep the API token handy - you'll need it in the next step.
Step 2: Enable SCIM provisioning in Okta
-
Sign in to your Okta Admin Dashboard.
-
Using the sidebar, click Applications > Applications.
-
Click the Dagster+ app. Note: If you haven't set up SSO for Okta, follow this guide to do so before continuing.
-
Click the Sign On tab and complete the following:
-
Click Edit.
-
In the Advanced Sign-on Settings section, enter the name of your organization in the Organization field.
-
In the Credential Details section, set the Application username format field to Email:
- Click Save.
-
-
Click the Provisioning tab and complete the following:
-
Click Configure API Integration.
-
Check the Enable API integration checkbox that displays.
-
In the API Token field, paste the Dagster+ API token you generated in Step 1:
-
Click Test API Credentials to verify that your organization and API token work correctly.
-
When finished, click Save.
-
Step 3: Enable user syncing in Okta
After you confirm that your API credentials work in the Dagster+ Okta application, you can enable user syncing:
-
In the Dagster+ Okta app, click the Provisioning tab.
-
In the Settings panel, click To App.
-
Click Edit.
-
Next to Create Users, check the Enable checkbox:
Note: The default username used to create accounts must be set to Email or user provisioning may not work correctly.
-
Optionally, check Enable next to Update User Attributes and Deactivate Users to enable these features.
-
When finished, click Save.
Step 4: Enable group syncing in Okta
This step is required only if you want to sync Okta user groups to Dagster+ as Teams.
When Push groups is enabled in Okta, you can sync user groups from Okta to Dagster+ as Teams. Refer to the Okta documentation for setup instructions.
Next steps
That's it! Once Okta successfully syncs users to Dagster+, synced users will have a 'synced' icon next to them in the Dagster+ users page:
Refer to the Enabling SCIM provisioning guide for more info about how user and team management works when SCIM provisioning is enabled.