Note: Please read our SCIM 2.0 article to understand the feature capabilities and configurations necessary on your Stack Overflow Business site before proceeding.

Creating a SCIM 2.0 application in Okta

  • Navigate to the Okta Administration panel > Applications > Add Application

  • Search for a SCIM app that supports SCIM 2.0 and OAuth bearer tokens (such as SCIM 2.0 Test App (OAuth Bearer Token)) and add it. This opens the application creation wizard.

    • Settings: Set the Application label to a descriptive name (such as SCIM 2.0 - Stack Overflow Business). Other settings may be left at their defaults or changed to suit your requirements. Click Next.

    • Sign-on Options: Ensure the Application username format matches the User Identifier Assertion configured under Authentication Settings on your site, found at /c/{your_site}/admin/access/authentication. This is how Stack Overflow Business identifies users; if the two formats differ, provisioned users will not line up with the users who sign in. Click Done, and continue to the next section.

Assign users to the SCIM 2.0 application

  • With the SCIM 2.0 application open in Okta, click the Assignments tab and add users as appropriate for your organization, either individually, by group, or a combination of the two. Continue to the next section to finish the integration and enable deactivation/reactivation.

Setting up user deactivation and reactivation

  • In Stack Overflow Business, enable SCIM and generate a SCIM authorization token for your application at /c/{your_site}/admin/access/scim. The token is shown only once, when you generate it; if it is lost, generate a new one and reconfigure your Okta application. Treat the token as a secret: it is a bearer token, so anyone who holds it can call the SCIM API for your site.

  • Navigate to your SCIM 2.0 application in Okta. Click the Provisioning tab, then click Configure API Integration.

  • Check Enable API Integration and set the following parameters


  • On the Provisioning tab, click the newly available To App settings panel.


    • Next to Provisioning to App, click Edit.

    • Check Enable next to both Update User Attributes and Deactivate Users.

    • Click Save

Now, when a user who is assigned to the SCIM 2.0 app is deactivated or reactivated in Okta, their status changes in Stack Overflow Business as well. You may stop here, or continue to manage Admin permissions from Okta.

Optional: Setting up Admin promotion and demotion

SCIM 2.0 may also be used to promote a Registered user to an Admin user, or to demote an Admin user to a Registered user.

First, ensure that “Allow SCIM to manage user roles” is set to checked in /c/{your_site}/admin/access/scim. This is required for promotion and demotion to work.

User promotion is determined by the userType field in the SCIM 2.0 payload. This field takes the value Registered or Admin. If the value is Admin, the user is promoted to an Admin; to demote an Admin, userType must be set to Registered.

The userType field can be set in multiple ways. There are two common ways you may want to investigate:

  • On the user profile: Under Directory > Users, edit a user and set the userType field under the Profile tab. This must be done for every Admin individually.

  • By application mapping: Under Directory > Profile Editor, field mappings may be controlled for each application. Click Mappings for the SCIM 2.0 application, then select the Okta to <application label> tab (Okta names the tab after the label you gave the application). The userType field may be set to a literal value or to any valid Okta expression. For example, the following expression assigns Admin to every member of the Okta group Stack Overflow Business Admins and Registered to everyone else, so a user removed from the group is demoted on the next sync:

      isMemberOfGroupName("Stack Overflow Business Admins") ? "Admin" : "Registered"
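To make the attribute semantics above concrete, here is an added example (not Stack Overflow Business code, and not the product's actual implementation) of how a SCIM 2.0 service provider would read the attributes this integration depends on: userName for identity, the standard active flag (RFC 7643) for deactivation and reactivation, and userType for the Admin/Registered role. The payloads are constructed by hand to resemble what Okta's SCIM client sends; the roles_managed flag stands in for the "Allow SCIM to manage user roles" checkbox. An unrecognised userType is deliberately ignored rather than treated as a demotion.

```python
"""Interpret the SCIM 2.0 User attributes the Okta integration above relies on.

Illustrative service-provider logic, not Stack Overflow Business code. The
attribute names userName, active and userType come from RFC 7643; the sample
payloads are constructed by hand to resemble what Okta's SCIM client sends.
"""
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
VALID_ROLES = {"Admin", "Registered"}   # the only userType values the page documents


def role_from_user_type(value):
    """Return "Admin" or "Registered", or None when the value must be ignored.

    An unknown, empty or missing userType causes no role change, so a broken
    mapping expression in Okta cannot silently demote every administrator.
    """
    if isinstance(value, str) and value in VALID_ROLES:
        return value
    return None


def interpret_put(resource, roles_managed=True):
    """Full-resource PUT: every attribute in the body is authoritative."""
    if USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    return {
        # Must line up with the User Identifier Assertion used for SSO.
        "userName": resource["userName"],
        # RFC 7643 'active': false means deactivate, true means (re)activate.
        "active": bool(resource.get("active", True)),
        # Honoured only when "Allow SCIM to manage user roles" is checked.
        "role": role_from_user_type(resource.get("userType")) if roles_managed else None,
    }


def interpret_patch(patch, roles_managed=True):
    """PATCH: only attributes named in 'replace' operations change."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp message")
    changes = {}
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        # Two shapes are common: {"path": "active", "value": false} or a
        # path-less {"value": {"active": false, "userType": "Admin"}}.
        attrs = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
        if "active" in attrs:
            changes["active"] = bool(attrs["active"])
        if roles_managed and "userType" in attrs:
            role = role_from_user_type(attrs["userType"])
            if role is not None:
                changes["role"] = role
    return changes


# Constructed samples (not captured traffic).
PUT_ADMIN = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe@example.com",
  "active": true,
  "userType": "Admin"
}""")

PATCH_DEACTIVATE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{"op": "replace", "value": {"active": false}}]
}""")

PATCH_DEMOTE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{"op": "replace", "path": "userType", "value": "Registered"}]
}""")

if __name__ == "__main__":
    print(interpret_put(PUT_ADMIN))          # role "Admin", active True
    print(interpret_patch(PATCH_DEACTIVATE))  # {"active": False}
    print(interpret_patch(PATCH_DEMOTE))      # {"role": "Registered"}
```

Note that with roles_managed=False the userType value is read but never acted on, which mirrors the page's requirement that "Allow SCIM to manage user roles" be checked before promotion or demotion takes effect.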

Notes

  • When using groups, note that a group membership change is not always treated as a user event. That is, if a user is added to or removed from a group in Okta, the user might not be considered changed and no SCIM 2.0 request will be sent. After changing group membership, force a sync from the SCIM 2.0 application in Okta. This is a limitation of Okta.

  • Enabling SCIM 2.0 user management in Stack Overflow Business does not disable user management within Stack Overflow Business. That is, a user may be active in Okta and assigned to the Stack Overflow Business SCIM 2.0 app, and they may still be manually disabled within Stack Overflow Business. We recommend standardizing on a single workflow within your organization so that expectations are shared.