Skip to main content

Set Up SCIM with Okta

SCIM automated user provisioning and deprovisioning with Okta

Updated today

This guide walks you through configuring SCIM 2.0 provisioning between Okta and BetaTesting. SCIM enables automatic user creation, updates, deactivation, and group synchronization from Okta to BetaTesting.

Prerequisites

Before setting up SCIM, you must have:

  • A SAML-based SSO connection already configured between Okta and BetaTesting (see Set Up SSO with Okta)

  • Administrator access to your Okta admin console

  • The following values from your BetaTesting account manager:

Important: SCIM provisioning in Okta requires a SAML app integration (not OIDC). If you originally set up an OIDC-based integration, contact your BetaTesting account manager to migrate to a SAML-based connection.

Step 1: Enable SCIM Provisioning on Your Okta App

  1. Go to your BetaTesting SAML app in the Okta admin console

  2. Go to the General tab > App Settings > Edit

  3. Under Provisioning, select SCIM

  4. Click Save

A new Provisioning tab will appear on your app.

Step 2: Configure the SCIM Connection

  1. Go to the Provisioning tab

  2. Click Edit under SCIM Connection

  3. Configure the following:

Setting

Value

SCIM connector base URL

The SCIM base URL provided by BetaTesting (e.g., https://betatesting.com/api/scim/v2)

Unique identifier field for users

userName

Supported provisioning actions

Check all that apply: Push New Users, Push Profile Updates, Push Groups

Authentication Mode

HTTP Header

Authorization

Paste the Bearer token provided by BetaTesting

  1. Click Test Connector Configuration to verify the connection

    • Okta will call BetaTesting's /ServiceProviderConfig endpoint

    • If the test succeeds, you'll see a success message

  2. Click Save

Step 3: Enable Provisioning Actions

  1. Under Provisioning > To App, click Edit

  2. Enable the following:

    • Create Users - Automatically create BetaTesting accounts when users are assigned in Okta

    • Update User Attributes - Sync profile changes from Okta to BetaTesting

    • Deactivate Users - Deactivate BetaTesting accounts when users are unassigned in Okta

  3. Click Save

Step 4: Push Groups

Groups pushed from Okta to BetaTesting are used for automatic role assignment. See SSO Role Mapping & Permissions for details on how groups map to roles.

  1. In your BetaTesting app, go to the Push Groups tab

  2. Click Push Groups > Find groups by name

  3. Search for and select the groups you want to push to BetaTesting (e.g., "Admins", "Support", "Testers")

  4. For each group, verify that Push group memberships immediately is checked

  5. Click Save

Okta will now:

  • Create each selected group in BetaTesting via the SCIM Groups endpoint

  • Sync group memberships as users are added or removed

Tell your BetaTesting account manager which groups you're pushing and what BetaTesting role each group should map to. They will configure role mappings on the BetaTesting side.

Step 5: Assign Users

  1. In your BetaTesting app, go to the Assignments tab

  2. Click Assign > Assign to People (or Assign to Groups)

  3. Select the users or groups who should have BetaTesting access

  4. Click Assign

For each assigned user, Okta will:

  • Call BetaTesting's SCIM API to create a user account

  • Add the user to any pushed groups they belong to

  • BetaTesting will automatically assign the appropriate role based on group membership

Step 6: Test SCIM Provisioning

After assigning users and pushing groups, verify with your BetaTesting account manager that:

  1. User accounts were created - Assigned users should have BetaTesting accounts

  2. Groups were synced - Pushed groups should appear in BetaTesting with correct memberships

  3. Roles are assigned correctly - Users in mapped groups should have the expected BetaTesting role

Test SSO Login

  1. Open the SSO login link provided by your BetaTesting account manager

  2. Log in with a user who was provisioned via SCIM

  3. Verify:

    • The user can log in successfully

    • The user has the correct role based on their group membership

    • The user lands on the appropriate BetaTesting page

Test Deprovisioning

  1. In Okta, unassign a test user from the BetaTesting app

  2. Wait for Okta to send the deactivation request (this happens automatically)

  3. Attempt to log in via SSO with the deprovisioned user

  4. Verify: the user sees an error message and cannot access BetaTesting

What BetaTesting Configures

During SCIM setup, the BetaTesting team:

  1. Enables SCIM on your SSO connection and generates a secure Bearer token

  2. Provides you with the SCIM base URL and token for your Okta configuration

  3. Configures role mappings that link your pushed Okta group names to BetaTesting roles (e.g., "Admins" -> Company Admin, "Support" -> Support role)

  4. Verifies provisioning by checking that users, groups, and memberships are synced correctly

Next Steps

  • Configure role mappings: Work with your BetaTesting account manager to map Okta groups to BetaTesting roles. See SSO Role Mapping & Permissions

  • Troubleshooting: If you encounter issues, see SSO/SCIM FAQ & Troubleshooting

Related Articles
Single Sign-On (SSO) Overview
Set Up SAML SSO with Okta
SCIM Provisioning Overview
SSO Role Mapping & Permissions
SSO/SCIM FAQ & Troubleshooting
Did this answer your question?