Okta SCIM Provisioning

Set up Okta's SCIM Integration for Member and Team Provisioning

This feature is only available if your organization is on a Business or Enterprise plan.

Sentry's Okta SCIM integration supports the following:

  • Create users
  • Deactivate users
  • Push groups
  • Import groups
  • Configure organization-level roles
  • Update user attributes (organization-level roles only)

Okta SCIM provisioning requires:

  • A subscription to Sentry Business Plan or higher.
  • Configuration of SAML SSO for Okta as documented in the Okta SAML SSO guide, or configured from the Sign On tab of your Sentry application in Okta.
  • Selection of Email for the Application username format in the Sign On application tab in Okta.
    (Screenshot: Okta username configuration)

  1. Sign in to sentry.io and select Settings > Auth.
    (Screenshot: Sentry Okta SCIM Auth page)
  2. Under General Settings, select "Enable SCIM", then "Save Settings".
    (Screenshot: Sentry Enable SCIM instruction)
    Sentry will display a "SCIM Information" panel containing your Auth Token and SCIM Base URL. The Auth Token is a bearer credential that authorizes creating and removing members and teams in your organization, so treat it as a secret: paste it only into Okta's API integration settings, and keep it out of tickets, chat and source control.
    (Screenshot: SCIM credential fields)

  1. Sign in to your Okta organization with your administrator account. From the admin console's sidebar, select Applications > Applications, then select the existing Sentry application.

  2. Select the "Provisioning" tab, then "Configure API Integration".

    (Screenshot: Okta configure SCIM API)

  3. Select "Enable API Integration", then enter the SCIM Base URL from the Sentry auth settings page into the Base URL field.

  4. For the API Token, copy the Auth Token value from the Sentry auth settings page.

  5. Select "Test API Credentials". You should see the message "the app was verified successfully". If the test fails, confirm that you copied the full token and the exact Base URL, and that SCIM is still enabled on the Sentry side.

  6. Select "Save" to be directed to SCIM App settings.

  7. On the Provisioning page, select "To App", then "Edit":

    (Screenshot: Okta Save SCIM Settings)

  8. Enable both "Create Users" and "Deactivate Users", then click the "Save" button.

    (Screenshot: Okta Create and Deactivate Users)

Once these changes are saved, newly assigned users are sent an invitation email. If a user is unassigned from the application, they're removed from the organization in Sentry.

You can use "Push Groups" to sync Okta groups to Sentry; each pushed group is mirrored as a Sentry team, and membership of that team is then controlled from Okta.

(Screenshot: Okta-provisioned user unable to leave a team in Sentry)

Here's how to assign an organization-level role to an Okta group:

  1. Add a new custom attribute to your Okta application profile

    1. Navigate to your application settings in Okta

    2. Under the "Provisioning" tab, select "Go to Profile Editor"

      (Screenshot: Okta Provisioning page)

    3. Select "+ Add Attribute"

      (Screenshot: Okta Add Attribute)

    4. Fill out the form with the following settings (you can set whatever value you want for any setting not listed below):

      • Data Type: string
      • Display Name: Org Role
      • Variable Name: sentryOrgRole
      • External name: sentryOrgRole
      • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
      • Attribute type: Group

      (Screenshot: Okta custom attribute)

  2. Assign a group to your Okta application

    (Screenshot: Okta Assign Group)

  3. In the assignment form, enter the name of the organization-level role in the Org Role field

    (Screenshot: Okta Set Role)

  • If the sentryOrgRole field is left blank, group members are provisioned with the default organization-level role. This default role is configured in Sentry under Settings > Auth. Otherwise, the value must be one of the following:
    • Admin
    • Manager
    • Billing
    • Member
  • An invalid role name prevents every member of the group from being provisioned. To try again, unassign the group from the application, correct the value, then assign the group again.
  • For security reasons, the "Owner" role cannot be provisioned through SCIM. You can, however, deprovision users who hold the "Owner" role in Sentry but weren't provisioned through SCIM.
    • For self-hosted installations with custom roles, this restriction extends to any role that carries the org:admin permission.

Once a user's organization-level role has been assigned via Okta, that role can only be changed through Okta; the role selector for that member is disabled in Sentry.

(Screenshot: Okta-managed role shown as restricted in Sentry's role selector)

Currently, Sentry only supports updating user attributes for organization-level roles. Once you've added the sentryOrgRole attribute to your Okta application profile, you can edit that attribute for any user assigned to the application.

(Screenshot: Okta edit attribute)

The user's role in Sentry will reflect the organization role shown in your Auth settings. This means that if you change a user's attribute to blank, their Okta-assigned organization-level role is removed in Sentry.

If users assigned to the Sentry application in Okta aren't appearing in Sentry, make sure that "Create Users" and "Deactivate Users" are enabled in the "Provisioning" tab of your Sentry application in Okta (see Okta configuration steps 7 and 8).

Assigning Sentry to a group in Okta is the same as assigning Sentry to every member of that group: it provisions each group member as an organization member in Sentry, but doesn't create a team. To create a team, push the group to Sentry from the Push Groups tab of your Sentry application in Okta.

Pushing a group via Okta tells Sentry to create a new team with the same name as the Okta group. Only users who've already been provisioned as organization members are added to the Sentry team; anyone in the Okta group who hasn't been provisioned yet is left out. If a pushed team is empty or incomplete, check that the Okta group contains the intended users and that each of them has already been assigned to the application and provisioned.

If provisioning fails with an error, isolate the user(s) causing it where possible. Then remove those users from Sentry and provision them again from Okta.

When team membership is managed by an identity provider such as Okta, it can only be updated or revoked through that identity provider. If you use Okta to assign members to a team, neither you nor the members can change that membership from Sentry (members can't leave the team and admins can't remove them there); continue making those changes in Okta.

If you've removed a user from Okta but they still appear in Sentry, make sure that "Deactivate Users" is enabled in the "Provisioning" tab of your Sentry application in Okta. Then re-provision the user and remove them again.

To remove an organization-level role that was assigned through Okta, change the user's role attribute to blank.

Known issues:

  • The Import Users feature isn't currently supported, because Sentry's SCIM API doesn't yet support the user name attribute fields firstName and lastName. For compatibility, they're returned as N/A values.
  • If the active field is set to false for a user, their organization member record is deleted rather than merely flagged inactive.
  • The only filter operation supported for resources is eq.
  • When provisioning a new team, Sentry normalizes the team displayName: uppercase letters are converted to lowercase and spaces are converted to dashes.
  • The GET /Groups endpoint cannot return more than 10000 members in a group; see the Sentry SCIM API documentation for details.
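The rules above (the four provisionable roles and the Owner exclusion, the eq-only filter, active=false deleting the member record, displayName normalization) together with the Push Groups behaviour from the troubleshooting notes are easy to get wrong when scripting around the SCIM endpoint. The following Python script is an added example, not Sentry's or Okta's code: it encodes those rules as pre-flight checks that run offline against a constructed in-memory stand-in for the SCIM Base URL. The InMemoryScim class, the group_push_preview helper, the sample example.com addresses and the whitespace-collapsing detail in team_slug are assumptions made for illustration; to use it against a real organization, replace the stand-in with HTTPS calls to the SCIM Base URL carrying the Auth Token as a bearer token.

```python
"""Pre-flight checks for Okta -> Sentry SCIM provisioning (added example, not
Sentry's or Okta's code). Encodes the rules on this page so they can be checked
offline against a constructed in-memory stand-in for the SCIM Base URL."""
import re
from dataclasses import dataclass, field

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Roles allowed in sentryOrgRole. "Owner" (and, on self-hosted, any custom role
# carrying org:admin) is deliberately absent.
PROVISIONABLE_ROLES = {"admin", "manager", "billing", "member"}


def validate_org_role(role):
    """Role string to send, or None for blank (= the organization's default
    role). Raises ValueError for Owner or an unknown role, which Sentry
    rejects; one bad value blocks provisioning for the whole group."""
    if role is None or not role.strip():
        return None
    role = role.strip()
    if role.lower() == "owner":
        raise ValueError("Owner cannot be provisioned through SCIM")
    if role.lower() not in PROVISIONABLE_ROLES:
        raise ValueError(f"unknown org role {role!r}")
    return role


def is_provisionable_role(role):
    try:
        validate_org_role(role)
        return True
    except ValueError:
        return False


def build_user_payload(email, org_role=None):
    """POST /Users body Okta sends for an assigned user. sentryOrgRole is a
    top-level attribute because the custom attribute's external namespace is
    the core User schema (see the profile-editor settings above)."""
    payload = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "emails": [{"primary": True, "value": email, "type": "work"}],
        "active": True,
    }
    role = validate_org_role(org_role)
    if role is not None:
        payload["sentryOrgRole"] = role
    return payload


def user_filter(email):
    """Filter for the lookup Okta does before creating a user; the value is a
    JSON-style string, so backslashes and quotes must be escaped."""
    escaped = email.replace("\\", "\\\\").replace('"', '\\"')
    return f'userName eq "{escaped}"'


_EQ_FILTER = re.compile(r'^(\w+)\s+eq\s+"((?:[^"\\]|\\.)*)"$')


def parse_eq_filter(expr):
    """(attribute, value) for an `attr eq "value"` filter, or None for any
    other operator: Sentry supports only eq, so never send anything else."""
    m = _EQ_FILTER.match(expr.strip())
    if not m:
        return None
    return m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def team_slug(display_name):
    """Team name Sentry derives from a pushed group's displayName: lowercase,
    spaces to dashes (assumption: runs of whitespace collapse to one dash)."""
    return "-".join(display_name.strip().lower().split())


@dataclass
class InMemoryScim:
    """Constructed stand-in for the SCIM Base URL; a real client sends the same
    payloads over HTTPS with Authorization: Bearer <Auth Token>."""
    users: dict = field(default_factory=dict)  # userName -> User resource

    def create_user(self, payload):
        if payload["userName"] in self.users:
            raise ValueError("409: user already provisioned")
        self.users[payload["userName"]] = dict(payload)
        return self.users[payload["userName"]]

    def find_user(self, filter_expr):
        parsed = parse_eq_filter(filter_expr)
        if parsed is None:
            raise ValueError(f"unsupported SCIM filter: {filter_expr!r}")
        attr, value = parsed
        return next((u for u in self.users.values() if u.get(attr) == value), None)

    def set_active(self, email, active):
        """active=false from Okta deletes the member record outright."""
        if not active:
            self.users.pop(email, None)
        elif email in self.users:
            self.users[email]["active"] = True


def group_push_preview(scim, group_name, okta_members):
    """Before Push Groups: members already provisioned join the new team; the
    rest are left out until assigned to the app and provisioned."""
    provisioned = [m for m in okta_members if scim.find_user(user_filter(m))]
    missing = [m for m in okta_members if m not in provisioned]
    return team_slug(group_name), provisioned, missing
```

Run group_push_preview over the Okta group's member list before pushing it: the "missing" list is exactly the set of users who will not appear in the resulting Sentry team, and validate_org_role catches the Owner or misspelled-role case that would otherwise block the whole group.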