Okta SCIM Provisioning

Supported Features

  • Create users
  • Deactivate users
  • Push groups
  • Import groups

Requirements

Okta SCIM provisioning requires:

  • A subscription to Sentry Business Plan or higher.
  • Configuration of SAML SSO for Okta as documented here, or use the Okta sign-on tab in your Sentry Okta application to configure SAML.
  • Selection of Email for the Application username format in the Sign On application tab in Okta. Okta username configuration

Sentry Configuration

  1. Sign in to sentry.io. Select Settings > Auth Sentry Okta SCIM Auth Page
  2. Under General Settings select "Enable SCIM", then "Save Settings" Sentry Enable SCIM Instruction Sentry will display "SCIM Information" that contains your Auth Token and SCIM Base URL. SCIM Credentials Fields

Okta Configuration

  1. Sign in to your Okta organization with your administrator account. From the admin console's sidebar, select Applications > Applications, then select the existing Sentry application.

  2. Select the "Provisioning" tab, then "Configure API integration". Okta configure SCIM API

  3. Select "Enable API Integration", enter the SCIM URL from the auth settings page as the Base URL field. For the API Token, copy the Auth Token value from the auth settings page.

  4. Select "Test API Credentials", and confirm the message "the app was verified successfully" displays.

  5. Select "Save" to be directed to SCIM App settings.

  6. On the Provisioning page, select "To App", then "edit": Okta Save SCIM Settings

  7. Enable both "Create Users" and "Deactivate Users", then "Save" your changes.

As a result of these changes, users who are assigned will be sent an invitation email. When a user is un-assigned, their membership object in Sentry will be deleted.

You can use "Push Groups" to sync and assign groups in Okta; they will be reflected in Sentry teams.

Known Issues / Troubleshooting

  • Sentry does not currently support setting any User attributes other than userName and active.
  • The Import Users feature is not currently supported. Sentry's SCIM API does not at this time support the User name attribute fields firstName and lastName. Instead, we return these with values of N/A for compatibility purposes.
  • Setting active to false on a User will delete the organization member record associated with the user.
  • The only filter operation supported for resources is eq.
  • When provisioning a new team, Sentry will both normalize and convert the team displayName uppercase to lowercase, and convert spaces to dashes.
  • The GET /Groups endpoint will return a maximum of 10000 members in a group, see SCIM API documentation for more information.
Help improve this content
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) to suggesting an update ("yeah, this would be better").