Okta SCIM Provisioning
This feature is only available if your organization is on a Business or Enterprise plan. This feature is not available on Trial plans.
If you change your organization slug, you'll need to make the same update in the steps where you enter the SCIM configuration values.
Supported Features
- Create users
- Deactivate users
- Push groups
- Import groups
Requirements
Okta SCIM provisioning requires:
- A subscription to Sentry Business Plan or higher.
- Configuration of SAML SSO for Okta as documented here, or use the Okta sign-on tab in your Sentry Okta application to configure SAML.
- Selection of Email for the Application username format in the Sign On application tab in Okta.
Sentry Configuration
- Sign in to sentry.io. Select Settings > Auth
- Under General Settings select "Enable SCIM", then "Save Settings"
Sentry will display "SCIM Information" that contains your Auth Token and SCIM Base URL.
Okta Configuration
Sign in to your Okta organization with your administrator account. From the admin console's sidebar, select Applications > Applications, then select the existing Sentry application.
Select the "Provisioning" tab, then "Configure API integration".
Select "Enable API Integration", then enter the SCIM URL from the auth settings page in the Base URL field. For the API Token, copy the Auth Token value from the auth settings page.
Select "Test API Credentials", and confirm the message "the app was verified successfully" displays.
Select "Save" to be directed to SCIM App settings.
Enable both "Create Users" and "Deactivate Users", then "Save" your changes.
As a result of these changes, users who are assigned will be sent an invitation email. When a user is un-assigned, their membership object in Sentry will be deleted.
You can use "Push Groups" to sync and assign groups in Okta; they will be reflected in Sentry teams.
Known Issues / Troubleshooting
- Sentry does not currently support setting any User attributes other than userName and active.
- The Import Users feature is not currently supported. Sentry's SCIM API does not at this time support the User name attribute fields firstName and lastName. Instead, we return these with values of N/A for compatibility purposes.
- Setting active to false on a User will delete the organization member record associated with the user.
- The only filter operation supported for resources is eq.
- When provisioning a new team, Sentry will normalize the team displayName, converting uppercase to lowercase and spaces to dashes.
- The GET /Groups endpoint will return a maximum of 10000 members in a group; see the SCIM API documentation for more information.
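The limitations above can be checked before a SCIM request or group push reaches Sentry. The following is an added example, not part of Sentry's documentation or code: the function names are hypothetical, the operator list comes from RFC 7644, and team_name models only the two conversions named above.

```python
import re
from collections import defaultdict

# Per the list above: only these User attributes can be set, and only "eq" filters work.
SUPPORTED_USER_ATTRS = {"userName", "active"}
# The other RFC 7644 filter operators (comparison and logical).
OTHER_FILTER_OPS = {"ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le", "and", "or", "not"}


def lint_user_patch(patch):
    """Findings for a SCIM PatchOp body that targets a User."""
    findings = []
    for op in patch.get("Operations", []):
        value = op.get("value")
        # An operation names one attribute in "path" or carries a dict of attributes.
        if op.get("path"):
            attrs = {op["path"]: value}
        else:
            attrs = value if isinstance(value, dict) else {}
        for name, val in attrs.items():
            if name not in SUPPORTED_USER_ATTRS:
                findings.append(f"unsupported attribute: {name}")
            elif name == "active" and str(val).lower() == "false":
                findings.append("active=false deletes the organization member record")
    return findings


def unsupported_filter_ops(filter_expr):
    """Operators in a SCIM filter other than 'eq', in order of appearance."""
    # Blank out quoted literals so words inside values are not read as operators.
    bare = re.sub(r'"(?:[^"\\]|\\.)*"', '""', filter_expr)
    return [w.lower() for w in re.findall(r"[A-Za-z]+", bare) if w.lower() in OTHER_FILTER_OPS]


def team_name(display_name):
    # Only the two conversions named above; other normalization is not modelled.
    return display_name.lower().replace(" ", "-")


def colliding_groups(display_names):
    """Okta group names that become the same Sentry team name."""
    by_team = defaultdict(list)
    for name in display_names:
        by_team[team_name(name)].append(name)
    return {team: names for team, names in by_team.items() if len(names) > 1}
```

Running colliding_groups over the Okta groups selected for "Push Groups" shows which of them would end up with the same team name before any access is assigned through them.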