ContextQMD
Back to Cube

SCIM provisioning with Okta

docs-mintlify/admin/sso/okta/scim.mdx

1.6.434.9 KB
Original Source
<Note>

Available on Enterprise plan.

</Note>

Prerequisites

Before proceeding, ensure you have the following:

  • Okta SAML authentication already configured. If not, complete the SAML setup first.
  • Admin permissions in Cube Cloud.
  • Admin permissions in Okta to manage application integrations.

Enable SCIM provisioning in Cube Cloud

Before configuring SCIM in Okta, you need to enable SCIM provisioning in Cube Cloud:

  1. In Cube, navigate to Admin → Settings.
  2. In the SAML section, enable SCIM Provisioning.

Generate an API key in Cube Cloud

To allow Okta to communicate with Cube Cloud via SCIM, you'll need to create a dedicated API key:

  1. In Cube Cloud, navigate to Settings → API Keys.
  2. Create a new API key. Give it a descriptive name such as Okta SCIM.
  3. Copy the generated key and store it securely — you'll need it in the next step.

Enable SCIM provisioning in Okta

This section assumes you already have a Cube Cloud SAML app integration in Okta. If you haven't created one yet, follow the SAML setup guide first.

  1. In the Okta Admin Console, go to Applications → Applications and open your Cube Cloud application.
  2. On the General tab, click Edit in the App Settings section.
  3. Set the Provisioning field to SCIM and click Save.

Configure SCIM connection in Okta

  1. Navigate to the Provisioning tab of your Cube Cloud application.
  2. In the Settings → Integration section, click Edit.
  3. Fill in the following fields:
    • SCIM connector base URL — Your Cube Cloud deployment URL with /api/scim/v2 appended. For example: https://your-deployment.cubecloud.dev/api/scim/v2
    • Unique identifier field for usersuserName
    • Supported provisioning actions — Select Push New Users, Push Profile Updates, and Push Groups.
    • Authentication Mode — Select HTTP Header.
  4. In the HTTP Header section, paste the API key you generated earlier into the Authorization field.
  5. Click Test Connector Configuration to verify that Okta can reach Cube Cloud. Proceed once the test is successful.
  6. Click Save.

Configure provisioning actions

After saving the SCIM connection, configure which provisioning actions are enabled for your application:

  1. On the Provisioning tab, go to Settings → To App.
  2. Click Edit and enable the actions you want:
    • Create Users — Automatically create users in Cube Cloud when they are assigned in Okta.
    • Update User Attributes — Synchronize profile changes from Okta to Cube Cloud.
    • Deactivate Users — Deactivate users in Cube Cloud when they are unassigned or deactivated in Okta.
  3. Click Save.

Assign users and groups

For users and groups to be provisioned in Cube Cloud, you need to assign them to your Cube Cloud application in Okta. This is also required for group memberships to be correctly synchronized — pushing a group alone does not assign its members to the application.

  1. In your Cube Cloud application, navigate to the Assignments tab.
  2. Click Assign and choose Assign to Groups (or Assign to People for individual users).
  3. Select the groups or users you want to provision and click Assign, then click Done.
<Warning>

If users were assigned to the application before SCIM provisioning was enabled, Okta will show the following message in the Assignments tab: "User was assigned this application before Provisioning was enabled and not provisioned in the downstream application. Click Provision User."

To resolve this, click Provision User next to each affected user. This will trigger SCIM provisioning for them without needing to remove and re-add their assignment.

</Warning>

Push groups to Cube Cloud

To synchronize groups from Okta to Cube Cloud, you need to select which groups to push:

  1. In your Cube Cloud application, navigate to the Push Groups tab.
  2. Click Push Groups and choose how to find your groups — you can search by name or rule.
  3. Select the groups you want to push to Cube Cloud and click Save.

Default role for SCIM-provisioned users

Users created through SCIM receive the same default role configured for SAML auto-provisioning — there is no separate SCIM control. By default this is the Viewer role; to choose a different default role (including custom roles), see Default role for new users on the SAML setup page.

The default role only applies to users created by SCIM (POST /api/scim/v2/Users). Existing users are not modified by subsequent SCIM profile or group updates.