User provisioning with Okta
The Okta SCIM integration provides fine-tuned control of your Okta users in Front.
- Automatically create users in Front.
- Automatically block users when the Okta profile is suspended.
- Automatically map a new user to a Front teammate template, based on Okta roles.
To set up user provisioning with Okta, you must be a Company Admin.
Part 1: Enable SAML in Front settings
An API token is necessary for Okta and Front to communicate. You create this token in your Front settings and then paste it into the Okta configuration to enable SCIM provisioning.
Click the gear icon at the top right of Front, open the Company settings tab, and select Plugins & API from the left menu.
Create a new token with the Auto Provisioning scope.
Copy the token from Front.
Part 2: Configure provisioning in Okta
Next, you will configure provisioning in Okta in order to start creating and blocking users in Front.
From the Provisioning tab in Okta, select Integration and enable the API integration.
Enable the API integration and fill in the following:
- SCIM URL = https://scim.frontapp.com/v2 (should be preconfigured)
- OAuth Bearer token = the token you created and copied in Front (Part 1)
Verify the credentials.
Part 3: Provisioning with templates (optional)
If you want to automatically create your teammates with the correct access rights, you can use specific Front teammate templates. This requires a little more configuration.
Click the gear icon at the top right of Front, open the Company settings tab, and select Teammates from the left menu.
Copy the Front Template ID.
Next, configure Okta to use this template. You must add the attribute to the application's User Profile so that Okta sends it to Front.
From the Provisioning tab, scroll to the attribute mappings.
Go to the Profile Editor to add the new attribute: in the Profile Editor, click Add attribute.
You will be prompted with the following fields; use these values:
- Display Name: Teammate Template
- Variable name: teammateTemplate
- External name: roles.^[type=='template'].value
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- Description: Template to automatically assign preferences when creating a user
From there, go back to the attribute mappings screen in the Provisioning tab (Step 11). You should see the teammate template attribute, but it is not yet mapped to anything.
- Click Edit and choose how you want to map this attribute.
- In this example, we use Okta groups to map to the template ID you copied from Front.
- Okta's documentation describes its expression framework in more detail.
When you assign a user to this application, it should show the correct template applied.
Okta user groups and Front Teammate templates
The best way to scale creating new users is to link Front Teammate templates to Okta user groups. When giving an Okta user group access to Front, you can map templates to groups. Any Okta user added to such a group is then invited to Front with the permissions defined by the Teammate template mapped to that group.
What happens when I remove access to Front from Okta?
When you remove access to Front from Okta for a specific teammate, that teammate will be blocked. Should you re-authorize access to Front, the teammate will be unblocked automatically.
What happens when someone is deleted from Okta?
Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
What happens when someone is moved to a new Front group in Okta?
Front user permissions are not updated; the user retains the permissions from their old role. For example, if a user is moved from the "HR" group to the "Recruiting" group in Okta, the user keeps the "HR" role in Front.
What happens if a user belongs to multiple Front groups in Okta?
They will get the permissions of the first group in alphabetical order. For example, if a user belongs to “HR” and “Recruiting” groups in Okta, the user would be created with “HR” role in Front.
Does my username have to match Okta primary email?
When setting up your SCIM integration, UserName cannot be different from your Okta primary email. This field is used to match your existing Okta users to the corresponding Front teammates.
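To make the mapping in Part 3 and the FAQ rules above concrete, here is a constructed example (not Front's or Okta's code) of what the SCIM 2.0 core User that Okta sends to Front looks like once the Teammate Template attribute is mapped, how the external name `roles.^[type=='template'].value` selects the template ID from the multi-valued `roles` attribute, how a user in several mapped groups resolves to the first group alphabetically, how `userName` is checked against the Okta primary email, and why removal flips `active` rather than deleting the user. All template IDs, group names and e-mail addresses are placeholders; the case-insensitive e-mail comparison and the group-to-template table are assumptions for illustration.

```python
"""Constructed example: SCIM user payload and the provisioning rules
described on the page. Not Front's or Okta's own code."""
import copy

# External namespace from the attribute definition on the page.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Hypothetical Okta group -> Front template ID table. In a real setup the
# IDs come from Company settings > Teammates; these are placeholders.
GROUP_TO_TEMPLATE = {
    "Recruiting": "tmpl_recruiting_PLACEHOLDER",
    "HR": "tmpl_hr_PLACEHOLDER",
}


def resolve_template(okta_groups, group_to_template=GROUP_TO_TEMPLATE):
    """Choose the template for a user who is in several mapped groups.
    Per the FAQ, the first mapped group in alphabetical order wins, so a
    user in both "HR" and "Recruiting" ends up with the HR template.
    Groups with no mapping are ignored; returns None if none match."""
    mapped = sorted(g for g in okta_groups if g in group_to_template)
    return group_to_template[mapped[0]] if mapped else None


def build_scim_user(primary_email, given_name, family_name, template_id, active=True):
    """Build a SCIM 2.0 core User (RFC 7643) as Okta would POST it to
    https://scim.frontapp.com/v2. The template rides in the multi-valued
    'roles' attribute with type 'template', which is what the external
    name roles.^[type=='template'].value on the page refers to. userName
    is set to the Okta primary email because Front matches teammates on it."""
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": primary_email,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": primary_email, "primary": True, "type": "work"}],
        "active": active,
        "roles": [],
    }
    if template_id is not None:
        user["roles"].append({"type": "template", "value": template_id})
    return user


def extract_template(scim_user):
    """Evaluate the filter roles.^[type=='template'].value on a SCIM user:
    the value of the first role whose type is 'template', else None."""
    for role in scim_user.get("roles", []):
        if role.get("type") == "template":
            return role.get("value")
    return None


def username_matches_primary_email(scim_user, okta_primary_email):
    """The matching rule from the FAQ: userName must equal the Okta primary
    email or the user cannot be tied to the right Front teammate.
    Assumption: comparison is case-insensitive on the whole address."""
    return scim_user.get("userName", "").strip().lower() == okta_primary_email.strip().lower()


def deprovision(scim_user):
    """Model what happens when access is removed in Okta: the integration
    never deletes, it sets active=false, so the Front teammate is blocked
    and keeps its other attributes (and can be unblocked by re-assigning)."""
    blocked = copy.deepcopy(scim_user)
    blocked["active"] = False
    return blocked


if __name__ == "__main__":
    template = resolve_template(["Recruiting", "HR"])
    user = build_scim_user("ada@example.com", "Ada", "Lovelace", template)
    print("template from roles filter:", extract_template(user))
    print("userName matches primary email:", username_matches_primary_email(user, "Ada@Example.com"))
    print("active after deprovision:", deprovision(user)["active"])
```

Run it directly to see the resolved template, the userName check and the effect of deprovisioning; the functions are also usable on their own when reviewing what an identity provider sends to a SCIM endpoint.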
SCIM provisioning is available on the Enterprise plan or above. Some legacy plans with different names may also have this feature.