User provisioning with Okta
The Okta SCIM integration provides fine-tuned control of your Okta users in Front.
- Automatically create users in Front.
- Automatically block users when the Okta profile is suspended.
- Automatically map a new user to a Front teammate template, based on Okta roles.
- Sync Azure AD Groups to teammate Groups in Front.
- Update user attributes.
To set up user provisioning with Okta, you must be a Company Admin.
Part 1: Enable SAML in Front settings
An API key is necessary for Okta and Front to communicate. This API key can be configured in your Front settings. You will then use this token in the Okta configuration to enable SCIM provisioning.
Click the gear icon at the top right of Front, go to the Company settings tab, and select Developers from the left menu.
Create a new token with the Auto Provisioning scope.
Copy the token from Front.
Part 2: Configure provisioning in Okta
Next, you will configure provisioning in Okta in order to start creating and blocking users in Front.
In Okta, expand the Applications menu in the sidebar. Select Applications, then search for "Front" in the app catalog. Click Add integration to add the Front app.
You will be prompted to enter a label for the app (e.g. "Front") and your Front subdomain.
From the Sign On tab, select Email for the Application username format field, then click Save.
From the Provisioning tab, select Integration, and click Configure API integration. Check the box next to Enable API integration.
In the API Token field, enter the Front API token you created in Steps 1-3.
Click Test API credentials to verify the credentials, then click Save.
Navigate back to the Provisioning tab, then click Edit. Ensure the following options are enabled:
- Create Users
- Update User Attributes
- Deactivate Users
Part 3: Provisioning with templates (optional)
If you want to automatically create your teammates with the correct access, you will use specific Front teammate templates. This requires a little more configuration.
Click the gear icon at the top right of Front, go to the Company settings tab, and select Teammates from the left menu.
Create a new teammate template.
Copy the Front template ID.
Next you will need to configure Okta to use this template. You will need to configure the application User Profile in order for Okta to send this new attribute to Front.
From the Provisioning tab, scroll to the attribute mappings.
Go to the Profile Editor to add this new attribute. In the profile editor, click on Add Attribute.
Ensure the fields are set up like the following:
- Data type: string
- Display name: Teammate Template
- Variable name: teammateTemplate
- External name: roles.^[type=='template'].value
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- Description: Template to automatically assign preferences when creating a user
- User permission: Read-Write
From there, you can go back to the profile editor displayed in Step 12. You should see the teammate template, but it is not mapped to any attribute.
- Click Mappings, then select the Okta users to Front tab in the popup to choose how you want to map this attribute.
- In this example, we use Okta groups to map to the template ID you created in Front.
- Okta provides more information about their expression framework here
When you assign a user to this application, it should show you the right template applied.
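The external name roles.^[type=='template'].value selects the value of the first roles entry whose type is template. The sketch below is an added example, not Front's or Okta's code: it emulates that selection over constructed SCIM User resources and flags mappings that send no template, an unrecognized ID, or more than one template role. The payload shape, the placeholder template IDs and all function names are assumptions.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

def template_roles(resource):
    """All roles entries whose type is 'template', in payload order."""
    return [r for r in resource.get("roles", []) if r.get("type") == "template"]

def select_template(resource):
    """Emulate roles.^[type=='template'].value: value of the first match, else None."""
    matches = template_roles(resource)
    return matches[0].get("value") if matches else None

def audit(resource, known_templates):
    """Return findings for one SCIM User resource before it is provisioned."""
    findings = []
    if CORE_USER not in resource.get("schemas", []):
        findings.append("missing core User schema")
    matches = template_roles(resource)
    chosen = select_template(resource)
    if not matches:
        findings.append("no template role sent")
    elif not chosen:
        findings.append("template role has empty value")
    elif chosen not in known_templates:
        findings.append(f"unknown template id {chosen!r}")
    if len(matches) > 1:
        findings.append("multiple template roles: only the first is selected")
    return findings

# Constructed sample data; the IDs are placeholders, not real Front template IDs.
KNOWN = {"TEMPLATE_ID_SUPPORT", "TEMPLATE_ID_ADMIN"}

def user(name, roles):
    """Build a minimal SCIM User resource (assumed shape) for the samples."""
    return {"schemas": [CORE_USER], "userName": name, "active": True, "roles": roles}

SAMPLES = [
    user("alice@example.com", [{"type": "template", "value": "TEMPLATE_ID_SUPPORT"}]),
    user("bob@example.com", []),
    user("carol@example.com", [{"type": "template", "value": "TEMPLATE_ID_ADMIN"},
                               {"type": "template", "value": "TEMPLATE_ID_SUPPORT"}]),
    user("dave@example.com", [{"type": "template", "value": "TEMPLATE_ID_TYPO"}]),
]

def run():
    """Map each sample userName to its audit findings."""
    return {u["userName"]: audit(u, KNOWN) for u in SAMPLES}

if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings or "ok")
```

Because a template applies only when a teammate is invited, a mapping that resolves to the wrong or a missing template is worth catching before the first assignment.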
Part 4: Syncing Groups to teammate Groups (optional)
See this article for more information about syncing Groups from an Identity Provider, like Okta, to Front.
In Front, click the gear icon to navigate to Company settings. Click on Teammates, then go to the User provisioning tab.
Toggle on Enable Teammate Group Sync from your Identity Provider.
It is now possible to push Groups from Okta to Front. This is done from your Okta portal by navigating to your Front application and clicking on the Push Groups tab. For more information on managing Group push, see Okta’s Help Center article.
Okta user groups and Front Teammate templates
The best way to scale the creation of new users is to link Front Teammate templates to Okta user groups. When giving an Okta user group access to Front, you can map templates to groups. Any Okta user added to this group will then be invited to Front with the right permissions based on the Teammate template mapped to the group.
What happens when I remove access to Front from Okta?
When you remove access to Front from Okta for a specific teammate, that teammate will be blocked. Should you re-authorize access to Front, the teammate will be unblocked automatically. Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
What happens when someone is deleted from Okta?
Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
Will a teammate's template be updated if user attributes are changed in Okta?
No, a new template cannot be applied after a teammate has been created. Teammate templates can only apply at the time a teammate is invited.
Does my username have to match Okta primary email?
When setting up your SCIM integration, UserName cannot be different from your Okta primary email. This field is used to match your existing Okta users to the corresponding Front teammates.
SCIM provisioning is available on the Scale plan or above. Some legacy plans with different names may also have this feature.