User provisioning with Okta
The Okta SCIM integration provides fine-tuned control of your Okta users in Front.
- Automatically create users in Front.
- Automatically block users when the Okta profile is suspended.
- Automatically map a new user to a Front teammate template, based on Okta roles.
To set up user provisioning with Okta, you must be a Company Admin.
Part 1: Enable SAML in Front settings
Okta and Front communicate using an API token. You create this token in your Front settings, then use it in the Okta configuration to enable SCIM provisioning.
Click the gear icon at the top right of Front, open the Company settings tab, and select Plugins & API from the left menu.
Create a new token with the Auto Provisioning scope.
Copy the token from Front.
Part 2: Configure provisioning in Okta
Next, you will configure provisioning in Okta in order to start creating and blocking users in Front.
In Okta, expand the Applications menu in the sidebar. Select Applications, then search for "Front" in the app catalog. Click Add integration to add the Front app.
You will be prompted to enter a label for the app (e.g. "Front") and your Front subdomain.
From the Provisioning tab, select Integration, and click Configure API integration. Check the box next to Enable API integration.
In the API Token field, enter the Front API token you created in Steps 1-3.
Click Test API credentials to verify the credentials, then click Save.
Navigate back to the Provisioning tab, then click Edit. Ensure the following options are enabled:
- Create Users
- Update User Attributes
- Deactivate Users
Part 3: Provisioning with templates (optional)
If you want to automatically create your teammates with the correct access rights, use Front teammate templates. This requires a little more configuration.
Click the gear icon at the top right of Front, open the Company settings tab, and select Teammates from the left menu.
Copy the Front Template ID.
Next, configure Okta to use this template. To do so, configure the application User Profile so that Okta sends this new attribute to Front.
From the Provisioning tab, scroll to the attributes mappings.
Go to the Profile Editor to add this new attribute. In the profile editor, click on Add attribute.
Ensure the fields are set up like the following:
- Data type: string
- Display name: Teammate Template
- Variable name: teammateTemplate
- External name: roles.^[type=='template'].value
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- Description: Template to automatically assign preferences when creating a user
- User permission: Read-Write
From there, you can go back to the profile editor displayed in Step 12. You should see the teammate template, but it is not mapped to any attribute.
- Click Mappings, then select the tab Okta users to Front in the popup to choose how you want to map this attribute
- In this example, we use Okta groups to map to the template ID you created in Front
- Okta provides more information about their expression framework in its documentation
When you assign a user to this application, it should show you the right template applied.
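The following added example (not code from Front or Okta) shows what the external name `roles.^[type=='template'].value` selects in a SCIM User resource and checks a payload against it, along with the userName rule from the FAQ below. The payload shape follows the standard SCIM 2.0 core User schema and is an assumption about what is sent; the function names and the template ID placeholder are hypothetical, and the check assumes teammate templates are in use.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def build_scim_user(email, given_name, family_name, teammate_template=None):
    """Assumed shape of the User resource once teammateTemplate is mapped."""
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    if teammate_template:
        # External name roles.^[type=='template'].value targets this entry.
        user["roles"] = [{"type": "template", "value": teammate_template}]
    return user

def select_template(user):
    """roles.^[type=='template'].value: value of the first role typed 'template'."""
    for role in user.get("roles", []):
        if role.get("type") == "template":
            return role.get("value")
    return None

def check_payload(user):
    """List the problems that would stop the mapping from working as described."""
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("core User schema missing")
    primary = [e.get("value") for e in user.get("emails", []) if e.get("primary")]
    if len(primary) != 1:
        problems.append("expected exactly one primary email")
    elif user.get("userName") != primary[0]:
        problems.append("userName differs from primary email")
    if not select_template(user):
        problems.append("no roles entry of type 'template'")
    return problems

if __name__ == "__main__":
    # Constructed sample users; the template ID is a placeholder.
    good = build_scim_user("ana@example.com", "Ana", "Ng", "TEMPLATE_ID_PLACEHOLDER")
    bad = build_scim_user("bo@example.com", "Bo", "Li")
    bad["userName"] = "bo"
    print(check_payload(good))
    print(check_payload(bad))
```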
Okta user groups and Front Teammate templates
The best way to scale creating new users is to link Front Teammate templates to Okta user groups. When giving an Okta user group access to Front, you can map templates to groups. Any Okta user added to this group will then be invited to Front with the right permissions based on the Teammate template mapped to the group.
What happens when I remove access to Front from Okta?
When you remove access to Front from Okta for a specific teammate, that teammate will be blocked. Should you re-authorize access to Front, the teammate will be unblocked automatically. Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
What happens when someone is deleted from Okta?
Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
What happens when someone is moved to a new Front group in Okta?
Front user permissions are not updated. They would retain the permissions from their old role. For example, if a user is moved from "HR" to the "Recruiting" group in Okta, the user would keep the "HR" role in Front.
What happens if a user belongs to multiple Front groups in Okta?
They will get the permissions of the first group in alphabetical order. For example, if a user belongs to “HR” and “Recruiting” groups in Okta, the user would be created with “HR” role in Front.
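Because group moves do not update Front permissions and deleted Okta users remain blocked in Front, a periodic comparison of the two sides is a useful check. The following is an added example, not part of Front or Okta: it runs over constructed data, and the field names, finding labels and template ID placeholders are hypothetical, as is the case-insensitive reading of "alphabetical order".

```python
# Constructed sample data; template IDs are placeholders, field names hypothetical.
GROUP_TEMPLATES = {"HR": "TEMPLATE_ID_HR", "Recruiting": "TEMPLATE_ID_RECRUITING"}

OKTA_USERS = {  # userName (primary email) -> current Okta groups
    "ana@example.com": ["Recruiting"],        # moved from HR after creation
    "bo@example.com": ["Recruiting", "HR"],   # member of two mapped groups
    "cy@example.com": ["HR"],
}
FRONT_TEAMMATES = {  # email -> teammate state as recorded in Front
    "ana@example.com": {"template": "TEMPLATE_ID_HR", "blocked": False},
    "bo@example.com": {"template": "TEMPLATE_ID_HR", "blocked": False},
    "cy@example.com": {"template": "TEMPLATE_ID_HR", "blocked": False},
    "dee@example.com": {"template": "TEMPLATE_ID_HR", "blocked": True},  # deleted in Okta
}

def mapped_groups(groups):
    """Mapped groups in alphabetical order (case-insensitive is an assumption)."""
    return sorted((g for g in groups if g in GROUP_TEMPLATES), key=str.casefold)

def audit(okta_users, front_teammates):
    """Return (email, finding) pairs where Front differs from Okta's current view."""
    findings = []
    for email in sorted(front_teammates):
        mate = front_teammates[email]
        if email not in okta_users:
            # Deleted in Okta: the integration only blocks, so the record remains.
            kind = "orphan-blocked" if mate["blocked"] else "orphan-active"
            findings.append((email, kind))
            continue
        groups = mapped_groups(okta_users[email])
        if not groups:
            continue  # assigned outside a mapped group; nothing to compare
        # Creation-time rule from the FAQ: first group alphabetically wins.
        if mate["template"] != GROUP_TEMPLATES[groups[0]]:
            findings.append((email, "stale-template"))
        if len(groups) > 1:
            findings.append((email, "multiple-groups"))
    return findings

if __name__ == "__main__":
    for email, finding in audit(OKTA_USERS, FRONT_TEAMMATES):
        print(f"{email}: {finding}")
```

A "stale-template" finding marks a teammate whose Front permissions still reflect an earlier group, and "orphan-active" marks a Front account that is not blocked although the user no longer exists in Okta.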
Does my username have to match my Okta primary email?
When setting up your SCIM integration, UserName cannot be different from your Okta primary email. This field is used to match your existing Okta users to the corresponding Front teammates.
SCIM provisioning is available on the Scale plan. Some legacy plans with different names may also have this feature.