User provisioning with Okta
The Okta SCIM integration provides fine-tuned control of your Okta users in Front.
- Automatically create users in Front.
- Automatically block users when the Okta profile is suspended.
- Automatically map a new user to a Front teammate template, based on Okta roles.
To set up user provisioning with Okta, you must be a Company Admin.
Part 1: Enable SAML in Front settings
An API key is necessary for Okta and Front to communicate. This API key can be configured in your Front settings:
- Go to your settings. (See #1)
- Go on the menu “Plugins & API” and then, in the API menu. (See #2)
- Create a new token with “auto provisioning” scope (see #3)
- You can get your token value when you click on your token name (See #4)
- Use this token in the Okta configuration to enable SCIM provisioning.
Access your Settings in Front.
Click into Plugins & API and on the API tab.
Generate a new token with Auto Provisioning access.
Copy the token from Front.
Part 2: Configure provisioning in Okta
In this part, you will configure provisioning in Okta in order to start creating and blocking users in Front.
Enabling the provisioning tab of the application (Step 5)
- Click on integration
- Enable the API integration
- SCIM URL: https://scim.frontapp.com/v2 (should be preconfigured)
- OAuth Bearer token: <The token you created in Front, and copied>
- That’s it!
Enabling API integration in Okta
Configuring API token in Okta
Verifying access rights
Part 3: Provisioning with templates (optional)
If you want to automatically create your teammates with the correct access right, you will use specific Front teammate templates. This requires a little more configuration.
Click into Settings, then into Teammates. Choose the Teammate templates tab and click on Add a template.
Choose a name for your template and click on the Save button.
Copy the Front Template ID. Configuring Okta to use this template
We need to configure the application User Profile in order for Okta to send this new attribute to Front.
From the provisioning tab, scroll to the attributes mappings:
- Go to the profile editor to add this new attribute
- In the profile Editor, click on Add attribute
You will be prompted with the following fields to use:
- Display Name: Teammate Template
- Variable name: teammateTemplate
- warning External name: roles.^[type=='template'].value
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
- Description: Template to automatically assign preferences when creating a user
From there, you can go back to the screen displayed in Step 11. You should see the teammate template, but it is not mapped to any attribute.
- Click on Edit and you can chose how you want to map this attribute
- In this example, we use Okta groups to map to the template ID you created in Front
- Okta provides more information about their expression framework here
When you assign a user to this application, it should show you the right template applied
Okta user groups and Front Teammate templates
The best way to scale creating new users is to link Front Teammate template to Okta's user groups. When giving access to Front to an Okta user group, you can map templates to groups. Any Okta user added to this group will then be invited to Front with the right permissions based on the Teammate template mapped to the group.
What happens when I remove access to Front from Okta?
When you remove access to Front from Okta for a specific teammate, that teammate will be blocked. Should you re-authorize access to Front, the teammate will be unblocked automatically. Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
What happens when someone is deleted from Okta?
Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.
What happens when someone is moved to a new Front group in Okta?
Front user permissions are not updated. They would retain the permissions from their old role. For example, if a user is moved from "HR" to the "Recruiting" group in Okta, the user would keep the "HR" role in Front.
What happens if a user belongs to multiple Front groups in the Okta?
They will get the permissions of the first group in alphabetical order. For example, if a user belongs to “HR” and “Recruiting” groups in Okta, the user would be created with “HR” role in Front.
Does my username have to match Okta primary email?
When setting up your SCIM integration, UserName cannot be different from your Okta primary email. This field is used to match your existing Okta users to the corresponding Front teammates.
SCIM provisioning is available on the Enterprise plan or above. Some legacy plans with different names may also have this feature.