User provisioning with Okta


The Okta SCIM integration provides fine-tuned control of your Okta users in Front.

You can: 

  • Automatically create users in Front.
  • Automatically block users when the Okta profile is suspended.
  • Automatically map a new user to a Front teammate template, based on Okta roles.

To set up user provisioning with Okta, you must be a Company Admin.


Part 1: Enable SAML in Front settings

An API key is necessary for Okta and Front to communicate. This API key can be configured in your Front settings:

  • Go to your settings. (See #1)
  • Go on the menu “Plugins & API” and then, in the API menu. (See #2)
  • Create a new token with “auto provisioning” scope (see #3)
    • You can get your token value when you click on your token name (See #4)
  • Use this token in the Okta configuration to enable SCIM provisioning.

Step 1

Access your Settings in Front.

Step 2

Click into Plugins & API and on the API tab.

Step 3

Generate a new token with Auto Provisioning access.

Step 4

Copy the token from Front.

Part 2: Configure provisioning in Okta

In this part, you will configure provisioning in Okta in order to start creating and blocking users in Front.

Enabling the provisioning tab of the application (Step 5)

  • Click on integration
  • Enable the API integration
  • SCIM URL: (should be preconfigured)
  • OAuth Bearer token: <The token you created in Front, and copied>
  • That’s it!

Step 5

Enabling API integration in Okta

Step 6

Configuring API token in Okta

Step 7

Verifying access rights

Part 3: Provisioning with templates (optional)

If you want to automatically create your teammates with the correct access right, you will use specific Front teammate templates. This requires a little more configuration.

Step 8

Click into Settings, then into Teammates. Choose the Teammate templates tab and click on Add a template.

Step 9

Choose a name for your template and click on the Save button.

Step 10

Copy the Front Template ID. Configuring Okta to use this template

We need to configure the application User Profile in order for Okta to send this new attribute to Front. 

Step 11

From the provisioning tab, scroll to the attributes mappings:

Step 12

  • Go to the profile editor to add this new attribute
  • In the profile Editor, click on Add attribute

Step 13

You will be prompted with the following fields to use:

  • Display Name: Teammate Template
  • Variable name: teammateTemplate
  • warning External name: roles.^[type=='template'].value
  • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
  • Description: Template to automatically assign preferences when creating a user

Step 14

From there, you can go back to the screen displayed in Step 11. You should see the teammate template, but it is not mapped to any attribute.

  • Click on Edit and you can chose how you want to map this attribute
  • In this example, we use Okta groups to map to the template ID you created in Front
  • Okta provides more information about their expression framework here

Step 15

When you assign a user to this application, it should show you the right template applied 

Okta user groups and Front Teammate templates

The best way to scale creating new users is to link Front Teammate template to Okta's user groups. When giving access to Front to an Okta user group, you can map templates to groups. Any Okta user added to this group will then be invited to Front with the right permissions based on the Teammate template mapped to the group.

When you remove access to Front from Okta for a specific teammate, that teammate will be blocked. Should you re-authorize access to Front, the teammate will be unblocked automatically. Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.

What happens when someone is deleted from Okta?

Okta does not allow deleting via the integration, so users in Front are blocked, even if they are deleted in Okta.

What happens when someone is moved to a new Front group in Okta?

Front user permissions are not updated. They would retain the permissions from their old role. For example, if a user is moved from "HR" to the "Recruiting" group in Okta, the user would keep the "HR" role in Front.

What happens if a user belongs to multiple Front groups in the Okta?

They will get the permissions of the first group in alphabetical order. For example, if a user belongs to “HR” and “Recruiting” groups in Okta, the user would be created with “HR” role in Front.

Does my username have to match Okta primary email?

When setting up your SCIM integration, UserName cannot be different from your Okta primary email. This field is used to match your existing Okta users to the corresponding Front teammates.


SCIM provisioning is available on the Enterprise plan or above. Some legacy plans with different names may also have this feature. 

Reply Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
Like Follow
  • 2 mths agoLast active
  • 533Views
  • 1 Following