This feature is only available to customers on Pro and Premier plans. To upgrade, contact your Customer Success Manager or email@example.com.
SCIM provisioning allows you to do the following, all from Okta’s UI:
- Create users in Heap
- Update users in Heap
- Remove users in Heap
Okta offers ease of access, the ability to quickly block credentials for departed team members, multi-factor authentication, and more.
To set up SCIM provisioning with Okta, you’ll need to have the following:
- An existing Okta SSO configuration
- Admin access to your organization’s Heap account
- Administrator rights in your organization’s Okta account
If you set up your Heap application in Okta prior to April 2022, you will need to delete your existing Okta configuration and then create a new application using the instructions above in order to enable SCIM in your account.
Note that once SCIM provisioning is enabled, you will be unable to add or remove teammates in Heap and can only add or remove them via Okta.
To set up SCIM provisioning via Okta, complete these steps:
1. Log in to your Okta account
2. Click Admin
3. Click the Heap application
4. In the Sign On tab, ensure that Application username format is set to Email
5. Go to the Provisioning tab and click Configure API Integration
6. In Heap, go to Account > Manage > General Settings
7. Click Enable SCIM Provisioning in the Single Sign-On section
8. Select the role you would like new users to be given by default. This can be edited later and individual users can be given different roles after they have been added to Heap.
9. Copy the Bearer Token
10. In Okta, toggle Enable API Integration and paste the Bearer Token into the API Token field, then click Save
11. In the Provisioning Section, click on the To App tab and click Edit. Then enable the SCIM functionality you would like to support. It is recommended that you toggle all three options. Then click Save.
SCIM provisioning has now been enabled. Assigning new users to Heap in Okta will automatically create their account and revoking access will automatically delete their account.
Tips and Troubleshooting
- Deactivating a user in Okta will result in the user being removed from Heap. When the user is reactivated their account will be recreated in Heap.
- We do not currently support updating a user’s email or Okta userName once it has been set. Trying to update a user’s email will result in a new, separate account being created for the new email.
Managing user roles from Okta
By default all users will be assigned to the default role you selected when setting up SCIM provisioning. However, you can also assign roles to users using the Heap Role parameter in the Provisioning -> To App tab in Okta.
If a user has a value for this parameter then their account will be given that role in Heap. If they do not have a value for this parameter or this parameter is disabled then they will be given the default role.
The Heap Role should exactly match the name of the role in Heap that you want to assign to the user. If this value is updated in Okta, the user’s role will also be updated in Heap. However, the user’s role may also be changed in the Heap UI and this will not be reflected in the Okta parameter.
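Because role changes made in the Heap UI are not written back to Okta, the two can drift apart. The following is an added example, not Heap or Okta code: a small audit that applies the role rule described above to exported user lists and reports mismatches. The role names, default role, record layout and sample users are all constructed assumptions; how you export the lists from Okta and Heap is up to you.

```python
# Added example: audit role drift between Okta's "Heap Role" values and Heap.
# All records below are constructed sample data; field layouts are assumptions.

DEFAULT_ROLE = "Read Only"                      # assumed default role chosen during setup
HEAP_ROLES = {"Admin", "Analyst", "Read Only"}  # assumed role names defined in Heap

# Constructed export of Okta assignments: email -> Heap Role value (None = unset)
OKTA_ASSIGNMENTS = {
    "ana@example.com": "Admin",
    "bo@example.com": None,
    "cy@example.com": "analyst",     # wrong case, so not an exact match
    "di@example.com": "Analyst",
}

# Constructed export of current roles in Heap: email -> role
HEAP_USERS = {
    "ana@example.com": "Admin",
    "bo@example.com": "Admin",       # changed in the Heap UI, Okta is unaware
    "cy@example.com": "Read Only",
    "di@example.com": "Analyst",
    "eve@example.com": "Analyst",    # present in Heap but not assigned in Okta
}


def expected_role(heap_role_value, default=DEFAULT_ROLE):
    """Role per the rule above: the parameter value if set, else the default."""
    return heap_role_value if heap_role_value else default


def audit(okta, heap, roles=HEAP_ROLES, default=DEFAULT_ROLE):
    """Return (email, finding, detail) tuples for every discrepancy."""
    findings = []
    for email, value in sorted(okta.items()):
        if value and value not in roles:
            # Heap Role must exactly match a role name; compare without normalizing.
            findings.append((email, "no-exact-match", value))
            continue
        want = expected_role(value, default)
        have = heap.get(email)
        if have is None:
            findings.append((email, "missing-in-heap", want))
        elif have != want:
            findings.append((email, "drift", f"okta={want} heap={have}"))
    # With SCIM enabled, accounts are managed from Okta, so extras deserve review.
    for email in sorted(set(heap) - set(okta)):
        findings.append((email, "not-in-okta", heap[email]))
    return findings


if __name__ == "__main__":
    for finding in audit(OKTA_ASSIGNMENTS, HEAP_USERS):
        print(*finding, sep="\t")
```

Running it periodically against fresh exports surfaces users whose Heap role was raised in the Heap UI without a matching change in Okta.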