Why SSO?
Single Sign-On (SSO) integration allows your team to access SiftHub using their existing Okta credentials, eliminating the need for separate logins while ensuring secure access. This provides centralized authentication and enhanced security for your organization.
Why SCIM?
SCIM (System for Cross-domain Identity Management) automates user provisioning and management in SiftHub directly from your Okta dashboard. This means when you add, deactivate or update users in Okta, their SiftHub access is automatically managed, saving significant IT administration time.
Are both necessary?
While you can implement SSO without SCIM, we recommend using both for complete user lifecycle management. Here's what happens with SSO alone:
- Users can log in to SiftHub using Okta credentials
- BUT new users still need to be manually created in SiftHub as well as provisioned to access SiftHub in Okta
- When employees leave, their SiftHub accounts need manual deactivation
Using both SSO and SCIM automates the entire user lifecycle, from creation through updates to deletion, making it the recommended setup for enterprises.
This guide walks through step-by-step instructions for setting up SSO/SCIM using Okta for your SiftHub account.
Prerequisites
Before starting the setup, ensure you have:
- Administrator access to your Okta account
- Access to the "Security" > "Authentication" section in the "Settings" panel of the SiftHub Account.
(This is usually visible to users having the 'Account Owner' and 'Security Admin' roles in SiftHub. If the Account Owner has administrator access in Okta, they are equipped with the requisite permissions to complete the process. Otherwise, add the Okta administrator of your organization as a user in SiftHub with the Security Admin role. This user can be removed from SiftHub subsequently if you prefer so as to not consume an account license.)
- Valid login credentials (email and password) for SiftHub. (These will be deprecated once SSO with Okta is set up)
Step 1. Configure SiftHub SAML app integration in Okta
Before you can enable SSO for your organization’s users in SiftHub, add SiftHub as a SAML app integration to Okta.
- In the Okta Admin Console, go to Applications > Applications.
- Click “Create App Integration”.
- Select SAML 2.0 as the Sign-in method and Click “Next”.
- While filling out the general information for the integration, add the name as ‘SiftHub’ (recommended for easy identification). Click “Next”.
- Once you fill in the General Settings, click “Next” and proceed to Configure SAML.
- Now, log in to an Account Owner or Security Admin profile in SiftHub web app and go to Settings > Security.
- Click “Set up SSO”.
- Copy the Service Provider Details for your organization’s connection from SiftHub and paste them over to the corresponding fields in Okta. Click “Next”.
- Configure your app integration in Okta:
- Select ‘I'm an Okta customer adding an internal app’.
- Select ‘This is an internal app that we have created’.
- Click “Finish”.
Your integration is successfully created in your Okta org. You can modify your integration's parameters and assign it to users.
- Click “Test Connection”. If everything is done correctly, you will see a Success response.
If the connection fails, you’ll see an error, the reason for the error, and a way to solve that error right on the screen.
Note: Before completing this step, ensure you have assigned the SiftHub SAML app integration to your own user in Okta to avoid being locked out of your account.
- Proceed to Configure Attributes in Okta.
Add the Name and Value fields for the below Attributes in Okta:
i. Name: email | Value: user.email
ii. Name: firstName | Value: user.firstName
iii. Name: lastName | Value: user.lastName
- Go to the Assignments tab of the new SAML app you have created in Okta.
- Click “Assign” on the top navigation bar, select “Assign to Groups”.
Recommended best practices for provisioning access to apps in Okta are to
- Create a Group called ‘SiftHub’
- Add all users to whom you want to provide access to SiftHub including any existing Active or Invited users in SiftHub for your organization as well as your own user in this corresponding Group, and
- Assign the SiftHub SAML integration to the ‘SiftHub’ Group in Okta.
- If you want to continue assigning to individual users anyway, click “Assign to People” and click “Assign” next to the people you want to assign it to. Ensure that you have assigned the app to yourself to persist your current active session in SiftHub and avoid being locked out of your account. Click on Save and Go Back, and click on Done.
Please ensure that you assign the SiftHub SAML integration in Okta to all of your organization’s existing users in SiftHub to ensure they can log back in via SSO using their Okta credentials.
- A SAML Assertion is generated for the app. Click Next.
- An optional feedback screen is shown. Click Finish.
- On the Sign On tab of the SAML app you created, copy the “Metadata URL” from the “Metadata Details” section on Okta Admin Console.
- Under Identity Provider Configuration, select Configure using Metadata URL, and paste it under App Federation Metadata URL on the SSO Configuration Portal. Click “Update”.
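To check the Configure Attributes step before rolling SSO out, the following added example (not SiftHub's or Okta's code) parses a SAML assertion you captured yourself and reports which of the three attribute names from this guide are missing or empty. The sample assertion is constructed with made-up values, and the script inspects attributes only; it does not validate signatures.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # attribute names from this guide

# Constructed sample: a trimmed, unsigned assertion with two deliberate mistakes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def extract_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)  # only feed this XML you captured yourself
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_mapping(xml_text):
    """Return a list of problems; an empty list means all required attributes arrived."""
    attrs = extract_attributes(xml_text)
    problems = []
    for name in REQUIRED:
        if name not in attrs:
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f" (found '{near[0]}': case differs from the guide)" if near else ""
            problems.append(f"missing attribute '{name}'{hint}")
        elif not attrs[name]:
            problems.append(f"attribute '{name}' has no value")
    return problems

if __name__ == "__main__":
    for problem in check_mapping(SAMPLE_ASSERTION):
        print("FAIL:", problem)
```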
Step 2. Set up SCIM provisioning in SiftHub using Okta
- Go to the Okta admin dashboard and navigate to "Applications" in the main menu.
- Search for "SCIM 2.0 Test App (OAuth Bearer Token)" and select the corresponding result.
- Click "Add Integration" on the subsequent page.
- Provide a descriptive name for the app such as SiftHub SCIM, then proceed by clicking "Next".
Complete the application creation process by clicking "Done".
- Now log in to an Account Owner or Security Admin profile in SiftHub. Note that SSO setup needs to be completed before you can enable SCIM provisioning. Go to Settings > Security and click “Set up SCIM”.
- Under Directory Details, copy the Endpoint URL and Bearer Token for your organization. These allow SiftHub to listen to events and maintain synchronization with your organization.
- In your application's Enterprise Okta admin panel, navigate to the "Provisioning" tab and select "Configure API Integration".
- Paste the Endpoint URL and Bearer Token from SiftHub into the SCIM 2.0 Base URL field and OAuth Bearer Token field in Okta, respectively.
- Verify the configuration by clicking "Test API Credentials," then save the settings.
- Give provisioning permissions to the API integration. This is necessary to allow Okta to send and receive events to the app. Upon successful configuration, the Provisioning tab will display a new set of options. These options will be utilized to complete the provisioning process for your application.
In the "To App" navigation section, enable the following options:
- Create Users
- Update User Attributes
- Deactivate Users
After enabling these options, click "Save" to apply the changes. These settings allow Okta to perform user provisioning actions in your application, including creating new user accounts, updating existing user information, and deactivating user accounts when necessary.
- To assign users to the SAML Application, recommended best practices for provisioning access to apps in Okta are to
- Create a Group called ‘SiftHub’
- Add all users to whom you want to provide access to SiftHub including any existing Active or Invited users in SiftHub for your organization as well as your own user in this corresponding Group, and
- Assign the SiftHub SAML integration to the ‘SiftHub’ Group in Okta.
To push groups and sync group membership:
i. Navigate to the "Push Groups" tab.
ii. From the "Push Groups" dropdown, select "Find groups by name".
iii. Search for and select the group you want to push.
iv. Ensure the "Push Immediately" box is checked.
v. Click "Save".
- If you want to continue assigning to individual users anyway
i. Navigate to the "Assignments" tab.
ii. From the "Assign" dropdown, select "Assign to People".
iii. Choose the users you want to provision and click "Assign."
iv. A form will open for each user. Review and populate the user's metadata fields.
v. Scroll to the bottom and click "Save and Go Back."
vi. Repeat this process for all users, then select "Done."
- You can also optionally push the users and groups that you wish to assign to SiftHub, and map to the appropriate roles. Unassigned users will receive the default role.
- Okta recommends using separate groups for push groups and group assignments to ensure accurate membership reflection. Without this separation, manual group pushes may be required for membership changes.
After completing these steps, verify that the users and groups are successfully synced in the Administrator Portal.
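The three "To App" options enabled in Step 2 correspond to SCIM 2.0 operations defined in RFC 7644, each authenticated with the bearer token. The added example below (not SiftHub's or Okta's code) runs them against a toy in-memory directory to show that deactivation sets `active` to false rather than deleting the account, and that a wrong token is rejected. The `ToyScimDirectory` class, token and user are hypothetical and constructed; the exact requests Okta issues may differ.

```python
import hmac

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ToyScimDirectory:
    """In-memory stand-in for a SCIM 2.0 service provider (hypothetical)."""
    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}  # id -> SCIM User resource

    def handle(self, method, path, auth_header, body=None):
        """Return (HTTP status, resource or None) for one provisioning request."""
        expected = "Bearer " + self._token
        if not hmac.compare_digest(auth_header.encode(), expected.encode()):
            return 401, None  # wrong or missing bearer token
        if method == "POST" and path == "/Users":  # "Create Users"
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, None  # userName already provisioned
            uid = str(len(self.users) + 1)
            self.users[uid] = {**body, "id": uid, "active": body.get("active", True)}
            return 201, self.users[uid]
        uid = path.rsplit("/", 1)[-1]
        if method == "PATCH" and path.startswith("/Users/") and uid in self.users:
            for op in body["Operations"]:  # attribute update or deactivation
                if op["op"].lower() == "replace":
                    self.users[uid].update(op["value"])
            return 200, self.users[uid]
        return 404, None

def run_lifecycle():
    """Create, update, then deactivate one constructed user; return statuses and final user."""
    token = "constructed-token-123"  # constructed value, stands in for the copied Bearer Token
    d = ToyScimDirectory(token)
    auth = "Bearer " + token
    new_user = {"schemas": [USER_SCHEMA], "userName": "alice@example.com",
                "name": {"givenName": "Alice", "familyName": "Ng"}}
    def patch(value):
        return {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": value}]}
    s1, user = d.handle("POST", "/Users", auth, new_user)
    s2, _ = d.handle("PATCH", "/Users/" + user["id"], auth,
                     patch({"name": {"givenName": "Alice", "familyName": "Ng-Lee"}}))
    s3, user = d.handle("PATCH", "/Users/" + user["id"], auth, patch({"active": False}))
    s4, _ = d.handle("POST", "/Users", "Bearer wrong", new_user)
    return [s1, s2, s3, s4], user
```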
You have successfully completed the setup for SSO and SCIM for your organization’s users to access SiftHub using their Okta credentials.