System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in Okta you will need to have the involvement of both the monday.com admin and the manager of your Okta account. 

SCIM capabilities supported in monday.com

• Provisioning of Users
• Deprovisioning of Users
• Provisioning of Teams
• Deprovisioning of Teams
• Team Renaming
• Updating User Details
• Assigning Users to Teams
• Unassigning Users from Teams
• Changing User’s Password

Configuration

Step 1 - Add monday.com to Okta

Go to your Okta admin page and switch to classic UI by clicking on the developer console:

Then click on applications, click add app, and search for monday.com in the app store:

Step 2 - Go to Provisioning

Go to the Okta Admin page and select the monday.com application from the list. Then select the tab “Provisioning”

Then click on the settings tab “Integration”. Click on configure API Integration:

Step 3 -  Go to monday.com admin section to retrieve the provisioning token

• Open up your monday.com account
• Click on your avatar > admin
• Go to the security page
• Click on SCIM

Here you can generate a token and then copy and paste it into Okta. 

Step 4 - Enable Provisioning

Paste the API Token into Okta and test the API Credentials:

Once you receive verification that the credentials are valid, click save

Step 5 - Complete your setup

Click on the To App tab in the settings and enable all of the abilities you will need to work with monday.com

Set Up User Provisioning

Go to the assignments tab under your monday.com app and then click on assign and choose to assign people or groups to the monday.com app. 

Note: If you deprovision a user from the monday.com app, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count

User Attributes

These fields are supported for mapping user attributes:

• Name (can’t contain special characters)
• Email (must be lowercase)
• userType (admin, member, viewer, guest)
• Title (user’s position listed in Profile Section)
• Active (whether or not a user is enabled or disabled)
• Timezone
• Locale (Language)
• Phone number
• Address

Note: Username should always be the user’s email address.

Set Up User Type Attribute

You can provision the monday.com user type by creating a custom attribute in Okta.

The optional user types are:

• admin
• member
• viewer
• guest

Note: Read all about monday.com user types in this article.

Steps:

1. Click the Directory tab, then select Profile Editor

2. Click the Add Attribute button

3. Fill out the fields and click Save (at the bottom):

Note: External name value should be "userType" and External namespace is "urn:ietf:params:scim:schemas:core:2.0:User"

Set Up Team Provisioning

What does it mean to push a group into monday.com? When you push a group into monday.com you will create a new Team in your account with all the users that are assigned to that group in Okta. 

Important Note: If you assign a group to monday.com app within Okta, and there is a monday.com team with the same name, then the Okta group will replace it.
For privacy measures, we recommend coordinating the team provisioning with the monday.com admin, in order to avoid users losing access to their data or users gaining access non-intendedly.

Before pushing a group into monday.com, first, make sure to assign the group to the monday.com account. It is important to assign the group before you push the group because the group cannot be pushed unless all the users in the group are already in the monday.com account. 

Steps:

1. Assign the group to your monday.com account

2. Click on the Push Groups tab and click the button “Push Groups”

3. Select the group you would like to push into monday.com and press save

FAQs

• What happens if the admin who set up the initial SCIM token is no longer admin (their user type changed or they were deactivated)?

If the original admin who created the SCIM provisioning token on your account was deactivated or changed to a different user type (member, guest, or viewer), SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the account can generate a new token and enter it into the identity provider.

• How can an admin generate a new SCIM token?

  • To generate a new SCIM token, open up the admin section of your account. From there, press on the "Security" tab, open up the SCIM section, click on the "Generate" button and copy the generated token.

    

    After entering this token into your identity provider, you should be all set!

• What happens if I change my personal attributes in my monday.com account? 

The sync with Okta is a one-way sync, and any changes made to a user profile in the monday.com profile or teams page will be overwritten the next time Okta syncs with your account. 

What does this mean? 

• To change any attributes of the user profile you will need to update them in Okta
• In order to add users to teams or remove users from teams created by Okta (see: push groups), you will need to make these changes in Okta
• If you create a Team in monday.com that is not a group in Okta it will not be affected by the groups in Okta. 

• What happens if I add users to a team in my monday.com account? 

If that team is provisioned by Okta, these users will eventually be kicked out of the team and replaced by users that are provisioned to the matching Okta Group, otherwise when you add users to a team in your monday.com account, they will remain in that team.

If you have any questions, please reach out to our team by using our contact form. We're available 24/7 and happy to help!