
SCIM Provisioning of Users and Teams with OKTA

 

System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in Okta you will need to have the involvement of both the monday.com admin and the manager of your Okta account. 

 

SCIM capabilities supported in monday.com

  • Provisioning of Users
  • Deprovisioning of Users
  • Provisioning of Teams
  • Deprovisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Unassigning Users from Teams
  • Changing User’s Password

 

Configuration

  • Step 1 - Add monday.com to Okta

Go to your Okta admin page and switch to the "Classic UI" by clicking on the developer console:


Then click on applications, click add app, and search for monday.com in the app store:


 

  • Step 2 - Go to Provisioning

Go to the Okta Admin page and select the monday.com application from the list. Then select the “Provisioning” tab.

Then click on the settings tab “Integration” and then "Configure API Integration":


 

  • Step 3 - Go to the monday.com admin section to retrieve the provisioning token

To do this, open up your monday.com account, click on your profile picture in the bottom left corner, and then select "Admin". From the admin section of your account, click on "Security" on the left side and then go to the SCIM section.

Here you can generate a token and then copy and paste it into Okta. 

 

  • Step 4 - Enable Provisioning

Paste the API Token into Okta and test the API Credentials:

Once you receive verification that the credentials are valid, click save.

 

  • Step 5 - Complete your setup

Click on the "To App" tab in the settings and enable all of the abilities you will need to work with monday.com.


 

Set up user provisioning

Go to the assignments tab under your monday.com app and then click on assign and choose to assign people or groups to the monday.com app. 

Note: If you de-provision a user from the monday.com app, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count.

  

User attributes

These fields are supported for mapping user attributes:

  • Name (can’t contain special characters)
  • Email (must be lowercase)
  • userType (admin, member, viewer, guest, custom roles)
  • Title (user’s position listed in Profile Section)
  • Active (whether or not a user is enabled or disabled)
  • Timezone
  • Locale (Language)
  • Phone number
  • Address

Note: The username should always be the user’s email address.

 

Do note, when using Okta for both SCIM provisioning and SSO login:

  • When a user is created via SCIM provisioning, their email can be mapped to any valid email field you choose, but the email used during SSO login is always the 'user.email'
  • If you intend to use SSO login in addition to SCIM provisioning, you need to ensure the email used for SCIM provisioning is mapped to 'user.email' or to a field that holds an equivalent value
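
The attribute rules and the SSO email requirement above can be checked before users are assigned in Okta. The following is an added example, not monday.com or Okta code: `check_scim_user` is a hypothetical helper that takes a SCIM 2.0 core User resource, the Okta `user.email` value, and the custom role IDs copied from monday.com. The set of characters it accepts in names is an assumption, since the page does not define "special characters".

```python
import re

# User types listed on this page; custom roles are supplied by ID.
BUILTIN_USER_TYPES = {"admin", "member", "viewer", "guest"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the page does not define "special characters". This check
# allows letters, digits, spaces, hyphens, apostrophes and periods.
NAME_EXTRA = set(" -'.")


def check_scim_user(user, sso_email=None, custom_role_ids=frozenset()):
    """Return a list of problems found in a SCIM 2.0 core User resource."""
    problems = []
    user_name = user.get("userName", "")
    emails = user.get("emails", [])
    values = [e.get("value", "") for e in emails]
    primary = next((e.get("value", "") for e in emails if e.get("primary")),
                   values[0] if values else "")

    if not EMAIL_RE.match(user_name):
        problems.append("userName is not an email address")
    for addr in sorted({user_name, *values}):
        if addr != addr.lower():
            problems.append(f"email not lowercase: {addr}")
    for part, text in sorted(user.get("name", {}).items()):
        if any(not (ch.isalnum() or ch in NAME_EXTRA) for ch in text):
            problems.append(f"special character in name.{part}")
    user_type = user.get("userType")
    if user_type is not None and user_type not in (
            BUILTIN_USER_TYPES | set(custom_role_ids)):
        problems.append(f"unknown userType: {user_type}")
    # SSO login always uses Okta's user.email, so the provisioned
    # address has to hold the same value.
    if sso_email is not None and primary != sso_email:
        problems.append("SCIM email differs from SSO user.email")
    return problems


# Constructed sample resources, not real accounts.
GOOD = {"userName": "dana.lee@example.com", "userType": "member",
        "name": {"givenName": "Dana", "familyName": "Lee"},
        "emails": [{"value": "dana.lee@example.com", "primary": True}]}
BAD = {"userName": "Sam.Roe@example.com", "userType": "owner",
       "name": {"givenName": "Sam", "familyName": "Roe <ops>"},
       "emails": [{"value": "s.roe@corp.example", "primary": True}]}

if __name__ == "__main__":
    print(check_scim_user(GOOD, sso_email="dana.lee@example.com"))
    print(check_scim_user(BAD, sso_email="sam.roe@example.com"))
```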

 

Set up user type attribute

You can provision the monday.com user type by creating a custom attribute in Okta.

The optional user types are:

  • admin
  • member
  • viewer
  • guest
  • or custom role id

 

To set up SCIM provisioning to support custom roles as user types:

  1. Configure the relevant custom role on monday.com as described in this article.
  2. Copy the custom role ID. This can be done from the account permissions center, by clicking on the three-dot menu right next to the role name and then "Copy ID".

Note: You can read all about monday.com user types in this article.

 

 

Steps:

  1. Click the Directory tab, then select Profile Editor
  2. Click the Add Attribute button
  3. Fill out the fields and click Save (at the bottom):


Note: External name value should be "userType" and External namespace is "urn:ietf:params:scim:schemas:core:2.0:User"


Set up team provisioning

What does it mean to push a group into monday.com? When you push a group into monday.com you will create a new team in your account with all the users that are assigned to that group in Okta. 

Important Note: If you assign a group to the monday.com app within Okta, and there is a monday.com team with the same name, then the Okta group will replace it.
For privacy reasons, we recommend coordinating the team provisioning with the monday.com admin, in order to avoid users losing access to their data or unintentionally gaining access.

 

Before pushing a group into monday.com, first, make sure to assign the group to the monday.com account. It is important to assign the group before you push the group because the group cannot be pushed unless all the users in the group are already in the monday.com account. 

Steps:

1. Assign the group to your monday.com account

2. Click on the Push Groups tab and click the button “Push Groups”


3. Select the group you would like to push into monday.com and click "Save"
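
The two risks described in this section (a pushed group replacing a same-named team, and a push failing because members are not yet assigned) can be reviewed before pushing. This is an added example, not monday.com or Okta code: `plan_group_push` is a hypothetical helper, the inputs are assumed to be exported as name-to-member mappings, and team names are assumed to match exactly.

```python
def plan_group_push(okta_groups, assigned_users, monday_teams):
    """Pre-check each Okta group before it is pushed as a monday.com team.

    okta_groups / monday_teams: {name: set of user emails}
    assigned_users: emails already assigned to the monday.com app in Okta
    """
    report = {}
    for name, members in sorted(okta_groups.items()):
        entry = {
            # Members not yet assigned to the app block the push.
            "unassigned": sorted(members - assigned_users),
            "replaces_existing_team": name in monday_teams,
            "lose_team_access": [],
            "gain_team_access": [],
        }
        if name in monday_teams:
            # The Okta group replaces the team, so membership changes to
            # whatever the Okta group contains.
            current = monday_teams[name]
            entry["lose_team_access"] = sorted(current - members)
            entry["gain_team_access"] = sorted(members - current)
        entry["safe_to_push"] = not (entry["unassigned"]
                                     or entry["lose_team_access"]
                                     or entry["gain_team_access"])
        report[name] = entry
    return report


# Constructed sample data, not real accounts.
OKTA_GROUPS = {
    "Design": {"ana@example.com", "bo@example.com"},
    "Finance": {"cy@example.com", "di@example.com"},
}
ASSIGNED = {"ana@example.com", "bo@example.com", "cy@example.com"}
MONDAY_TEAMS = {"Finance": {"cy@example.com", "eve@example.com"}}

if __name__ == "__main__":
    for team, entry in plan_group_push(OKTA_GROUPS, ASSIGNED,
                                       MONDAY_TEAMS).items():
        print(team, entry)
```

Any group reported with `safe_to_push` set to false is one to coordinate with the monday.com admin before pushing.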


 

Error Handling

The table below lists error codes and their possible reasons. The third column gives resolution suggestions:

[Image: table of error codes, possible reasons, and resolution suggestions]

 

FAQs

We've outlined a list of SCIM-related frequently asked questions for you. Click on this link here to check them out!

 

 


 
