# Okta SCIM Setup

This guide outlines the process for setting up SCIM (System for Cross-domain Identity
Management) integration between Statsig and Okta. This integration allows for automated
user provisioning and management.

## Prerequisites

* An Okta account with admin access
* A SCIM Key from the [Statsig Console](/access-management/scim/overview#how-to-obtain-scim-auth-key) (requires Statsig Org Admin rights)

<Note>
  ### Integration Notes

  * User email management is not enabled on SCIM yet.
  * When a user is removed from Statsig, they will be automatically unassigned in Okta. Conversely, if a user is unassigned or deactivated in Okta, they will be removed from the Statsig Organization.
  * Creation of Statsig Projects and Roles is not supported via SCIM.
</Note>

## Step 1: Create a New App Integration in Okta

* Log in to your Okta admin console
* Navigate to Applications > Applications > Create App Integration
* Select "SWA - Secure Web Authentication"

<Frame>
  <img src="https://mintcdn.com/statsig-4b2ff144-serverless-cloudflare/07-Ip8yoBF41fH_r/images/okta_scim_steps/step1-create-new-custom-integration.png?fit=max&auto=format&n=07-Ip8yoBF41fH_r&q=85&s=115af48de49eeaa6544437da5fba53ef" alt="img" width="2078" height="1378" data-path="images/okta_scim_steps/step1-create-new-custom-integration.png" />
</Frame>

## Step 2: Configure App Settings

* Set the App name to "Statsig SCIM"
* Enter a placeholder URL for the App Login Page (this field is required but is not used for SCIM), for example `https://console.statsig.com/`

<Frame>
  <img src="https://mintcdn.com/statsig-4b2ff144-serverless-cloudflare/07-Ip8yoBF41fH_r/images/okta_scim_steps/step2-configure-app-settings.png?fit=max&auto=format&n=07-Ip8yoBF41fH_r&q=85&s=d44522903352c46c757b8bea269361e0" alt="img" width="1514" height="1308" data-path="images/okta_scim_steps/step2-configure-app-settings.png" />
</Frame>

## Step 3: Enable SCIM Provisioning

* After creating the integration, go to the "General" tab
* Click on "Edit" in the "Provisioning" section
* Enable "SCIM Provisioning"

<Frame>
  <img src="https://mintcdn.com/statsig-4b2ff144-serverless-cloudflare/07-Ip8yoBF41fH_r/images/okta_scim_steps/step3-enable-scim.png?fit=max&auto=format&n=07-Ip8yoBF41fH_r&q=85&s=7f092729f84a9afd94f7afcf35f4cc39" alt="img" width="1538" height="1326" data-path="images/okta_scim_steps/step3-enable-scim.png" />
</Frame>

## Step 4: Configure SCIM Settings

<Note>
  `Import Groups` requires an Okta flag `SELECTIVE_APP_IMPORT_PLATFORM`. If this flag is enabled for your organization, please select this option. If it is not, leave it unchecked.
</Note>

* Navigate to the `Provisioning` tab
* Set the SCIM connector base URL to: [https://statsigapi.net/scim](https://statsigapi.net/scim)
* Set "Unique identifier field for users" to `userName`
* Enable the following options:
  * `Import New Users and Profile Update`
  * `Push New Users`
  * `Push Profile Updates`
  * `Push Groups`
  * `Import Groups` (Only if your organization has the `SELECTIVE_APP_IMPORT_PLATFORM` flag enabled, see note above)
* Set the authentication mode to "HTTP Header"
* For the authorization header, use the SCIM Bearer token generated in Statsig by your Org Admin. See [How to Obtain SCIM Auth Key](/access-management/scim/overview#how-to-obtain-scim-auth-key) for more details.

<Frame>
  <img src="https://mintcdn.com/statsig-4b2ff144-serverless-cloudflare/07-Ip8yoBF41fH_r/images/okta_scim_steps/step4.png?fit=max&auto=format&n=07-Ip8yoBF41fH_r&q=85&s=3fa113ab9243d73e33930d5aeb0211dd" alt="img" width="2038" height="1836" data-path="images/okta_scim_steps/step4.png" />
</Frame>

## Step 5: Configure Okta to Statsig Settings

* Enable "Create Users"
* Enable "Update User Attributes"
* Enable "Deactivate Users"

<Frame>
  <img src="https://mintcdn.com/statsig-4b2ff144-serverless-cloudflare/07-Ip8yoBF41fH_r/images/okta_scim_steps/step5-configure-okta-to-statsig-settings.png?fit=max&auto=format&n=07-Ip8yoBF41fH_r&q=85&s=46f2ea39da771d731ecd9fd151beb84f" alt="img" width="2038" height="1766" data-path="images/okta_scim_steps/step5-configure-okta-to-statsig-settings.png" />
</Frame>

## Step 6: Import Existing Statsig Users and Groups

* In Okta, go to the Statsig app's "Import" tab
* Click "Import Now" to fetch existing Statsig users and groups
* Process the imported users as needed

<Frame>
  <img src="https://mintcdn.com/statsig-4b2ff144-serverless-cloudflare/07-Ip8yoBF41fH_r/images/okta_scim_steps/step6-import-existing-users.png?fit=max&auto=format&n=07-Ip8yoBF41fH_r&q=85&s=4ee46496174d9425f07f7938bcbdfdc9" alt="img" width="2040" height="1440" data-path="images/okta_scim_steps/step6-import-existing-users.png" />
</Frame>
