Set up SCIM with Okta EnterpriseEnterprise +
System for Cross-Domain Identity Management (SCIM) license mapping is currently only supported for Okta. For other providers, license types must be managed within the dbt platform user interface.
Prerequisites
- Available on Enterprise or Enterprise+ plans.
- You must use Okta as your single sign-on (SSO) provider and have it connected in the dbt platform.
- You must have permissions to configure the account settings in dbt platform.
- Complete setup SSO with Okta before configuring SCIM settings.
- Complete the Set up SCIM to get your SCIM base URL and token.
Set up Okta
-
Log in to your Okta account and locate the app configured for the dbt SSO integration.
-
Navigate to the General tab and ensure Enable SCIM provisioning is selected or the Provisioning tab will not be displayed.
Enable SCIM provisioning in Okta. -
Open the Provisioning tab and select Integration.
-
Enter the SCIM base URL from Set up SCIM in the first field, then enter your preferred Unique identifier field for users — we recommend
userName. -
Select the boxes for the following Supported provisioning actions:
- Push New Users
- Push Profile Updates
- Push Groups
- Import New Users and Profile Updates (Optional for users created before SSO/SCIM setup)
-
From the Authentication mode dropdown, select HTTP Header.
-
In the Authorization section, enter the token from dbt into the Bearer field.
The completed SCIM configuration in the Okta app. -
Ensure the following provisioning actions are selected:
- Create Users
- Update User Attributes
- Deactivate Users
Ensure the users are properly provisioned with these settings. -
Test the connection and click Save once completed.
You've now configured SCIM for the Okta SSO integration in dbt platform. You can manage user licenses with SCIM to set license type for users as they are provisioned.
SCIM username format
For dbt platform SCIM with Okta, userName must be the email address format. dbt platform uses userName to look up existing users during SCIM sync. If Okta sends another format (such as an Okta internal ID like 00u... or an employee ID), dbt platform cannot match the existing user, and provisioning will fail.
If your Okta configurations map the Username field to a different attribute, set your Okta app config to Email:
- Open the SAML app created for the dbt integration.
- In the Sign on tab, click Edit in the Settings pane.
- Set the Application username format field to Email.
- Click Save.
When you use both SSO and SCIM with Okta, the SAML Application username format must be Email. SCIM requires userName in email address format, and it must be the same value as the email attribute so users match between SSO and provisioning.
SCIM license mapping
To automate seat assignments in Okta for users as they are provisioned, see Manage user licenses with SCIM.
Existing Okta integrations
If you are adding SCIM to an existing Okta integration in dbt (as opposed to setting up SCIM and SSO concurrently for the first time), be aware of the following behavior:
- Users and groups already synced to dbt will become SCIM-managed once you complete the SCIM configuration.
- (Recommended) Import and manage existing dbt groups and users with Okta's Import Groups and Import Users features. Update the groups in your IdP with the same naming convention used for dbt groups. New users, groups, and changes to existing profiles will be automatically imported into dbt.
- Ensure the Import users and profile updates and Import Groups boxes are selected under the Provisioning settings tab in the Okta SCIM configuration.
- Use Import Users to sync all users from dbt, including previously deleted users, if you need to re-provision those users.
- Read more about this feature in the Okta documentation.
To set license type for users as they are provisioned, see Manage user licenses with SCIM.
Was this page helpful?
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
