Set up SCIM with Okta
Step-by-step guide to connect Okta to Scrydon via SCIM 2.0 for automated user and group provisioning.
This guide walks you through connecting Okta to Scrydon so that users and groups in Okta are automatically provisioned into your Scrydon organization.
Prerequisites
- Scrydon org admin role.
- Okta tenant with Super Admin privileges (or a custom admin role that can create and configure applications with provisioning).
- SSO already configured between Okta and Scrydon. Finish SSO setup from
Settings → Platform → Identity → Single Sign-On before continuing.
Okta's SCIM integration reuses the same Okta application that hosts the SSO connection. Do not create a second application for SCIM — configure provisioning on the existing Scrydon app.
Part 1 — Generate a Scrydon SCIM token
Open the Identity settings page
Sign in to Scrydon as an org admin and navigate to
Settings → Platform → Identity.
Switch to the Provisioning tab
Click the Provisioning (SCIM) tab next to Single Sign-On.
Copy the SCIM endpoint URL
Under SCIM Endpoint, copy the Tenant URL. It looks like:
https://auth.YOUR-TENANT.scrydon.com/api/auth/scim/v2
Generate a provisioning token
Click Generate Token. Enter a label such as okta-prod and click Generate.
The raw token is shown exactly once. Copy it immediately. Scrydon cannot display it again.
Part 2 — Enable provisioning in Okta
Open the Scrydon application in Okta
Sign in to the Okta admin console and navigate to Applications → Applications. Open the Scrydon application you created during SSO setup.
Open the Provisioning tab
Click the Provisioning tab at the top of the application page.
Configure the SCIM integration
Click Configure API Integration. Check Enable API integration.
Two fields appear:
| Field | Value |
|---|---|
| SCIM 2.0 Base URL | The Tenant URL from Scrydon, e.g. https://auth.YOUR-TENANT.scrydon.com/api/auth/scim/v2 |
| OAuth Bearer Token | The raw token you generated in Part 1 |
Test the API credentials
Click Test API Credentials. Okta sends a request to Scrydon's
/scim/v2/ServiceProviderConfig endpoint.
On success, you'll see "The API credentials were verified successfully."
If the test fails: verify the Base URL ends in /scim/v2 (no trailing
slash), the bearer token has no extra whitespace, and the token has not
been revoked in Scrydon.
Save the integration
Click Save. Additional provisioning sub-tabs appear: To App and To Okta.
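If Test API Credentials keeps failing, the same checks can be run outside Okta. The script below is an added example, not Scrydon or Okta code: it validates the Base URL and token against the failure causes listed above and then sends a GET to ServiceProviderConfig. The environment variable names SCIM_BASE_URL and SCIM_TOKEN are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def preflight(base_url: str, token: str) -> list[str]:
    """Return the problems found; an empty list means the values look sane."""
    problems = []
    parts = urlsplit(base_url.strip())
    if base_url != base_url.strip():
        problems.append("base URL has leading or trailing whitespace")
    if parts.scheme != "https":
        problems.append("base URL must use https: the token travels in a header")
    if parts.path.endswith("/"):
        problems.append("base URL has a trailing slash")
    elif not parts.path.endswith("/scim/v2"):
        problems.append("base URL does not end in /scim/v2")
    if not token:
        problems.append("token is empty")
    elif any(ch.isspace() for ch in token):
        problems.append("token contains whitespace, often a copied newline")
    return problems


def build_request(base_url: str, token: str) -> urllib.request.Request:
    """GET <base>/ServiceProviderConfig with the token as a bearer credential."""
    return urllib.request.Request(
        base_url + "/ServiceProviderConfig",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
    )


if __name__ == "__main__":
    # SCIM_BASE_URL and SCIM_TOKEN are assumed variable names. Reading the
    # token from the environment keeps it out of the process argument list.
    url, tok = os.environ["SCIM_BASE_URL"], os.environ["SCIM_TOKEN"]
    issues = preflight(url, tok)
    if issues:
        raise SystemExit("\n".join(issues))
    try:
        with urllib.request.urlopen(build_request(url, tok), timeout=10) as resp:
            print("HTTP", resp.status)
    except urllib.error.HTTPError as err:
        # Per the troubleshooting table, 401 means an invalid or revoked token.
        print("HTTP", err.code)
```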
Part 3 — Enable provisioning features
Open the "To App" settings
Click Provisioning → To App → Edit.
Enable the supported operations
Enable these operations:
- ✅ Create Users — creates a user in Scrydon when they are assigned in Okta
- ✅ Update User Attributes — propagates attribute changes (name, etc.)
- ✅ Deactivate Users — deactivates the user in Scrydon when unassigned in Okta
- ❌ Sync Password — do not enable. Scrydon users authenticate via SSO, not via SCIM-synced passwords. Leave this off.
Click Save.
Review the attribute mappings
Scroll down to the Scrydon Attribute Mappings section. The default mappings are compatible with Scrydon; specifically verify:
| Scrydon attribute | Mapping |
|---|---|
| userName | user.login or user.email |
| emails[type eq "work"].value | user.email (required) |
| name.givenName | user.firstName |
| name.familyName | user.lastName |
| externalId | user.id (Okta's stable identifier) |
Scrydon uses email as the primary reconciliation key. Users with the same email address that already exist in Scrydon will be automatically linked rather than duplicated.
Part 4 — Assign users and groups
Open the Assignments tab
Click the Assignments tab on the Scrydon application in Okta.
Assign users or groups
Click Assign → Assign to People (for individual users) or Assign → Assign to Groups (for groups).
Search for the users or groups you want to provision. Click Assign next to each, then Done.
Push Okta groups to Scrydon
Click the Push Groups tab.
Click Push Groups → Find groups by name, enter the group name, and click Save. Okta starts syncing the group and its members to Scrydon.
Pushed Okta groups become Scrydon Teams. The group's display name in Okta becomes the team name in Scrydon.
Part 5 — Verify the sync
Check users in Scrydon
In Scrydon, navigate to Settings → Organization → Members. The assigned
Okta users should appear within a minute or two of assignment.
Check teams in Scrydon
Navigate to Settings → Organization → Teams. The pushed Okta groups
should appear as Scrydon Teams with the correct member lists.
Check the audit log
Navigate to Settings → Platform → Audit Logs and filter on events
starting with scim.. You should see entries like:
- scim.user.provisioned — new user created
- scim.user.linked — existing Scrydon user matched to an Okta identity by email
- scim.group.created — new team provisioned from an Okta group push
Importing existing users
If you already have users in Okta that you want to link to existing Scrydon accounts, use Okta's Import feature:
- Go to the Import tab on the Scrydon application in Okta.
- Click Import Now. Okta fetches the user list from Scrydon via GET /scim/v2/Users.
- Review the matches. Okta auto-matches by email address.
- Confirm the assignments.
Okta then takes over management of those users — subsequent changes in Okta propagate to Scrydon via the standard provisioning sync.
Troubleshooting
Common error messages
| Error | Meaning | Fix |
|---|---|---|
| 401 Unauthorized | Token invalid or revoked | Regenerate the token in Scrydon and paste it into Okta |
| 400 mutability: email is immutable via SCIM | Tried to change a user's email via Okta | Deactivate and reactivate the user instead |
| 400 mutability: userName is immutable via SCIM | Tried to change userName via Okta | Same as above |
| 507 Insufficient Storage | Scale cap reached | Contact support |
| 409 uniqueness | Duplicate externalId, or two Okta identities mapping to the same Scrydon email | Okta usually handles this by converting POST to PUT automatically. If it persists, resolve the duplicate in Okta. |
| 429 Too Many Requests | Rate limit exceeded | Okta retries automatically |
Reactivating previously removed users
If you unassign a user from the Scrydon app in Okta and later re-assign them, Scrydon reactivates the same account — audit history, owned resources, and identity links are all preserved. No manual admin step on the Scrydon side.
Users without first or last name
Okta's default behavior is to block importing users who are missing
firstName or lastName. This is an Okta-side constraint, not a
Scrydon requirement — Scrydon itself accepts users with only userName
and emails. If you hit this issue, either populate the name fields in
Okta or relax Okta's import rules.
Group name collisions
If you push an Okta group whose display name matches an existing Scrydon
team, Scrydon creates a new team with a suffixed name, e.g.
Engineering (SCIM). This prevents accidental merging of unrelated
groups. If you want to link a pushed group to an existing Scrydon team,
rename one of them in the UI.
Unsupported operations
| Operation | Behavior |
|---|---|
| Changing a user's email via Okta | Rejected with 400 |
| Changing a user's userName via Okta | Rejected with 400 |
| Renaming a pushed group | Okta PATCH accepted but Scrydon Team is not renamed |
| Deleting a pushed group | SCIM link removed, Scrydon Team preserved with history |
| Nested groups beyond 3 levels | Rejected with 400 invalidValue ("nested group depth exceeds 3") |
| Nested group cycles | Rejected with 400 invalidValue ("nested group would create a cycle") |
| Service principals / machine accounts | Not synced |
| Password push | Not supported — Scrydon uses SSO |
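
The two nesting rejections in the table can be caught before a push by walking the group membership graph. The following is an added example, not Scrydon's implementation: it runs over constructed SCIM Group resources and assumes "3 levels" means at most three groups in one parent-to-child chain.

```python
MAX_DEPTH = 3  # assumption: three groups in one chain is the deepest allowed

# Constructed SCIM Group resources (RFC 7643 shape), not real Scrydon data.
SAMPLE_GROUPS = [
    {"id": "eng", "displayName": "Engineering", "members": [
        {"value": "u1", "type": "User"}, {"value": "backend", "type": "Group"}]},
    {"id": "backend", "members": [{"value": "payments", "type": "Group"}]},
    {"id": "payments", "members": [{"value": "oncall", "type": "Group"}]},
    {"id": "oncall", "members": [{"value": "u2", "type": "User"}]},
    {"id": "ops", "members": [{"value": "sre", "type": "Group"}]},
    {"id": "sre", "members": [{"value": "ops", "type": "Group"}]},
]


def nesting_graph(groups):
    """Map each group id to the ids of its members that are themselves groups."""
    return {g["id"]: [m["value"] for m in g.get("members", [])
                      if m.get("type") == "Group"]
            for g in groups}


def check_nesting(groups):
    """Return {reason: first offending chain} for cycles and over-deep nesting."""
    graph = nesting_graph(groups)
    findings = {}

    def walk(node, path):
        if node in path:  # the group is its own ancestor
            findings.setdefault("nested group would create a cycle", path + [node])
            return
        path = path + [node]
        if len(path) > MAX_DEPTH:
            findings.setdefault(f"nested group depth exceeds {MAX_DEPTH}", path)
            return  # stopping here also bounds the walk when a cycle exists
        for child in graph.get(node, []):
            walk(child, path)

    for root in graph:
        walk(root, [])
    return findings


if __name__ == "__main__":
    for reason, chain in check_nesting(SAMPLE_GROUPS).items():
        print(f"{reason}: {' > '.join(chain)}")
```

A cycle that spans more than three groups is reported as a depth violation, because the walk stops at the depth limit before it returns to the starting group.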