Skip to main content

Automatic User Provisioning with Okta

OpsHelm supports automatic provisioning and management of users with SCIM. If you have configured Okta as your identity provider, and you would like to manage users with SCIM, follow the steps below to enable this integration for your account.

Supported Features

Currently, OpsHelm's SCIM integration supports the following provisioning features:

  • User Creation through Okta
  • Updating user attributes through Okta
  • Deactivating users through Okta
  • Import users from OpsHelm to Okta

OpsHelm does not currently support Group Push from Okta. Support for mapping Okta groups to OpsHelm roles will be added in the future. For now, users will be provisioned with non-owner access. A user's OpsHelm role can be updated by an owner the dashboard.


  • To enable automatic provisioning with SCIM, you must first configure Okta as your identity provider.
  • You must specify Email as the Application username format, and a user's Primary email address must match their application username.


  1. Contact to obtain a SCIM API Key. In the future, it will be possible to obtain this from the dashboard.
  2. Sign in to the Okta admin portal
  3. Go to Applications, and select your OpsHelm integration.
  4. Go to Provisioning > Integration and click Configure API Integration.
  5. Click Enable API Integration, then paste in your API key.
  6. Uncheck the Import Groups checkbox, if displayed.
  7. Click Test API Credentials and, if successful, click Save.

Enable Provisioning

  1. In the application settings, go to the Sign On tab. Under Credential Details and select Email for the Application username format
    Okta Application Username Format Screenshot
  2. Next, go to the Provisioning tab. Under Settings > To App, enable Create Users, Update User Attributes, and Deactivate Users, then click Save.
    Okta Provisioning Settings Screenshot


As mentioned above, OpsHelm does not curretnly support syncing groups or permissions with SCIM. As a result, it's possible for all owners of an account to be removed. This can be avoided by elevating another user to Owner before removing the last remaining owner. If you have unintentionally removed all owners from your account, please contact