***

title: Set up Okta provisioning
description: >-
Learn how to configure SCIM provisioning for Unleash using Okta to
automatically manage user accounts and access.
keywords:

* SCIM
* Okta
* provisioning
* SSO
* user management
  'og:site\_name': Unleash Documentation
  'og:title': Set up Okta provisioning | Unleash
  max-toc-depth: 2
  slug: provisioning/how-to-setup-provisioning-with-okta

***

<Button small outlined href="/support/availability">
  v6.1
</Button>

<Button small href="https://www.getunleash.io/plans">
  Enterprise
</Button>

## Unleash Configuration

<Info>
  Before you begin, ensure that you have a strategy in place to prevent [being locked out of all admin accounts](/support/troubleshooting#got-locked-out-of-an-admin-account-after-configuring-scim).
</Info>

### Step 1: Navigate to Provisioning configuration

First you'll need to log in to Unleash as an admin user. Navigate to the Single Sign-On section and select the "SCIM" tab. The SCIM API URL will be shown in this section, you'll need this to configure Okta later.

<Frame background="subtle">
  ![Navigate to the SCIM Config](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/350dbf92c4e4a1649a6202d22fd34f57d7978a8caa55268cdaf134b1074fad66/assets/scim-config-1.png)
</Frame>

### Step 2: Enable Provisioning

Enable SCIM by turning on the toggle and keep the token Unleash provides you for the Okta setup below.

<Frame background="subtle">
  ![Enable the SCIM toggle](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/822b2545b78eba3ebb85ae994508b427e0523a8f1f0576e8770d2aa2f45c912b/assets/scim-config-2.png)
</Frame>

## Okta Configuration

### Step 1: Create an Application in Okta

<Info>
  If you already have SAML SSO configured for Unleash in Okta you can skip to the [next step](how-to-setup-provisioning-with-okta#step-2-enable-provisioning-in-your-okta-application). If you're planning on using [SAML for Unleash](/single-sign-on/how-to-add-sso-saml), do that first and skip to the next step. Note that if you're using OIDC SSO in Okta you still need to do this step.

  This step will create an empty Sign-On Application that will only be used for SCIM.
</Info>

**1) Navigate to "Admin -> Applications" and click the "Create App Integration" button.**

<Frame background="subtle">
  ![Navigate to Create Application](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/9d29b3c3c2178648656f79d3e93191d3d169736a12a8a965c50e4bb1788aa99c/assets/scim-okta-config-1.png)
</Frame>

**2) Select SWA - Secure Web Authentication**

<Frame background="subtle">
  ![Select Secure Web Application](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/d5fa2fe15f6741e2bea468ca98eef8bd0f70834d9c7dd771c8da6b05202ee5bc/assets/scim-okta-config-2.png)
</Frame>

**3) Fill in your App Name and App's login page URL**

<Frame background="subtle">
  ![Setup Application Properties](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/f5692c2b84465ec1f697551666c9e3b5c55a2589f3bf6096abfa0b7792d8a01b/assets/scim-okta-config-3.png)
</Frame>

### Step 2: Enable Provisioning in your Okta Application

<Info>
  If you already have a SAML application setup for Unleash you'll be modifying that application in this step.
</Info>

**Enable SCIM provisioning and save.**

<Frame background="subtle">
  ![Enable SCIM](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/c9d9d0d7e4a845a323b364046b47962aaa12eeca4347c1c0d1f732619c3d81f3/assets/scim-okta-config-5.png)
</Frame>

### Step 3: Connect Unleash

**1) Navigate to the Provisioning tab**

**2) Set the Unleash SCIM URL**

This is provided by the Unleash UI in the [configuring Unleash](how-to-setup-provisioning-with-okta#step-1-navigate-to-provisioning-configuration) section.

**2) Set email as the unique identifier**

**3) Configure actions**

Turn on "Push New Users", "Push Groups" and "Push Profile Updates".

**4) Set authentication mode to "HTTP Header"**

**5) Add your SCIM token**

This was provided by the Unleash UI in the [configuring Unleash](how-to-setup-provisioning-with-okta#step-2-enable-provisioning) section.

<Frame background="subtle">
  ![Connect Unleash](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/c9d9d0d7e4a845a323b364046b47962aaa12eeca4347c1c0d1f732619c3d81f3/assets/scim-okta-config-5.png)
</Frame>

### Step 4: Configure Okta Provisioning

Navigate to the "To App" tab. Turn on "Create Users", "Update User Attributes" and "Deactivate Users". Save your configuration.

<Frame background="subtle">
  ![Configure Okta Provisioning](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/b79d37490d62296f63a0e4f3f1b5f47239cfe0138498569a801bb0aedbea42e3/assets/scim-okta-config-6.png)
</Frame>

### Step 5: Configure Provisioning Properties

**1) Set email**

Set the email field to map to your login property. This is important and ensures that your SSO integration continues to work.

**2) Remove unneeded properties**

You should remove all unnecessary properties. This ensures that Okta will reach a steady state when synchronizing. The properties that you must retain are:

* Username
* Given name
* Family name
* Email
* Primary email type
* Display name

<Frame background="subtle">
  ![Configure Provisioning Attributes](https://files.buildwithfern.com/unleash.docs.buildwithfern.com/f8d70ac43f1dbed8ddde0e7f1d390bac85bc1fcab1130843dfeed235a1462abc/assets/scim-okta-config-7.png)
</Frame>