Okta SSO and SCIM

Configure Okta OIDC SSO and SCIM provisioning for observity.ai.

Use this guide when Okta is your identity provider for observity.ai authentication and provisioning.

OIDC Application

In Okta, create an OIDC - Web Application integration.
Add the observity.ai Redirect URI from Settings > Single Sign-On (SSO) as a sign-in redirect URI before copying the Okta client credentials.
Assign the users or groups that should access observity.ai.
Copy the Okta issuer URL, client ID, and client secret into observity.ai.
Save the observity.ai SSO configuration.

Use these OIDC scopes:

openid email profile

In Okta, enable provisioning for the observity.ai application and configure:

Okta Field	observity.ai Value
SCIM connector base URL	observity.ai SCIM Base URL
Unique identifier field for users	`userName`
Supported provisioning actions	Create users, update user attributes, deactivate users, push groups
Authentication mode	HTTP Header
Authorization header	`Bearer {observity.ai SCIM token}`

Map these Okta user fields to SCIM attributes:

Okta Profile	SCIM Attribute
`user.email`	`userName`
`user.email`	`emails[primary eq true].value`
`user.firstName`	`name.givenName`
`user.lastName`	`name.familyName`
`user.displayName`	`displayName`
Okta user ID or stable employee ID	`externalId`

Use a stable, non-recycled identifier for externalId. Email is acceptable only if your organization does not recycle email addresses.

Use Okta group push for observity.ai roles:

Recommended group pattern:

After users and groups have synced, enable Require SCIM provisioning for SSO access in observity.ai.