* Add push groups step and remove steps to migrate to the app
* Add a link to Okta docs
Co-authored-by: Sarah Sanders <[email protected]>
---------
Co-authored-by: Sarah Sanders <[email protected]>
contents/docs/settings/sso.mdx (15 additions & 16 deletions)
@@ -380,34 +380,33 @@ Before setting up SCIM, you need:
380
380
381
381
### Example: Okta
382
382
383
-
If your existing SAML app supports SCIM 2.0 provisioning, you can use it. Otherwise, follow these steps to create a new app that supports both SAML and SCIM:
383
+
If you already have a custom SAML app configured for PostHog, you can enable SCIM provisioning directly on it. If not, first set up SAML following the [Okta SAML example](#example-okta), then continue with these steps:
384
384
385
-
1. In Okta admin, go to Applications and click **Create App Integration**.
386
-
387
-
2. Search for `SCIM 2.0 Test App (Auth Bearer Token)` and select it.
388
-
389
-
3. Leave **SAML sign-on** method enabled. Configure SAML following the steps in the [Okta SAML example](#example-okta).
385
+
1. In Okta admin, go to **Applications** and open your PostHog app.
390
386
391
-
4. In PostHog, open your existing SAML configuration for the domain and update it with the new values from Okta (SAML ACS URL, SAML Entity ID, and SAML X.509 certificate).
387
+
2. Navigate to the **Provisioning** tab and click **Configure API Integration**.
392
388
393
-
5. Navigate to the **Provisioning** tab in Okta and click **Configure API Integration**.
394
-
395
-
6. Check **Enable API integration** and enter:
389
+
3. Check **Enable API integration** and enter:
396
390
-**SCIM Base URL** from PostHog
397
391
-**API Token** (the SCIM Token from PostHog)
398
392
399
-
7. Click **Test API Credentials** to verify the connection.
393
+
4. Click **Test API Credentials** to verify the connection.
400
394
401
-
8. In the **Provisioning to App** settings, enable:
395
+
5. In the **Provisioning to App** settings, enable:
402
396
- Create Users
403
397
- Update User Attributes
404
398
- Deactivate Users
405
399
406
-
9. Go to the **Assignments** tab and configure role mapping.
407
-
408
-
10. Assign users to the PostHog application. Their email, name, and groups will be automatically updated in PostHog.
400
+
6. Go to the **Assignments** tab and assign the application to users and groups.
401
+
- Click **Assign to People** and select the users you want to provision into PostHog.
402
+
- Click **Assign to Groups**and select the Okta groups to provision.
409
403
410
-
11. Once everything is working, you can remove or deactivate your old SAML-only application.
404
+
7. Go to the **Push Groups** tab.
405
+
- To push specific groups, select **Find groups by name**, then choose **Create Group** (creates a new role in PostHog) or **Link Group** (links it to an existing PostHog role). When you link the group to an existing role in PostHog, the role name will be updated to match Okta.
406
+
- If you have lots of groups, you can choose **Find groups by rule**. This way, all groups matching the rule are pushed to PostHog.
407
+
- Verify the pushed groups show as **Active**.
408
+
409
+
For detailed Okta instructions, see [Okta's SCIM provisioning documentation](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm).
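Review bot: In the added "Click **Assign to Groups**and select the Okta groups" bullet under step 6, the space after the closing bold marker is missing, so the text runs together as "Assign to Groupsand"; it should read `**Assign to Groups** and select`. The new intro paragraph links to `[Okta SAML example](#example-okta)`, but the heading of this SCIM section is also `### Example: Okta`, so please confirm the anchor resolves to the SAML section and not to this heading, and give one of the two an explicit id if the slugs collide. In step 7, the **Link Group** bullet says the existing PostHog role is renamed to match Okta; now that the old "configure role mapping" step is gone, it would help to say whether anything besides the name changes on the linked role. The **Find groups by rule** bullet pushes every group the rule matches, so a short note recommending that the rule be reviewed before saving would fit there.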