Okta Integration

Prerequisites

Requirement	Details
Okta tenant	Super Admin role
Okta plan	Okta Workforce Identity (SCIM requires at least Okta One App or Lifecycle Management)
StackFlow role	`super_admin`

Step 1: Create an Okta API Token

Log into Okta Admin Console and go to Security → API → Tokens → Create Token
Name it StackFlow Integration
Copy the token value — it is shown only once
Note your Okta domain (e.g., your-org.okta.com)

Step 2: Configure SCIM Provisioning

In Okta, go to Applications → Browse App Catalog, search for StackFlow and add the app
If StackFlow is not in the catalog, create a custom SCIM app:

SCIM Connector Base URL: https://your-instance.stackflow-tech.com/prod/api/scim/v2
Unique identifier field: userName (email)
Supported provisioning actions: Push New Users, Push Profile Updates, Push Groups, Deactivate Users
Authentication Mode: HTTP Header (Authorization: Bearer <stackflow-scim-token>)

In Provisioning → To App, enable: Create Users, Update User Attributes, Deactivate Users

SCIM Token: Generate the StackFlow SCIM bearer token in Admin → Integration Hub → Okta → SCIM Token. This is a separate long-lived token used only for SCIM provisioning, stored in Secrets Manager.

Step 3: Set Up Group Sync

In Okta, go to the StackFlow app → Push Groups
Add the Okta groups that correspond to StackFlow roles:

Okta Group	StackFlow Role
`StackFlow-Admins`	`super_admin`
`StackFlow-ITSM-Managers`	`itsm_manager`
`StackFlow-Agents`	`itsm_agent`
`StackFlow-Viewers`	`viewer`

Step 4: SSO Bridge Configuration

StackFlow's SSO bridge allows Okta-authenticated users to receive a Cognito JWT without re-entering credentials. The bridge exchanges the Okta OIDC token for a Cognito token:

In Okta, create an OIDC app with grant type authorization_code
Set the redirect URI to: https://your-instance.stackflow-tech.com/auth/okta/callback
Note the Client ID, Client Secret, and Okta domain
StackFlow exchanges the Okta token for a Cognito token via the OBO bridge endpoint

Step 5: Connect in StackFlow

Navigate to Admin → Integration Hub → Okta → Configure
Enter Okta domain, API token, OIDC client ID and secret
Configure group-to-role mapping
Enable SCIM provisioning toggle
Click Save & Test

Field Reference

Field	Required	Description
Okta Domain	Yes	e.g., `your-org.okta.com`
API Token	Yes	Okta API token for user/group management
OIDC Client ID	SSO only	OIDC app client ID for SSO bridge
OIDC Client Secret	SSO only	OIDC app client secret
SCIM Enabled	No	Enable SCIM 2.0 provisioning (default: false)
Group Sync	No	Sync Okta groups to StackFlow roles (default: true when SCIM enabled)
Deactivate on Offboard	No	Deactivate StackFlow user when Okta user is deprovisioned (default: true)

Testing the Integration

In Okta, assign a test user to the StackFlow app and verify the user is created in StackFlow via SCIM
Update the user's group in Okta and verify the StackFlow role changes
Log into StackFlow using Okta SSO and verify the role claims are correct
Unassign the user from the Okta app and verify the StackFlow account is deactivated

Troubleshooting

Issue	Cause	Fix
SCIM user not created	SCIM token invalid	Regenerate SCIM token in Admin → Integration Hub → Okta
Role not assigned correctly	Group mapping missing	Add Okta group to Push Groups and configure role mapping
SSO redirect fails	Redirect URI mismatch	Ensure Okta OIDC app redirect URI exactly matches StackFlow callback URL
Users not deactivated on offboard	Deactivation not enabled	Enable `Deactivate Users` under Okta App → Provisioning → To App

← Previous

ServiceNow

Bi-directional ITSM sync

AWS Cloud

CloudWatch, CMDB sync