This documentation explains, step by step, how to configure Okta to enable SCIM provisioning in Shortcut.
- Push New Users - Users created in Okta that are assigned the Shortcut application will be created in your Shortcut Workspace
- Push Profile Updates - Updates made to the user's profile through Okta will be pushed to Shortcut
- Push User Deactivation - Deactivating the user, or disabling the user's access to Shortcut via Okta, will disable the user in Shortcut
In order to enable SCIM provisioning with Shortcut, you will need to meet the following requirements:
- SCIM provisioning is only available to Shortcut customers on Enterprise plans (Included) and Business plans (Add-On). To learn more about Shortcut's plans and their respective entitlements, please see our Shortcut Pricing and Plans comparison table.
- You must have access to a Shortcut account with Owner or Admin privileges.
- You must have added both the Shortcut and Shortcut SCIM apps to Okta and have SSO or SAML enabled on your Shortcut organization. For more information on configuring SAML 2.0 for Shortcut, please visit our Okta documentation.
- You must set your workspace to invitation only. This setting can be found under Settings > Invite New User > Settings.
- You must have requested that SCIM be enabled on your account by contacting email@example.com, and have received your Shortcut Workspace ID and API Token.
Step-by-Step Configuration Instructions
Shortcut SCIM Configuration (SCIM)
- From your Okta Admin console click Applications
- Select Browse App Catalog and search for Shortcut SCIM
- Click on Shortcut SCIM and then Add Integration
- On the General Settings tab of the Add Shortcut SCIM window, be sure to check the boxes next to both of the following options:
  - Do not display application icon to users
  - Do not display application icon in the Okta Mobile App
Note: The Shortcut SCIM application is specific to a Workspace in your Shortcut Organization. It is only meant to provision and deprovision users. To log in to your Shortcut Organization, use the Shortcut SAML application instead. To learn more about Shortcut Organizations and Workspaces, please see our documentation on managing organizations and managing workspaces.
- Once you have added Shortcut SCIM to your Okta tenant, navigate to your Provisioning settings for Shortcut SCIM and click the Configure API Integration button.
- Check the Enable API Integration box.
- In the Organization ID text field, enter the Organization ID you received from support.
- In the API Token text field, enter the SCIM token you received from support.
- With both Organization ID and API Token filled out, click Test API Credentials. If the credentials are successfully verified, click Save.
- In the Provisioning settings for Shortcut SCIM, navigate to the To App section and click Edit. Select the provisioning features you want to enable and click Save.
Note: The role attribute is required and will ensure that a given user is assigned the appropriate Shortcut Role (Admin, Member, Observer) for your Shortcut Workspace. This attribute can be assigned to individual Okta users, or Okta groups based on app assignment preferences for the Shortcut SCIM application. For more information on Shortcut User Roles, please see our documentation.
Shortcut Configuration (SAML)
To ensure continued SAML functionality after configuring SCIM, configure your Sign On settings tab for the Shortcut Okta SAML Application as follows:
- Set the Application username format dropdown menu equal to Email and click Save.
Supported SCIM Attributes
Shortcut currently supports the following attribute mappings:
|SCIM Attribute Name
|(Required) User's email address
|(Required) User's email address
|(Required) User's name in Shortcut
|(Required) User's Shortcut Role, currently supports options for Admin, Member, and Observer
The Owner role is not currently supported
Note: For all above attributes, the schema namespace used is urn:ietf:params:scim:schemas:core:2.0:User
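A pre-flight check for the attribute rules above, as an added example that is not Shortcut's or Okta's code: it validates SCIM user records against the required attributes, the supported roles and the schema namespace, and lists who would be provisioned as Admin so those assignments can be reviewed. The attribute names userName, displayName and role, the role spellings on the wire, and the sample records are assumptions, since the table above does not name the attributes.

```python
import re

# Schema namespace and role options are taken from the page.
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SUPPORTED_ROLES = {"Admin", "Member", "Observer"}  # Owner is not supported
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_scim_user(user):
    """Return a list of problems with one SCIM user record (empty if OK)."""
    # Assumed attribute names: userName = email address (the default mapping),
    # displayName = the user's name, role = the Shortcut role.
    problems = []
    if CORE_USER_SCHEMA not in user.get("schemas", []):
        problems.append("schemas: core User schema missing")
    if not EMAIL_RE.match(str(user.get("userName") or "")):
        problems.append("userName: must be the user's email address")
    if not str(user.get("displayName") or "").strip():
        problems.append("displayName: required")
    role = user.get("role")
    if role is None:
        problems.append("role: required")
    elif not isinstance(role, str) or role not in SUPPORTED_ROLES:
        problems.append(f"role: {role!r} is not supported")
    return problems


def review(users):
    """Return (rejected, admins): problems per userName, and valid Admin users."""
    rejected, admins = {}, []
    for u in users:
        key = str(u.get("userName", "<no userName>"))
        problems = validate_scim_user(u)
        if problems:
            rejected[key] = problems
        elif u["role"] == "Admin":
            admins.append(key)  # privileged role: confirm before assigning
    return rejected, admins


# Constructed sample records (not real users).
SAMPLE_USERS = [
    {"schemas": [CORE_USER_SCHEMA], "userName": "ana@example.com", "displayName": "Ana", "role": "Admin"},
    {"schemas": [CORE_USER_SCHEMA], "userName": "ben@example.com", "displayName": "Ben", "role": "Member"},
    {"schemas": [CORE_USER_SCHEMA], "userName": "owner@example.com", "displayName": "Olu", "role": "Owner"},
    {"schemas": [CORE_USER_SCHEMA], "userName": "carol", "displayName": " "},
]

if __name__ == "__main__":
    print(review(SAMPLE_USERS))
```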
Ability to define a custom userName field for the Shortcut SCIM app
- The userName field by default is locked to the Okta user's email address. This field is typically configurable via the Sign On tab for Okta apps that use SAML; however, Shortcut has separate apps for SCIM (provisioning users into Shortcut) and for SAML (the app that should be displayed to end users in Okta) and thus the Sign On tab will not be visible.
- Okta has the ability to unlock the userName field on a per-tenant basis. Please file a support ticket via https://support.okta.com/help/s/?language=en_US asking support to disable the Feature Flag CONSOLIDATE_USERNAME_EL.
- When the Feature Flag is disabled, you will be able to enter another attribute or expression to map for the userName variable.