Set up SCIM provisioning on Astro

This feature is only available if you are on the Enterprise tier or above. See Astro Plans and Pricing.

Astro supports integration with the open standard System for Cross-Domain Identity Management (SCIM). Using the SCIM protocol with Astro allows you to automatically provision and deprovision users and Teams based on templates for access and permissions. It also provides better observability through your identity provider for when users and Teams are created or modified across your organization. Specifically, you can utilize SCIM provisioning to complete the following Astro actions from your identity provider platform:

  • Create and remove users in your Organization.
  • Update user profile information.
  • Create and remove Astro Teams.
  • Add and remove Team members.
  • Retrieve user and Team information.

Some user management features on Astro behave differently after you set up SCIM provisioning. See Manage Teams for more information.

Astro does not support group nesting for SCIM provisioning. Access levels assigned to parent groups do not automatically propagate to child groups, so each group must be individually assigned the required access levels.

Supported SSO identity providers

Astro supports SCIM provisioning with the following IdPs:

Supported Okta features

Okta’s Astro integration supports the following SCIM actions:

  • Create users
  • Update user attributes
  • Deactivate users
  • Group push

Prerequisites

Setup

Frequently asked questions

What if an Okta group is out of sync with an Astro Team?

  1. In the Okta dashboard, open the Astro application and click Push Groups.
  2. Click the value in Push Status for the group that’s out of sync, then click Push now.

What if an Okta user is out of sync with their Astro user account?

If you removed an Okta user but their Astro account remains, delete the account from Astro.

If an Astro user is not appearing for an Okta user as expected, remove and re-assign the user in Okta.