AdministrationUser access

Set up SCIM provisioning on Astro

This is feature is only available if you are on the Enterprise tier or above. See Astro Plans and Pricing.

Astro supports integration with the open standard System for Cross-Domain Identity Management (SCIM). Using the SCIM protocol with Astro allows you to automatically provision and deprovision users and Teams based on templates for access and permissions. It also provides better observability through your identity provider for when users and Teams are created or modified across your organization. Specifically, you can utilize SCIM provisioning to complete the following Astro actions from your identity provider platform:

  • Create and remove users in your Organization.
  • Update user profile information.
  • Create and remove Astro Teams.
  • Add and remove Team members.
  • Retrieve user and Team information.

Some user management features on Astro behave differently after you set up SCIM provisioning. See Manage Teams for more information. Astro does not support group nesting for SCIM provisioning. Access levels assigned to parent groups do not automatically propagate to child groups, so each group must be individually assigned the required access levels.

Supported SSO identity providers

Astro supports SCIM provisioning with the following IdPs:

Supported Okta features

Okta’s Astro integration supports the following SCIM actions:

  • Create users
  • Update user attributes
  • Deactivate users
  • Group push

Prerequisites

Setup

  1. Create an Organization API token with Organization Owner permissions. See Organization API tokens. Copy the token to use later in this setup.

  2. In the Astro UI, click Organization Settings.

  3. On the General page, copy your Organization ID to use later in this setup.

  4. Go to Settings > Authentication. In the Advanced Settings menu, click Edit Settings, then click the SCIM integration toggle to on.

  5. In the Okta admin dashboard, open your Astro app integration and click Provisioning.

  6. Click Configure API integration, check Enable API integration, then configure the following values:

    • Organization ID: Enter your Organization ID.
    • API token: Enter your Organization API token.

  7. Test your API credentials, then click Save.

  8. In the Provisioning menu, click To App and configure the following:

    • Provisioning to App: Select only Create Users, Update User Attributes, and Deactivate Users.

    See Okta documentation for more information on configuring these values.

  9. Create user groups and push them to Astro. User groups pushed to Astro appear as Teams in the Astro UI. See Okta documentation for setup steps.

Frequently asked questions

What if an Okta group is out of sync with an Astro Team?

  1. In the Okta dashboard, open the Astro application and click Push Groups.
  2. Click the value in Push Status for the group that’s out of sync, then click Push now.

What if an Okta user is out of sync with their Astro user account?

If you removed an Okta user but their Astro account remains, delete the account from Astro.

If an Astro user is not appearing for an Okta user as expected, remove and re-assign the user in Okta.