From f216ffd3d688920b999c35c861972fd16257d60c Mon Sep 17 00:00:00 2001 From: AvilaJulio Date: Tue, 3 Mar 2026 08:06:42 -0600 Subject: [PATCH] docs: Add SCIM provisioning documentation for Okta Convert the single Okta SSO page into a directory with separate SAML and SCIM guides, matching the Microsoft Entra ID documentation structure. --- .../product/administration/sso/okta/_meta.js | 4 + .../product/administration/sso/okta/index.mdx | 32 +++++ .../sso/{okta.mdx => okta/saml.mdx} | 2 +- .../product/administration/sso/okta/scim.mdx | 122 ++++++++++++++++++ docs/redirects.json | 5 + 5 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 docs/content/product/administration/sso/okta/_meta.js create mode 100644 docs/content/product/administration/sso/okta/index.mdx rename docs/content/product/administration/sso/{okta.mdx => okta/saml.mdx} (98%) create mode 100644 docs/content/product/administration/sso/okta/scim.mdx diff --git a/docs/content/product/administration/sso/okta/_meta.js b/docs/content/product/administration/sso/okta/_meta.js new file mode 100644 index 0000000000000..ec3126709ba6d --- /dev/null +++ b/docs/content/product/administration/sso/okta/_meta.js @@ -0,0 +1,4 @@ +export default { + "saml": "SAML", + "scim": "SCIM" +} diff --git a/docs/content/product/administration/sso/okta/index.mdx b/docs/content/product/administration/sso/okta/index.mdx new file mode 100644 index 0000000000000..bc6b76364d61a --- /dev/null +++ b/docs/content/product/administration/sso/okta/index.mdx @@ -0,0 +1,32 @@ +--- +asIndexPage: true +--- + +# Okta + +Cube Cloud supports authenticating users through [Okta][ext-okta], +which is useful when you want your users to access Cube Cloud using +single sign-on. + + + +Available on [Enterprise and above plans](https://cube.dev/pricing). + + + +## Setup guides + + + + + + +[ext-okta]: https://www.okta.com/ 
diff --git a/docs/content/product/administration/sso/okta.mdx b/docs/content/product/administration/sso/okta/saml.mdx similarity index 98% rename from docs/content/product/administration/sso/okta.mdx rename to docs/content/product/administration/sso/okta/saml.mdx index e992d4cbd7aae..e88e4121c2aed 100644 --- a/docs/content/product/administration/sso/okta.mdx +++ b/docs/content/product/administration/sso/okta/saml.mdx @@ -42,7 +42,7 @@ Okta][okta-docs-create-saml-app]. 2. Click Applications > Applications from the navigation on the left of the screen, then click Create App Integration, then - select SAML 2.0 and click Next. + select SAML 2.0 and click Next. diff --git a/docs/content/product/administration/sso/okta/scim.mdx b/docs/content/product/administration/sso/okta/scim.mdx new file mode 100644 index 0000000000000..e5b38d3cc0f92 --- /dev/null +++ b/docs/content/product/administration/sso/okta/scim.mdx 
@@ -0,0 +1,122 @@ +# SCIM provisioning with Okta + +With SCIM (System for Cross-domain Identity Management) enabled, you can +automate user provisioning in Cube Cloud and keep user groups synchronized +with Okta. + + + +Available on [Enterprise and above plans](https://cube.dev/pricing). + + + +## Prerequisites + +Before proceeding, ensure you have the following: + +- Okta SAML authentication already configured. If not, complete + the [SAML setup][ref-saml] first. +- Admin permissions in Cube Cloud. +- Admin permissions in Okta to manage application integrations. + +## Enable SCIM provisioning in Cube Cloud + +Before configuring SCIM in Okta, you need to enable SCIM +provisioning in Cube Cloud: + +1. In Cube, navigate to Admin → Settings. +2. In the SAML section, enable SCIM Provisioning. + +## Generate an API key in Cube Cloud + +To allow Okta to communicate with Cube Cloud via SCIM, you'll need to +create a dedicated API key: + +1. In Cube Cloud, navigate to Settings → API Keys. +2. Create a new API key. Give it a descriptive name such as **Okta SCIM**. +3. Copy the generated key and store it securely — you'll need it in the + next step. + +## Enable SCIM provisioning in Okta + +This section assumes you already have a Cube Cloud SAML app integration +in Okta. If you haven't created one yet, follow the +[SAML setup guide][ref-saml] first. + +1. In the Okta Admin Console, go to Applications → Applications + and open your Cube Cloud application. +2. On the General tab, click Edit in the + App Settings section. +3. Set the Provisioning field to **SCIM** and click + Save. + +## Configure SCIM connection in Okta + +1. Navigate to the Provisioning tab of your Cube Cloud application. +2. In the Settings → Integration section, click Edit. +3. Fill in the following fields: + - **SCIM connector base URL** — Your Cube Cloud deployment URL with + `/api/scim/v2` appended. 
For example: + `https://your-deployment.cubecloud.dev/api/scim/v2` + - **Unique identifier field for users** — `userName` + - **Supported provisioning actions** — Select **Push New Users**, + **Push Profile Updates**, and **Push Groups**. + - **Authentication Mode** — Select **HTTP Header**. +4. In the HTTP Header section, paste the API key you generated + earlier into the Authorization field. +5. Click Test Connector Configuration to verify that Okta can + reach Cube Cloud. Proceed once the test is successful. +6. Click Save. + +## Configure provisioning actions + +After saving the SCIM connection, configure which provisioning actions +are enabled for your application: + +1. On the Provisioning tab, go to Settings → To App. +2. Click Edit and enable the actions you want: + - **Create Users** — Automatically create users in Cube Cloud when + they are assigned in Okta. + - **Update User Attributes** — Synchronize profile changes from Okta + to Cube Cloud. + - **Deactivate Users** — Deactivate users in Cube Cloud when they are + unassigned or deactivated in Okta. +3. Click Save. + +## Assign users and groups + +For users and groups to be provisioned in Cube Cloud, you need to assign +them to your Cube Cloud application in Okta. This is also required for +group memberships to be correctly synchronized — pushing a group alone +does not assign its members to the application. + +1. In your Cube Cloud application, navigate to the Assignments tab. +2. Click Assign and choose Assign to Groups (or + Assign to People for individual users). +3. Select the groups or users you want to provision and click Assign, + then click Done. + + + +If users were assigned to the application before SCIM provisioning was enabled, +Okta will show the following message in the Assignments tab: +*"User was assigned this application before Provisioning was enabled and not +provisioned in the downstream application. 
Click Provision User."* + +To resolve this, click Provision User next to each affected user. +This will trigger SCIM provisioning for them without needing to remove and +re-add their assignment. + + + +## Push groups to Cube Cloud + +To synchronize groups from Okta to Cube Cloud, you need to select which +groups to push: + +1. In your Cube Cloud application, navigate to the Push Groups tab. +2. Click Push Groups and choose how to find your groups — you can + search by name or rule. +3. Select the groups you want to push to Cube Cloud and click Save. + +[ref-saml]: /product/administration/sso/okta/saml diff --git a/docs/redirects.json b/docs/redirects.json index 160313e99739d..3815f77e6f8d8 100644 --- a/docs/redirects.json +++ b/docs/redirects.json @@ -1,4 +1,9 @@ [ + { + "source": "/product/administration/sso/okta", + "destination": "/product/administration/sso/okta/saml", + "permanent": true + }, { "source": "/product/administration/workspace/saved-reports", "destination": "/product/administration/workspace",
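Review bot: In scim.mdx, step 4 of "Configure SCIM connection in Okta" says to paste the API key into the Authorization field but never gives the literal header value, so a reader cannot tell whether the raw key is expected or whether a scheme prefix must precede it; please state the exact format. The "Generate an API key in Cube Cloud" section also does not say what the key is permitted to do or how to rotate or revoke it, which matters for a long-lived credential stored in Okta. In "Configure provisioning actions", Deactivate Users is offered as one of "the actions you want"; it is the only listed action that removes access when a user is unassigned or deactivated in Okta, so consider recommending it explicitly. Minor: the first procedure says "In Cube, navigate to Admin → Settings" while the next says "In Cube Cloud, navigate to Settings → API Keys"; use one product name and a consistent navigation path.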
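Review bot: The new entry in docs/redirects.json permanently redirects "/product/administration/sso/okta" to "/product/administration/sso/okta/saml", but this same patch adds okta/index.mdx with "asIndexPage: true", which presumably serves at that source path. If the redirect takes precedence, the new index page and its "Setup guides" section are never reachable at their own URL; either drop the redirect and let the index page answer the old URL, or drop index.mdx. If the redirect stays, confirm that "permanent": true is intended, since clients cache permanent redirects and a later change of destination will not reach them.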