Okta SCIM ClickUp Configuration Guide

  • Updated

For teams that rely on Okta for provisioning, Custom Roles fully integrate with Okta! Any role created in ClickUp can be added as an option within Okta, making it easy to integrate Custom Roles into existing workflows.

Okta support is exclusive to the Enterprise Plan. Learn more about our Plans here. For help with sales, please contact help@clickup.com.

How to configure your integration

Note: Before you're able to set up provisioning, you must have Okta SSO enabled for your Workspace. Please refer to this guide for instructions on how to set up Okta SSO.

1. Once SSO is enabled, you'll be presented with a SCIM Base URL and SCIM API Token

Screenshot of the Okta SCIM authentication page.

2. In the Okta Dashboard, navigate to the ClickUp application and click the Provisioning tab

3. Check the Enable provisioning features box

4. Click Configure API Integration

5. Check the Enable API integration box

6. Enter the SCIM Base URL and SCIM API Token you received in step 1

Screenshot of the Okta integration page where you enter the SCIM Base URL and SCIM API Token.

7. Click Test API Credentials; if successful, a verification message will appear

8. Click Save

9. Select To App in the left panel, then select the Provisioning Features you want to enable.

10. Assign people to the app (if needed) and finish the application setup.

11. When assigning users or groups, assign the ClickUp Role attribute (guest, member, or admin) Note: If this attribute is unset, it will default to a member user

What you can do

  1. Push New Users
    - New users created through Okta will also be created in the third party application

  2. Push Profile Updates
    - Updates made to the user's profile through Okta will be pushed to the third party application

  3. Push User Deactivation
    - Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in the third party application.
    Note: For this application, deactivating a user means removing access to login, but maintaining the user's Chorus information as an inactive user

  4. Reactivate Users
    - User accounts can be reactivated in the application.

Troubleshooting & Tips

1. Once a user is created in ClickUp, it will not receive updates when the givenName, lastName, or email is changed in Okta. Only updates made to the ClickUp Role are sent from Okta to ClickUp. If a change must be made to the email or username, it must be done by the user under the ClickUp Settings page.

2. When users are deactivated in Okta, they will be removed from the associated ClickUp Workspace. Users will not be able to access anything in that Workspace, but their data will remain available as an ‘inactive user’.

3. To set a custom role for you users, you can map to either the customRoleName attribute, or the customRoleId attribute. If you do not have someone that can access the ClickUp Public API, create an attribute in the Okta profile that is an enumerated list of names that match the custom roles that you created in your ClickUp Workspace and make sure this maps to customRoleName during user provisioning. Please note that if the role name is changed in ClickUp, this mapping will break. If you can access the ClickUp Public API, use the customRoleId attribute to ensure that the custom role mapping will not break on name change. To find out the ID’s that correspond to the Custom Roles that you created, use this endpoint to find the list of roles available on your workspace.

Was this article helpful?