Search

Okta SCIM ClickUp configuration guide

Workspaces that rely on Okta for provisioning can use custom roles to fully integrate with Okta. Any role created in ClickUp can be added as an option within Okta, making it easy to integrate custom roles into existing workflows.

What you'll need

  • Before you can set up provisioning, you need to have Okta SSO enabled for your Workspace.
  • Only Okta admins can configure Okta SCIM.

Configure Okta SCIM and provision admins, members, and guests

The ClickUp app in Okta is preset for provisioning admins, members, and guests. To provision limited members, scroll to the next section. 

To configure Okta SCIM:

  1. After Okta SSO is enabled, you'll see a SCIM Base URL and SCIM API Token.

    If your Identity Provider (IdP) supports SCIM but you're not using Okta, you will still need the Audience URI (SP Entity ID) and Single sign on URL (ACS URL) presented after successfully integrating SSO. If SCIM isn't supported for your IdP's official ClickUp SSO integration, Custom SAML must be used instead.

    Screenshot of the Okta SCIM configuration screen in ClickUp.

  2. In your Okta Dashboard's left sidebar, click Applications, then select Applications.
  3. Select the ClickUp application and click the Provisioning tab.
  4. Check the Enable provisioning features checkbox.
  5. Click Configure API Integration.
  6. Check the Enable API integration box.
  7. Copy and paste your SCIM Base URL and SCIM API Token from step 1.
    Screenshot of someone pasting their Base URL and API token.
  8. Click Test API Credentials. If successful, a verification message appears.
  9. Click Save.
  10. In the left panel, select To App.
  11. Choose the Provisioning Features you want to enable.
  12. Assign people to the app and finish the application setup.
  13. When assigning users or groups, assign the ClickUp Role attribute. If this attribute is unset, everyone will default to the member role.

Provision limited members

To provision the limited member user role, an Okta admin needs to make a few updates. 

To provision the limited member user role:

  1. In your Okta Dashboard, navigate to the Directory and choose Profile Editor.
    Screenshot of the Directory, with Profile Editor selected.
  2. Click the Profile for ClickUp. 
  3. You're directed to the Attributes page. 
  4. In the ClickUp Role row to the far-right, click the pencil icon. 
    Screenshot of the Attributes page with the ClickUp Role row and the pencil icon highlighted.
  5. On the Attribute members page in the Display name section, click Add Another.
  6. In the Display name text box, type Limited Member.
  7. To the right of the Display name in the Value column, type 100.
    Screenshot of Limited Member typed into the Display name text box with a value of 100.
  8. In the lower-right corner, click Save Attribute.
  9. The limited member user role is now an option when provisioning users in ClickUp. 

Actions you can take using Okta SCIM

You can take the following actions using Okta SCIM:

Action Description
Push New Users

New users created through Okta are also created in the third-party application.
Push New Group
 

New groups created through Okta are also created as Teams within ClickUp. When a team is created via Okta, SCIM Provisioned displays in the source column on the Teams page. Teams created manually have Manual displayed in the Source column.

Ensure you enable import groups under the Provisioning tab to use SCIM with groups. 
Push Profile Updates Updates to the user's profile through Okta are also made in the third-party application.
Push User Deactivation

Deactivating or disabling the user's access to the application through Okta also deactivates the user in the third-party application. When users are deactivated in Okta, they are removed from the associated ClickUp Workspace. Users will not be able to access anything in that Workspace, but their data will remain available as an "inactive user." We do not return any user data for deactivated users in SCIM responses, other than their deactivated status.

For this application, deactivating a user means removing access to log in, but maintaining the user's Chorus information as an inactive user.
Reactivate Users User accounts can be reactivated in the application.

Change or update an email address

When new users are created with the Push New Users action, Okta creates a username and email, but no password. If a user gets locked out due to SSO becoming unlinked, an owner or admin must take the following steps:

  1. If you require the use of SSO for this user, make SSO authentication temporarily optional. 
  2. Change the email in Okta, then change the email in ClickUp. 
  3. If you've made SSO authentication optional, require it again.

  4. Ensure the user can log in to ClickUp via SSO.

    Email may be used as the nameID value in Okta. If you change the nameID value, you'll need to relink your SSO account after the email has been changed in Okta and ClickUp.