Okta SCIM ClickUp configuration guide

Workspaces that rely on Okta for provisioning can use custom roles to fully integrate with Okta. Any role created in ClickUp can be added as an option within Okta, making it easy to integrate custom roles into existing workflows.

What you'll need

  • Before you can set up provisioning, you need to have Okta SSO enabled for your Workspace.
  • Only Okta admins can configure Okta SCIM.

Configure Okta SCIM and set up provision admins, members, and guests

The ClickUp app in Okta is preset for provisioning admins, members, and guests. To provision limited members, scroll to the next section. 

To configure Okta SCIM:

  1. After Okta SSO is enabled, you'll see a SCIM Base URL and SCIM API Token.

    If your Identity Provider (IdP) supports SCIM but you're not using Okta, you will still need the Audience URI (SP Entity ID) and Single sign on URL (ACS URL) presented after successfully integrating SSO. If SCIM isn't supported for your IdP's official ClickUp SSO integration, Custom SAML must be used instead.

    Screenshot of the Okta SCIM configuration screen in ClickUp.
  2. In your Okta Dashboard's left sidebar, click Applications then select Applications.
  3. Select the ClickUp application and click the Provisioning tab.
  4. Check the Enable provisioning features checkbox.
  5. Click Configure API Integration.
  6. Check the Enable API integration box.
  7. Copy and paste your SCIM Base URL and SCIM API Token from step 1.
    Screenshot of someone pasting their Base URL and API token.
  8. Click Test API Credentials. If successful, a verification message appears.
  9. Click Save.
  10. In the left panel, select To App.
  11. Choose the Provisioning Features you want to enable.
  12. Assign people to the app and finish the application setup.
  13. When assigning users or groups, assign the ClickUp Role attribute. If this attribute is unset, everyone will default to the member role.

Provision limited members

To provision the limited member user role, an Okta admin needs to make a few updates. 

To provision the limited member user role:

  1. In your Okta Dashboard, navigate to the Directory and choose Profile Editor.
    Screenshot of the Directory, with Profile Editor selected.
  2. Click the Profile for ClickUp. 
  3. You're directed to the Attributes page. 
  4. In the ClickUp Role row to the far-right, click the pencil icon. 
    Screenshot of the Attributes page with the ClickUp Role row and the pencil icon highlighted.
  5. On the Attribute members page in the Display name section, click Add Another.
  6. In the Display name text box, type Limited Member.
  7. To the right of the Display name in the Value column, type 100.
    Screenshot of Limited Member typed into the Display name text box with a value of 100.
  8. In the lower-right corner, click Save Attribute.
  9. The limited member user role is now an option when provisioning users in ClickUp. 

Actions you can take using Okta SCIM

You can take the following actions using Okta SCIM:

Action Description
Push New Users

New users created through Okta are also created in the third-party application.

Okta creates a username and email, but no password. If a user gets locked out due to SSO becoming unlinked, an owner or admin must change the SSO policy to optional so the user can reset their password.

Push New Group

New groups created through Okta are also created as Teams within ClickUp.

Push Profile Updates Updates to the user's profile through Okta are also made in the third-party application.
Push User Deactivation

Deactivating or disabling the user's access to the application through Okta also deactivates the user in the third-party application. When users are deactivated in Okta, they are removed from the associated ClickUp Workspace. Users will not be able to access anything in that Workspace, but their data will remain available as an "inactive user."

For this application, deactivating a user means removing access to log in, but maintaining the user's Chorus information as an inactive user.

Reactivate Users User accounts can be reactivated in the application.

Custom role attributes

To set a custom role for your users, you can map to either the customRoleName attribute or the customRoleId attribute. If you do not have someone who can access the public ClickUp API, create an attribute in the Okta profile that is an enumerated list of names that match the custom roles you created in your ClickUp Workspace. Make sure this maps to customRoleName during user provisioning.

If the custom role name is changed in ClickUp, this mapping will break. If you can access the ClickUp Public API, use the customRoleId attribute to ensure that the custom role mapping does not break when custom role names are changed in ClickUp. 

The following custom role attributes are available:

Model Custom role attributes
Base
  • id
  • userName
  • Name: {givenName and familyName}
  • active
  • emails
  • Array of emails with value property and primary (boolean) property
  • title
  • urn:ietf:params:scim:schemas:core:2.0:User

Extension
  • role
  • clickupRole
  • customRoleId
  • customRoleName
  • urn:ietf:params:scim:schemas:extension:ClickUp:2.0:User
Enterprise
  • manager
  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
  • Once a user is created in ClickUp, they won't receive updates when the givenName, lastName, or email is changed in Okta. Only updates made to the ClickUp Role are sent from Okta to ClickUp. If a change must be made to the email or username, it must be done by the user in their ClickUp settings.
  • If your name in ClickUp displays as your email address, you can update it on your personal settings page.

Was this article helpful?