Teams that rely on Okta for provisioning can use Custom Roles fully integrate with Okta. Any role created in ClickUp can be added as an option within Okta, making it easy to integrate Custom Roles into existing workflows.
What you'll need
- Before you can set up provisioning, you need to have Okta SSO enabled for your Workspace.
- Okta SSO is only available to Workspaces on the Enterprise Plan.
- Only Workspace owners and admins can enable Okta SSO.
- Only Okta admins can configure Okta SCIM.
Configure Okta SCIM
To configure Okta SCIM:
- After Okta SSO is enabled, you'll see a SCIM Base URL and SCIM API Token.
- In your Okta Dashboard, navigate to the ClickUp application and click the Provisioning tab.
- Check the Enable provisioning features checkbox.
- Click Configure API Integration.
- Check the Enable API integration box.
- Copy and paste your SCIM Base URL and SCIM API Token from step 1.
- Click Test API Credentials. If successful, a verification message appears.
- Click Save.
- In the left panel, select To App.
- Choose the Provisioning Features you want to enable.
- Assign people to the app and finish the application setup.
- When assigning users or groups, assign the ClickUp Role attribute. If this attribute is unset, everyone will default to the member role.
What you can do
You can take the following actions using Okta SCIM:
|Push New Users||
New users created through Okta are also created in the third-party application.
Okta creates a username and email, but no password. If a user gets locked out due to SSO becoming unlinked, an owner or admin must change the SSO policy to optional so the user can reset their password.
|Push Profile Updates||Updates to the user's profile through Okta are also made in the third-party application.|
|Push User Deactivation||
Deactivating or disabling the user's access to the application through Okta also deactivates the user in the third-party application. When users are deactivated in Okta, they are removed from the associated ClickUp Workspace. Users will not be able to access anything in that Workspace, but their data will remain available as an "inactive user."
For this application, deactivating a user means removing access to log in, but maintaining the user's Chorus information as an inactive user.
|Reactivate Users||User accounts can be reactivated in the application.|
Below are some helpful tips when configuring Okta SCIM:
- Once a user is created in ClickUp, they won't receive updates when the givenName, lastName, or email is changed in Okta. Only updates made to the ClickUp Role are sent from Okta to ClickUp. If a change must be made to the email or username, it must be done by the user in their ClickUp settings.
- To set a Custom Role for your users, you can map to either the customRoleName attribute or the customRoleId attribute. If you do not have someone who can access the public ClickUp API, create an attribute in the Okta profile that is an enumerated list of names that match the Custom Roles you created in your ClickUp Workspace. Make sure this maps to customRoleName during user provisioning.
If the Custom Role name is changed in ClickUp, this mapping will break. If you can access the ClickUp Public API, use the customRoleId attribute to ensure that the Custom Role mapping does not break when Custom Role names are changed in ClickUp. To find out the IDs that correspond to the Custom Roles that you created, use this endpoint to find the list of roles available in your Workspace.