Setup Guide - Okta SCIM

What SCIM does

• Automatically provisions new users into LinearB
• Updates user attributes when they change in Okta
• Deactivates LinearB users when they are disabled in Okta
• Reduces manual administration and ensures identity accuracy

Before you begin

• Okta Admin permissions
• LinearB Admin permissions
• SCIM token generated from LinearB
• SCIM feature enabled by LinearB (if your plan includes it)

SCIM provisioning requires a LinearB-issued SCIM token and SCIM base URL.

1. Go to Settings → Authentication / SSO.
2. Locate the SCIM Provisioning section.
3. Copy the SCIM Base URL.
4. Generate a new SCIM Token (paste into Okta later).

Important: Store your SCIM token securely. Treat it as a password.

1. In Okta Admin Console, go to Applications → Applications.
2. Click Browse App Catalog.
3. Search for LinearB.
4. Select the app and click Add.
5. Choose the Assignment settings appropriate for your organization.
6. Click Done.

The app will now appear in your Okta applications list.

Open the LinearB application in Okta and configure provisioning:

1. Go to the Provisioning tab.
2. Click Configure API Integration.
3. Enable API Integration.
4. Enter the following:
   • SCIM Base URL → from LinearB
   • SCIM Token → from LinearB
5. Click Test API Credentials.
6. Once validated, click Save.

If the test fails: Confirm your token is valid and your SCIM URL matches exactly.

In the LinearB app inside Okta, under the To App section, configure:

• Create Users — Okta will automatically create users in LinearB.
• Update User Attributes — Okta will push profile updates.
• Deactivate Users — Okta will deactivate LinearB users when disabled in Okta.

Note: SCIM deactivation in Okta maps to “Deactivate” inside LinearB. LinearB will not delete users; it disables access.

The following fields are required for successful provisioning:

• email
• firstName
• lastName (required by Okta)

LinearB will fail provisioning if:

• The user is missing a last name
• The email address is blank or invalid
• A required field is unmapped

Tip: Ensure your Okta user profiles include both first and last names.

1. Open the Assignments tab in the LinearB Okta application.
2. Click Assign.
3. Select:
   • Assign to People — for specific users, or
   • Assign to Groups — for automated group-based provisioning
4. Click Done.

Okta will immediately attempt to provision assigned users in LinearB.

After assigning a test user:

1. Check the Provisioning → Push Status in Okta.
2. Ensure the user appears in LinearB → Settings → Users & Teams.
3. Update a profile field (e.g., last name) in Okta to confirm updates sync.
4. Deactivate the user in Okta and verify they deactivate inside LinearB.

Expected behavior: User creation, updates, and deactivation flow automatically from Okta → LinearB.

Common issues

• Provisioning fails for missing last name
  Okta requires lastName. Add a value and retry.
• “403 Forbidden” during API test
  The SCIM token is incorrect or expired. Generate a new one in LinearB.
• No users are syncing
  Confirm the LinearB app in Okta has assigned users or groups.
• Attributes aren’t updating
  Ensure “Update User Attributes” is enabled under To App.

Still need help? Contact support:
linearb.zendesk.com

Does LinearB support SCIM with Azure AD?
Not currently. SCIM is available only for Okta.

Does SCIM assign roles automatically?
No — new users created through SCIM default to Viewer.

Does SCIM remove users?
SCIM deactivation disables the user in LinearB; it does not delete them.

Can SCIM add users to Teams?
Not currently — team assignment is managed inside LinearB.