Prerequisites
This guide outlines how to synchronize your application's user and group directories using SCIM v2.0. To synchronize an organization's users and groups provisioned for your application, you'll need to provide Okta with two pieces of information:
- A SCIM URL that the SCIM server will make requests to.
- An Access Token to authenticate its endpoint requests.
Both of these are available in your SCIM Settings in the Kudoboard Integrations page.
⚠️ Please note: Before gaining access to the SCIM integration, you must be upgraded to an Enterprise plan.
Set up SCIM in Kudoboard
Log in to your Kudoboard Enterprise account, select the settings cog in the top right corner, and go to "Admin panel". In the navigation menu on the left side, go to "Integrations" and find the "SCIM" panel, then click on "Connect SCIM". If you don't see the option to "Connect SCIM", please contact support via scim@kudoboard.com.
Once connected, a modal will display with your SCIM URL and Access Token.
⚠️ Please note: We won't display your Access Token again after this point so please store it securely.
With the SCIM integration set up in Kudoboard, it's time to switch over to your Okta environment.
Create an Okta app
Log in to your Okta Admin account, go to Applications, and click "Create an application".
A modal screen will pop up with an option to create a "SAML 2.0" app. SAML is an authentication mechanism used to simplify the login process between your Okta directory and Kudoboard. Both SAML and SCIM are provided as part of your Enterprise plan.
Click on the "SAML 2.0" radio option and click "Next". Give your app a name of "Kudoboard". You can upload our logo if you wish, but that's optional.
Finally, you may set the "App visibility" to "Do not display application icon to users". You'll want to display the icon to enable quick authentication to Kudoboard.
Download the Kudoboard SVG App Icon:
We can then set up your SAML SSO settings.
Go to your Kudoboard Admin panel and in the left navigation menu, click "SSO".
On the "SSO Settings" page, you will find all of the Service Provider data you need to provide to your Okta Identity Provider.
Single sign-on URL: Use the URL in Kudoboard under SP Assertion Consumer URL
Audience URI (SP Entity ID): Use the URL in Kudoboard under SP Metadata URL
Default RelayState: <empty>
Name ID format: EmailAddress
Application username: Email
Update application username on: Create and update
Under Attribute Statements, let's map and assign the correct names to values:
Email: user.email
FirstName: user.firstName
LastName: user.lastName
You can also provide some feedback to Okta to indicate this is an internal app.
Once the App wizard finishes creating your custom app, under "General" → "App Settings" click the check box to "Enable SCIM provisioning" and then click "Save" to commit the change.
You should now see a new "Provisioning" tab.
Switch to the "Provisioning" tab and click the "Edit" link. Here are the steps to set up provisioning with Kudoboard via SCIM.
- Copy and paste your "SCIM URL" from Kudoboard into the "SCIM connector base URL" field.
- Enter "email" in the "Unique identifier field for users".
- Tick the following checkboxes for "Supported provisioning actions": Push New Users, Push Profile Updates, Push Groups.
- Change the "Authentication Mode" to "HTTP Header" and in the "Bearer" field, copy and paste your SCIM Token from Kudoboard.
Provisioning to Kudoboard
Once you set up the SCIM connection, you can tell Okta how you want to provision users to Kudoboard.
The Kudoboard SCIM connection allows Okta to:
- Create Users
- Update User Attributes
- Deactivate Users
But does not allow Okta to:
- Sync Password (We require SAML authentication when using SCIM)
Mapping Attributes
Next, we need to tell Okta which attributes to sync with user profiles.
Available attributes
Kudoboard can map the following attributes:
| Kudoboard Field | Okta Field | Type | SCIM Namespace |
| --- | --- | --- | --- |
| userName | Email (mapped in Sign On Settings) | string | urn:ietf:params:scim:schemas:core:2.0:User |
| givenName | user.firstName | string | urn:ietf:params:scim:schemas:core:2.0:User |
| familyName | user.lastName | string | urn:ietf:params:scim:schemas:core:2.0:User |
| | user.email | string | urn:ietf:params:scim:schemas:core:2.0:User |
| displayName | user.displayName | string | urn:ietf:params:scim:schemas:core:2.0:User |
| timezone | user.timezone | string | urn:ietf:params:scim:schemas:core:2.0:User |
| employeeNumber | user.employeeNumber | string | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |
| managerValue | user.managerId | integer | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |
| managerDisplayName | user.manager | string | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User |
| isOrgAdmin | custom | boolean | urn:kudoboard:params:schemas:extension:2.0:User |
| birthDate | custom | string (date format - year is irrelevant but required for validation e.g. 1970-03-20) | urn:kudoboard:params:schemas:extension:2.0:User |
| hiredDate | custom | string (date format) | urn:kudoboard:params:schemas:extension:2.0:User |
Setting up the Manager mapping
This depends on your directory integration, i.e. Workday, Entra ID, Active Directory etc. You can provide the SCIM application's internal ID for the manager user or their email. Kudoboard will support both.
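To check a mapping before assigning users, the following added example (not Kudoboard's or Okta's own code) builds the SCIM 2.0 User resource implied by the attribute table and the manager mapping above, and rejects values that would fail validation. The function names, the sample profile, the "emails" attribute and the RFC 7643 nesting (name.givenName, manager.value) are assumptions; only the field names and namespaces come from this guide.

```python
import re
from datetime import date
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
KUDOBOARD = "urn:kudoboard:params:schemas:extension:2.0:User"

# Constructed sample profile (not real data); keys follow the Okta Field column.
SAMPLE_PROFILE = {"email": "ada@example.com", "firstName": "Ada", "lastName": "Byron",
                  "managerId": "grace@example.com", "manager": "Grace Hopper",
                  "isOrgAdmin": False, "birthDate": "1970-03-20"}

def _iso_date(value, field):
    # The guide requires a full date even when the year is irrelevant.
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        raise ValueError(f"{field} must be YYYY-MM-DD, got {value!r}")
    date.fromisoformat(value)  # rejects impossible dates such as 1970-02-30
    return value

def build_scim_user(profile):
    """Map a directory profile onto a SCIM 2.0 User (nesting assumed per RFC 7643)."""
    email = profile["email"]
    user = {"schemas": [CORE], "userName": email,
            "name": {"givenName": profile["firstName"], "familyName": profile["lastName"]},
            "emails": [{"value": email, "primary": True}]}
    for key in ("displayName", "timezone"):
        if profile.get(key):
            user[key] = profile[key]
    ent = {}
    if profile.get("employeeNumber"):
        ent["employeeNumber"] = str(profile["employeeNumber"])
    if profile.get("managerId") is not None:
        # Internal ID or email: the guide says both are supported.
        ent["manager"] = {"value": profile["managerId"]}
        if profile.get("manager"):
            ent["manager"]["displayName"] = profile["manager"]
    kb = {}
    if "isOrgAdmin" in profile:
        # Privilege-bearing flag: a mis-mapped string like "false" is truthy, so reject it.
        if not isinstance(profile["isOrgAdmin"], bool):
            raise TypeError("isOrgAdmin must be a boolean")
        kb["isOrgAdmin"] = profile["isOrgAdmin"]
    for field in ("birthDate", "hiredDate"):
        if profile.get(field):
            kb[field] = _iso_date(profile[field], field)
    for urn, ext in ((ENTERPRISE, ent), (KUDOBOARD, kb)):
        if ext:
            user["schemas"].append(urn)
            user[urn] = ext
    return user
```

Calling build_scim_user(SAMPLE_PROFILE) returns the resource as a dict; a profile whose isOrgAdmin arrives as a string raises TypeError instead of producing an admin flag.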