
Okta Provisioning

Beta

Okta provisioning is in beta. The SCIM 2.0 endpoint accepts the same payloads Okta sends to any compliant target, but the integration hasn't been certified through the Okta Integration Network or hardened against every Okta tenant configuration we'd want to support at GA. Roll it out to a pilot group first, and let support know if you hit anything unexpected — that feedback is what moves the integration to general availability.

Once Okta Universal Directory is connected to TheStorage, your directory drives the user list. New hires appear in TheStorage minutes after you assign them to the app, profile changes flow through on the next push, and users who are unassigned or deactivated in Okta are deactivated in TheStorage without anyone clicking a button.

The integration runs over SCIM 2.0 through Okta's generic SCIM 2.0 application template, so no Okta Integration Network (OIN) listing is required.

Requirements

  • An Okta administrator role with the right to add applications and configure provisioning — typically Super Administrator or Application Administrator.
  • A TheStorage user with the Administrator role (needed to enable SCIM and copy the bearer token).
  • An Okta edition that includes Lifecycle Management — the Provisioning tab is only available on plans that bundle Okta Lifecycle Management.

Step 1: Enable SCIM in TheStorage

  1. Sign in to TheStorage and open Settings > User Provisioning.

  2. Toggle SCIM provisioning on. A dialog appears with a one-time bearer token.

  3. Click Copy and stash the token somewhere safe — a password manager, or paste it straight into the API Token field in Step 3 below. TheStorage only keeps a hash, so once the dialog closes the raw value is gone for good. The only way to recover it is to regenerate, which invalidates the previous one.

  4. Copy the Tenant endpoint URL shown below the token. It looks like:

    https://service.thestorage.app/api/<your-tenant>/scim/v2

    Keep both values to hand for Step 3.

Step 2: Create the Application in Okta

  1. Sign in to the Okta Admin Console with an administrator account.

  2. Navigate to Applications > Applications, then click Browse App Catalog.

  3. Search for SCIM 2.0 Test App (Header Auth) and open it. Don't be put off by the word "Test" — this is Okta's official generic SCIM 2.0 template, and it's intended for production use against any SCIM endpoint that authenticates with a static bearer token.

  4. Click Add Integration. On the General Settings page, set:

    Field                   Value
    Application label       TheStorage SCIM Provisioning
    Application visibility  Both checkboxes unchecked (TheStorage has no Okta-based SSO chiclet)

    Click Next, skip the Sign-On Options page with the defaults, and click Done.

Step 3: Configure the SCIM Connection

  1. On the new application's overview page, open the Provisioning tab and click Configure API Integration.

  2. Tick Enable API integration, then fill in:

    Field      Value
    Base URL   The Tenant endpoint URL copied in Step 1
    API Token  The bearer token copied in Step 1

  3. Click Test API Credentials. Okta fires a GET /Users?count=1 at the endpoint and expects a 200 OK; a green "The API credentials were verified successfully" banner confirms the connection. If the test fails, the usual suspects are a trailing slash on the endpoint URL, the wrong tenant slug, or a stale token — re-paste a fresh copy and try again.

  4. Click Save.
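
An added example, not part of TheStorage's or Okta's own tooling: a pre-flight check that lints the Base URL for the failure causes listed above and builds the same GET /Users?count=1 request, so the values can be checked before they go into Okta. The `Authorization: Bearer` header format and the `SCIM_BASE_URL` / `SCIM_TOKEN` environment variable names are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def lint_base_url(url):
    """Return the problems that would make Okta's credential test fail."""
    problems = []
    if url != url.strip():
        problems.append("whitespace around the URL")
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if url.endswith("/"):
        problems.append("trailing slash")
    # Expected shape, from Step 1: /api/<your-tenant>/scim/v2
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) != 4 or segs[0] != "api" or segs[2:] != ["scim", "v2"]:
        problems.append("path is not /api/<your-tenant>/scim/v2")
    elif "<" in segs[1] or ">" in segs[1]:
        problems.append("tenant slug is still the placeholder")
    return problems

def build_test_request(base_url, token):
    """Build the same GET /Users?count=1 that Okta sends, without sending it."""
    problems = lint_base_url(base_url)
    if not token or token != token.strip():
        problems.append("token is empty or has stray whitespace")
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(base_url + "/Users?count=1", method="GET")
    # Assumption: the endpoint expects "Authorization: Bearer <token>".
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/scim+json")
    return req

def run_test(base_url, token, timeout=10):
    """Send the request and return the HTTP status; 200 is what Okta expects."""
    try:
        request = build_test_request(base_url, token)
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    # Hypothetical variable names; the environment keeps the token out of shell history.
    print(run_test(os.environ["SCIM_BASE_URL"], os.environ["SCIM_TOKEN"]))
```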

Step 4: Enable Provisioning Actions

  1. Still on the Provisioning tab, select To App in the left rail, then click Edit next to Provisioning to App.

  2. Tick the following options and click Save:

    Option                  Value
    Create Users            enabled
    Update User Attributes  enabled
    Deactivate Users        enabled

    Leave "Sync Password" off

    TheStorage doesn't store user passwords — authentication runs through your identity provider, not TheStorage. Enabling Sync Password will fail every push with a 400 on the unsupported attribute, so make sure that one is unticked before you save.

Step 5: Review Attribute Mappings

  1. Scroll down to the Attribute Mappings section. Okta pre-fills sensible defaults for the standard SCIM attributes. Confirm at least the following map onto TheStorage's expected fields:

    Okta attribute    SCIM attribute
    user.email        userName
    user.email        emails[type eq "work"].value
    user.firstName    name.givenName
    user.lastName     name.familyName
    user.displayName  displayName
    user.title        title
    user.department   department

    TheStorage doesn't currently provision groups. The SCIM 2.0 Test App template doesn't push groups by default, so there's nothing extra to do here — just leave the To App > Groups section disabled.
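
An added example (not TheStorage's or Okta's code) covering the mappings above and the Sync Password warning in Step 4: it resolves each SCIM path from the table against a create-user body and flags a `password` attribute without echoing its value. The sample body is constructed, and the fallback to the enterprise extension for `department` follows RFC 7643 rather than anything this page states.

```python
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# SCIM attribute paths from the mapping table in Step 5.
EXPECTED_PATHS = [
    "userName", 'emails[type eq "work"].value', "name.givenName",
    "name.familyName", "displayName", "title", "department",
]
FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

def resolve(resource, path):
    """Resolve a plain, dotted or filtered SCIM path; None when absent."""
    m = FILTER.match(path)
    if m:
        attr, key, wanted, sub = m.groups()
        for item in resource.get(attr) or []:
            if str(item.get(key, "")).lower() == wanted.lower():
                return item.get(sub)
        return None
    node = resource
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    if node is None:
        # RFC 7643 defines department in the enterprise extension, so look there too.
        node = (resource.get(ENTERPRISE) or {}).get(path)
    return node

def lint_push(resource):
    """Report what would break or thin out a push, without echoing secret values."""
    return {
        # Sync Password adds a password attribute, which the page says returns 400.
        "password_present": "password" in resource,
        "absent": [p for p in EXPECTED_PATHS if resolve(resource, p) in (None, "")],
    }

# Constructed sample of a create-user body; all values are made up.
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "displayName": "Ada Lovelace",
    "emails": [{"type": "work", "value": "ada@example.com", "primary": True}],
    "title": "Engineer",
    ENTERPRISE: {"department": "Research"},
    "active": True,
}

if __name__ == "__main__":
    print(lint_push(SAMPLE))
    print(lint_push({**SAMPLE, "password": "constructed", "emails": []}))
```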

Step 6: Assign Users

  1. Open the Assignments tab and click Assign > Assign to People — or Assign to Groups to push everyone in an Okta group at once. Pick the users or groups that should be synchronised to TheStorage.

    Only assigned principals are provisioned, so start with a small pilot group and widen the scope once the first push succeeds.

  2. After assignment, Okta runs the first push within a minute. Open Reports > Okta System Log and filter on Application assignment and Application user provisioning to track progress; each user should reach the status Successfully provisioned.

  3. Open TheStorage's Users page and confirm the assigned users now appear with the Okta badge on each row.

From here on, Okta is fully event-driven: profile changes in Universal Directory and assignment changes are pushed within seconds, with no scheduled full-sync cycle to wait for.

Known limitations

These are the gaps we're aware of in the beta. All three are on the roadmap before general availability.

  • No group provisioning. Group memberships aren't pushed from Okta. Assign individual users with Assign to People, or assign an Okta group to push its members — the members arrive in TheStorage, but the group object itself does not.
  • No profile photos. Okta's SCIM 2.0 template doesn't expose a profile photo attribute, and there's no Okta equivalent of the Microsoft Graph pull integration we use for Entra. Users can still upload an avatar inside TheStorage, and that image is preserved across syncs.
  • The Okta badge doesn't imply SSO. Users provisioned through this integration get an Okta badge on their TheStorage profile to mark where the account originated, but sign-in still runs through TheStorage's standard identity flow — not Okta SAML or OIDC.