SAML SSO Okta: User Provisioning
With the SCIM protocol, admins can set up automatic user provisioning and deprovisioning for Wrike with Okta.
Set up Wrike with the System for Cross-domain Identity Management (SCIM) standard to automatically provision or deprovision users based on their status in Okta.
- Automatic provisioning: Okta users are automatically provisioned for Wrike.
- Synced user attributes: User attributes are automatically updated in Wrike when they're updated in Okta.
  Note: To successfully update user attributes of account admins, the account admin who issued the API token must have the right to grant/revoke admin rights enabled.
- Automatic deactivation: Wrike users are automatically deactivated in Wrike when they're deactivated in Okta.
This page is about integrating Wrike with Okta SCIM. We have a separate page on setting up SAML SSO to Wrike through Okta.
Note: Members added through SCIM are billable as soon as they're provisioned.
You must have permission to Configure advanced security settings in Wrike and be an Okta admin to set up Wrike with Okta SCIM. We recommend setting up SAML SSO with Okta first.
Only users from approved domains will be automatically provisioned to Wrike.

- Open your Wrike workspace.
- Click your profile picture in the view’s upper right-hand corner.
- Select Apps & Integrations.
- Find Okta in the list of apps (make sure to select Identity management and single sign-on via Okta, not Okta via Wrike Integrate), click the app, and switch to the SCIM tab.
- Scroll to the bottom and copy the SCIM URL. You’ll be using it in a few steps.
- Close the Okta pop-up (but stay in Wrike) and move on to Step 3.

- Click API from the left-hand side of the Apps & Integrations page.
- Enter a name in the App name field (we suggest Okta SCIM).
- Click Create new.
- (Optional) Add an app description.
- Scroll to the bottom of the page and click Create Token.
- Enter your password and click Obtain token.
- Copy the token and save it somewhere. You’ll need to enter this information in Okta.
  Important: You’re only shown your token once, so make sure you save it prior to moving on to the next steps.
- Click Save.

- Sign in to your Okta domain at <yourorganization>.okta.com.
- Click Admin.
- Click Applications.
- Find and select Wrike.
- Switch to the Provisioning tab.
- Select Integration in the left panel.
- Click Edit to the right of the Integration label.
- Check the box next to Enable API integration.
- Add information:
  - In the Base URL field, add the URL from Step 2.
  - In the API Token field, add the token from Step 3.
- Click Test API Credentials to verify that access is working correctly.
- Click Save.
- Select To app in the left panel.
- Click Edit to the right of the Provisioning to app label.
- Enable all or some synchronizations: Create Users, Update User Attributes, and Deactivate Users.
- Click Save.
- Switch to the Assignments tab.
- Enable Wrike for select people or groups, or for all users.

The following attributes are synced from Okta to Wrike:
- Username
- Given name
- Family name
- Primary email
  Note: The primary email in Wrike is not changed when this attribute is synced from Okta.
- Title
- Primary phone
- Organization
- Department
- Wrike user type
  Note: Specifying the Wrike user type (Regular, External, and Collaborator) is a custom attribute. By default, Regular users are created.

If certain user attributes (e.g., phone number, department, or secondary emails) are filled in Wrike but missing in Okta, the information stays in Wrike even after user provisioning.

If a user doesn't get provisioned or deprovisioned:
- Check the System Log in the Okta administration portal to see if a SCIM provisioning attempt is listed there.
- If there is no provisioning attempt listed, make sure that users are properly assigned to Wrike’s application in Okta.
- If an error is listed, please contact our Support Team and provide error details.
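
The troubleshooting checks above can be run over a System Log export for many users at once. The following is an added example, not code from Wrike or Okta: it sorts each assigned user into "ok", "failed" (error details to pass to Support), or "no_attempt" (check the assignment). The event-type prefix, the field layout of the exported events, the app label "Wrike", and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

PROVISION_PREFIX = "application.provision."  # assumed event-type prefix

def _ev(ts, etype, user, result, reason=None, app="Wrike"):
    """Build one constructed System Log event (assumed field layout)."""
    return {"published": ts, "eventType": etype,
            "outcome": {"result": result, "reason": reason},
            "target": [{"type": "User", "alternateId": user},
                       {"type": "AppInstance", "displayName": app}]}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", "application.provision.user.push", "ana@example.com", "SUCCESS"),
    _ev("2024-05-01T09:05:00Z", "application.provision.user.push", "bo@example.com",
        "FAILURE", "constructed error text"),
    _ev("2024-05-01T09:06:00Z", "application.provision.user.push", "cy@example.com",
        "SUCCESS", app="OtherApp"),
    _ev("2024-05-01T09:07:00Z", "user.session.start", "cy@example.com", "SUCCESS"),
]

def triage(events, assigned_users, app_name="Wrike"):
    """Map each assigned user to (status, detail) from provisioning events."""
    attempts = defaultdict(list)
    for ev in events:
        if not ev.get("eventType", "").startswith(PROVISION_PREFIX):
            continue  # not a provisioning attempt
        targets = ev.get("target") or []
        if not any(t.get("type") == "AppInstance" and t.get("displayName") == app_name
                   for t in targets):
            continue  # provisioning for a different application
        for t in targets:
            if t.get("type") == "User":
                attempts[t.get("alternateId", "").lower()].append(ev)
    report = {}
    for user in assigned_users:
        evs = sorted(attempts.get(user.lower(), []), key=lambda e: e["published"])
        if not evs:
            report[user] = ("no_attempt", "check assignment to the app in Okta")
            continue
        last = evs[-1]  # the most recent attempt decides the status
        outcome = last.get("outcome") or {}
        if outcome.get("result") == "SUCCESS":
            report[user] = ("ok", last["eventType"])
        else:
            report[user] = ("failed", f'{last["eventType"]}: {outcome.get("reason")}')
    return report

if __name__ == "__main__":
    for user, (status, detail) in triage(
            SAMPLE_EVENTS, ["ana@example.com", "bo@example.com", "cy@example.com"]).items():
        print(f"{user}: {status} ({detail})")
```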