SCIM automatically creates, updates, and deprovisions users in Retrac based on your Okta directory — reducing manual invite management for large teams. SCIM is available on Enterprise plans alongside SAML SSO.
Configure Okta SAML first so provisioned users can sign in. SCIM manages workspace membership; SAML handles authentication.

Prerequisites

  • Okta admin access
  • Retrac workspace owner role
  • Enterprise plan with SCIM enabled
  • SAML SSO configured (recommended)

Set up Okta SCIM

1. Open Retrac SCIM settings

In Retrac, go to Settings → Security and open SCIM configuration. Generate or copy your:
  • SCIM endpoint URL
  • Bearer token (shown once — store in a secrets manager)

2. Enable provisioning in Okta

In the Okta Admin Console, open your Retrac SAML application. Go to the Provisioning tab and click Configure API Integration. Enable provisioning and enter the Retrac SCIM base URL and bearer token.

3. Configure provisioning settings

Under Provisioning → To App, enable:
  • Create Users
  • Update User Attributes
  • Deactivate Users
Map Okta user profile attributes to Retrac SCIM fields:

  Okta attribute    SCIM field
  user.email        userName / emails
  user.firstName    name.givenName
  user.lastName     name.familyName

4. Assign users or groups

Assign the Retrac app to Okta users or groups. Okta pushes create, update, and deactivate events to Retrac via SCIM.

5. Verify provisioning

  1. Assign a test user in Okta.
  2. Confirm they appear under Settings → Members in Retrac.
  3. Deactivate the test user in Okta and confirm they lose workspace access.
Use Okta’s Provisioning Logs to troubleshoot failed syncs.
Pair SCIM with location access — provision users into Retrac, then let owners assign location permissions in Settings → Members.

Rotate credentials

If your bearer token may have been exposed, regenerate it in Settings → Security and update Okta with the new token before revoking the old one.

Remove SCIM

Disconnect SCIM from the Security page when decommissioning automated provisioning. Review active members afterward. See Security documentation.
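
An access-review check for the Verify provisioning step and the member review after removing SCIM, added here as an example and not Retrac or Okta code. It assumes Retrac user records are available as standard SCIM 2.0 core User resources; the sample payload, the Okta snapshot and the `audit` function are constructed for illustration.

```python
import json

# Constructed SCIM 2.0 ListResponse standing in for Retrac's user records.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "Resources": [
        {"userName": "ana@example.com", "active": True,
         "name": {"givenName": "Ana", "familyName": "Diaz"},
         "emails": [{"value": "ana@example.com", "primary": True}]},
        {"userName": "bo@example.com", "active": True,
         "name": {"givenName": "Bo", "familyName": "Chen"},
         "emails": [{"value": "bo@example.com", "primary": True}]},
        {"userName": "cy@example.com", "active": False,
         "name": {"givenName": "Cy", "familyName": "Okoye"},
         "emails": [{"value": "cy@example.com", "primary": True}]},
    ],
})

# Constructed snapshot of users assigned to the app in Okta, keyed by user.email.
OKTA_ASSIGNED = {
    "ana@example.com": {"firstName": "Ana", "lastName": "Diaz"},
    "cy@example.com": {"firstName": "Cy", "lastName": "Okoye"},
    "dee@example.com": {"firstName": "Dee", "lastName": "Park"},
}

def audit(list_response_json, okta_assigned):
    """Return sorted (finding, email) pairs where SCIM state and Okta disagree."""
    resources = json.loads(list_response_json).get("Resources", [])
    scim = {r["userName"].lower(): r for r in resources}
    okta = {k.lower(): v for k, v in okta_assigned.items()}
    findings = []
    for email, user in scim.items():
        # A missing "active" is treated as active so the account is flagged, not hidden.
        active = user.get("active", True)
        if active and email not in okta:
            findings.append(("active_but_unassigned", email))  # deactivation not applied
        elif not active and email in okta:
            findings.append(("assigned_but_inactive", email))
        if email in okta:  # check the attribute mapping from the table above
            name, want = user.get("name", {}), okta[email]
            primary = [e["value"].lower() for e in user.get("emails", []) if e.get("primary")]
            got = (name.get("givenName"), name.get("familyName"), primary)
            if got != (want["firstName"], want["lastName"], [email]):
                findings.append(("attribute_mismatch", email))
    findings += [("assigned_but_missing", e) for e in okta if e not in scim]
    return sorted(findings)

if __name__ == "__main__":
    for finding, email in audit(SAMPLE_LIST_RESPONSE, OKTA_ASSIGNED):
        print(f"{finding}: {email}")
```

An `active_but_unassigned` finding is the one to act on first: it marks an account that still holds workspace access without a matching Okta assignment.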