VOOZH about

URL: https://docs.datadoghq.com/account_management/scim/okta/

⇱ Configure SCIM with Okta

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/account_management/scim/okta.md. A documentation index is available at /llms.txt.
SCIM is available with the Infrastructure Pro, Infrastructure Enterprise, and Startup plans.

See the following instructions to synchronize your Datadog users with Okta using SCIM.

For the capabilities and limitations of this feature, see SCIM.

Prerequisites

SCIM in Datadog is an advanced feature available with the Infrastructure Pro, Infrastructure Enterprise, and Startup plans

This documentation assumes your organization manages user identities using an identity provider.

Datadog strongly recommends that you use a service account application key when configuring SCIM to avoid any disruption in access. For further details, see using a service account with SCIM.

When using SAML and SCIM together, Datadog strongly recommends disabling SAML just-in-time (JIT) provisioning to avoid discrepancies in access. Manage user provisioning through SCIM only.

Select the Datadog application in the Okta application gallery

  1. In your Okta portal, go to Applications
  2. Click Browse App Catalog
  3. Type “Datadog” in the search box
  4. Select the Datadog application
  5. Click Add Integration

Note: If you already have Datadog configured with Okta, select your existing Datadog application.

Configure automatic user provisioning

  1. In the application management screen, select Provisioning in the left panel
  2. Click Configure API integration.
  3. Select Enable API integration.
  4. Complete the Credentials section as follows:
    • Base URL: https:///api/v2/scim Note: Use the appropriate subdomain for your site. To find your URL, see Datadog sites.
    • API Token: Use a valid Datadog application key. You can create an application key on your organization settings page. To maintain continuous access to your data, use a service account application key.
  1. Click Test API Credentials, and wait for the message confirming that the credentials are verified.
  2. Click Save. The settings section appears.
  3. Next to Provisioning to App , select Edit to enable the features:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  4. Under Datadog Attribute Mappings, find the mapping of Okta attributes to Datadog attributes already pre-configured. You can re-map them if needed, but map the Okta values to the same set of Datadog values.

Map the Datadog role attribute

To provision a user’s Datadog role (built-in or custom) through SCIM, add an explicit mapping for the roles attribute. Okta does not map this attribute by default.

Datadog’s SCIM role support follows the SCIM multi-valued attribute convention defined in RFC 7643, using the role UUID as value and the role name as display:

{
 "roles": [
 { "value": "<DATADOG_ROLE_UUID>", "display": "<DATADOG_ROLE_NAME>" }
 ]
}
  1. In Directory > Profile Editor, select the Okta user profile, then click Add Attribute to create a roles attribute:
    • Data type: string
    • Display name: Roles
    • Variable name: roles
    • For Enum, select Define enumerated list of values and add one entry per Datadog role, using the role name as the display name and the role UUID as the value. You can find a role’s UUID in the role’s URL on your Organization Settings page. Add any custom roles the same way.
  2. In your Datadog application’s Provisioning > To App settings, map the Okta roles attribute to the Datadog roles attribute.
  3. In the app’s Assignments tab, assign each user the appropriate role from the dropdown.

If a SCIM request sends multiple roles, Datadog provisions only the roles that match a role in your organization. If none match, the user falls back to the org default role (Standard), and unmatched roles are logged to Audit Trail. For more details, see SCIM.

Configure automatic team provisioning

With Managed Teams, you control the core provisioning of a Datadog Team — its name, handle, and membership — through the identity provider. The setup process differs depending on whether the team already exists in Datadog.

Note: Users must exist in Datadog before you can add them to a team. Therefore, you must assign users to the Datadog app in Okta to ensure that they are created in Datadog through SCIM. Assign the Datadog application to your Okta group to ensure that all team members are created in Datadog automatically.

Create a new team in Datadog

  1. In your Datadog application in Okta, navigate to the Push Groups tab.
  2. Click the Push Groups button. The pushed groups interface opens.
  3. Select the Okta group you want to push to Datadog.
  4. In the Match result & push action column, ensure Create group is selected.
  5. Click Save.

To verify that the operation completed successfully, navigate to the Teams list in Datadog. Search for a Datadog Team matching the Okta group you configured. Verify that the team exists in Datadog and is managed externally. It may take a minute or two before the team appears in Datadog.

Synchronize an existing Datadog Team with an Okta group

You can map an existing Datadog Team to an Okta group. Establishing a link from the Okta group to the Datadog Team causes the Datadog Team to be managed by Okta going forward.

Note: In order to synchronize an existing Datadog Team with an Okta group, the two names must match exactly.

  1. In your Datadog application in Okta, navigate to the Push Groups tab.
  2. Click the Push Groups button. The pushed groups interface opens.
  3. Select the Okta group you want to synchronize with a Datadog Team.
  4. In the Match result & push action column, ensure Create group is selected.
  5. Click Save.

Note: When you select Create group, Okta displays a No match found message. You can ignore this message and proceed with creating the group to establish synchronization.

Delete the connection between an Okta group and a Datadog Team

You have two options for disconnecting an Okta group from a Datadog Team, with different impacts on the Datadog Team membership.

Keep team members in Datadog

This procedure allows you to manage team membership in Datadog instead of Okta. The team members stay unchanged.

  1. In your Datadog application in Okta, navigate to the Push Groups tab.
  2. Click the Push Groups button. The pushed groups interface opens.
  3. Select the Okta group you want to unlink from its Datadog Team.
  4. In the Match result & push action column, select Unlink Pushed Group. A dialog box appears.
  5. Select Leave the group in the target app.
  6. Click Unlink.
  7. Click Save.

Remove team members from Datadog

This procedure allows you to manage team membership in Datadog instead of Okta and removes the team members from the Datadog Team.

  1. In your Datadog application in Okta, navigate to the Push Groups tab.
  2. Click the Push Groups button. The pushed groups interface opens.
  3. Select the Okta group you want to unlink from its Datadog Team.
  4. In the Match result & push action column, select Unlink Pushed Group. A dialog box appears.
  5. Select Delete the group in the target app (recommended).
  6. Click Unlink.
  7. Click Save.

Note: Contrary to the name of the option, selecting Delete the group in the target app does not delete the team in Datadog. Instead, it removes all members from the team and removes the link between the group in Okta and the Datadog Team.

Further Reading

Additional helpful documentation, links, and articles: