Prerequisites

• A UserVoice plan that includes SAML Single Sign-On & SCIM
• UserVoice Admin with Owner Level Permission
• Okta access to provision apps
• SAML SSO configured with UserVoice and Okta as a SAML or custom App -- do not use the UserVoice App as it is not compatible with SCIM yet.

Note: You must use SAML and add SCIM provisioning. You can't configure SCIM by independently.

Enable in UserVoice

Note: Admins with owner-level permissions are the only admins able to enable and obtain the token.

To enable SCIM and fetch the required token:

1. Navigate to the Admin Console → Click the settings cog in the lower-left nav → General Settings → User Authentication → Scroll down and toggle SCIM Provisioning on.
2. Once enabled, click "Create Token" to obtain the API Token for configuring in your IdP. Copy or put this somewhere safe for use later.

Now you can start configuring SCIM in Okta.

Okta Configuration

Step 1: Enable SCIM Provisioning

1. Sign into your Okta identity platform and using the left-side navigation, navigate to Applications → Applications.
2. Find and click your UserVoice SAML Application.
3. On the General tab → App Settings, click Edit and under Provisioning, enable SCIM.

Step 2: Configure Provisioning

Set the following values:

1. SCIM connector base URL → https://{your uservoice url}/api/scim_v2
2. Unique identifier field for users → userName
3. Supported provisioning actions:
   1. ✅ Import New Users and Profile Updates
   2. ✅ Push New Users
   3. ✅ Push Profile Updates
4. Authentication Mode → HTTP Header
5. Authorization → Bearer {the token you copied from UserVoice}
6. Click Test Connector Configuration. If successful, you will see the following message: Connector configured successfully.
7. Click Save and then click To App (on the left) → Edit (on the right) → and enable:
   1. Create Users (The default username used to create accounts should be Email)
   2. Update User Attributes
   3. Deactivate Users
   4. Push Groups (if utilizing teams)
8. Click Save.

Step 3: Attribute Mappings

License Type

From the page you were on, scroll down and click Go to Profile Editor. Here you will need to add licenseType. Click Add Attribute and enter the following values:

Note: If you do not configure licenseType users will be provisioned as end-users by default. It is not required.

1. Data type → string
2. Display name → licenseType
3. Variable name → licenseType
4. External name → this will automatically populate with licenseType
5. External namespace → urn:ietf:params:scim:schemas:extension:uservoice:permission:2.0
6. Description → Optional description, e.g. For provisioning UserVoice users
7. Enum Display Name followed by Value. See the table here for what each value means:
   1. Full Access Owner → fullaccess_owner
   2. Admin → admin
   3. Admin No Settings → admin_no_settings
   4. Read Only Admin → readonly_admin
   5. Admin Ideas Only → admin_ideas_only
   6. Admin Feedback Only → admin_feedback_only
   7. Contributor → contributor
   8. Revoke Access → none
8. Attribute type → Personal

Teams (Optional)

SCIM supports automatic team assignment during user provisioning, allowing you to sync Team assignments with your Idp groups. Groups from Okta are pushed to UserVoice as Teams. 

1. Create Groups in Okta and assign Admins and Contributors to the Group
2. Under your application -> Push Groups tab, choose the group you want to push
3. This will create a Team in UserVoice with the group members and the Team name will match the Group name

That completes the configuration. You can now assign users the way you typically do or by following Okta's Assign applications to users guide.

Logs