Who can use this feature?
- Requires an Enterprise plan.
- Requires an Admin role to configure.
This article provides guidance for configuring System for Cross-domain Identity Management (SCIM) for your Fullstory account. Currently, SCIM is only supported for Okta as an Identity Provider. SCIM, when used in conjunction with Single Sign-On (SSO), allows you to automate the provisioning and deprovisioning of user accounts in Fullstory directly from your Identity Provider (IdP). This streamlines user management and enhances security.
Create a new SAML app in Okta
- In the Admin Console, go to Applications.
- Click Create App Integration.
- Select SAML 2.0 as the Sign-in method.
- Click Next.
- Provide the general information for the integration and then click Next.
- Provide the necessary SAML settings information for your integration. See Application Integration Wizard SAML field reference for descriptions of individual fields.
- Optional. Click Preview the SAML Assertion to view the XML generated from the SAML settings that you provided.
- Click Next.
- Provide configuration information about your app integration to Okta:
- If you're adding an integration for internal use only, follow these steps:
- Select I'm an Okta customer adding an internal app.
- Select This is an internal app that we have created. However, if your app requires more SAML configuration instructions to work with Okta, select It's required to contact the vendor to enable SAML. Fill in the provided fields to help the Okta support team understand your SAML configuration.
- Click Finish.
- Your integration is created in your Okta org. You can modify your integration's parameters and assign it to users.
- After you create your SAML app integration, you can follow the SSO setup described in the How do I configure SSO? article.
Enabling SCIM in Fullstory
Admin users can configure SCIM in Fullstory.
- Within Fullstory, go to Settings > Account Management > SSO.
- Under Account Provisioning, select SCIM Provisioning from the dropdown menu.
Note: If you don't see Account Provisioning, ensure that SAML SSO is already configured for your Fullstory organization. See How do I configure SSO? for more information.
- Fullstory will display information that you will need to enter into your IdP later, including the following:
- SCIM connector base URL
- Unique identifier for users
- Authentication mode
- Authorization token
- Click Generate Authorization Token. Keep this information secure as it will be used to authorize the connection from your IdP.
Setting up the SCIM connection in Okta
The following steps provide an example of how to configure SCIM with Okta. The specific steps may vary depending on your IdP.
- From your Okta Admin console, navigate to Applications > Applications.
- Select the Okta Application that you have configured for Fullstory SSO.
- For the selected Okta Application, click on the General tab and then click Edit.
- Under Provisioning, select SCIM and click Save. This will add a Provisioning tab to your Fullstory Okta application.
- Click on the new Provisioning tab.
- Under Integration, click Edit.
- Using the information obtained from Fullstory in the previous section, fill out the following details:
- SCIM connector base URL
- Unique identifier field for users
- Supported provisioning actions
- Authentication Mode
- Authorization token
- Click Test Connector Configuration.
- If the test is successful, click Save.
Mapping User Roles via SCIM Attributes (Recommended)
To automatically assign Fullstory roles to users based on their group memberships in Okta, follow these steps:
- In Okta, navigate to Directory > Profile Editor.
- Select your Fullstory Okta Application and click + Add Attribute.
- Fill out the attribute details with the following information:
| Attribute Information | Value |
| --- | --- |
| Data Type | String |
| Display Name | Fullstory Role |
| Variable Name | fullstoryRole |
| External Namespace | urn:ietf:params:scim:schemas:core:2.0:User |
| Define enumerated list of values | Checked |
- Add the following Attribute Members with their corresponding Value:
| Display Name | Value |
| --- | --- |
| Admin | admin |
| Architect | architect |
| Standard | standard |
| Explorer | explorer |
| Guest | guest |
- Ensure Attribute Type is set to Group.
- Click Save.
- In Okta, navigate back to your Fullstory Okta application and click on the Assignments tab.
- Add the groups you want to map to Fullstory roles.
- Click the pencil icon to open the Edit Group Assignment screen. You should now see the Fullstory Role attribute.
- From the dropdown, select the Fullstory role that you want to assign to members of this Okta group.
- Click Save and repeat this for all relevant Okta groups.
Enabling SCIM Functionality in the Fullstory Okta App
- From the Okta Application, navigate to Provisioning > To App and click Edit.
- Select the provisioning features you want Okta to manage. It is recommended to enable Create Users, Update User Attributes, and Deactivate Users.
- Click Save.
Converting Existing Users to SCIM Users (If Applicable)
If you already have users assigned to the Fullstory Okta application before configuring SCIM, you may need to manually provision them via SCIM:
- In the Okta Application, navigate to the Assignments tab.
- Click Import Now to reconcile any differences between the users currently in FSTA and those assigned in Okta.
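A reconciliation check for the import step above, as an added example that is not Fullstory's or Okta's code: it compares a SCIM user listing with the Okta assignment list and flags accounts that are active in the app without an assignment, assignments not yet provisioned, and role values outside the enumerated list. The sample data is constructed, and it is an assumption that the role appears as a top-level `fullstoryRole` attribute in the SCIM user resource.

```python
# Added example: constructed data, no network access.
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ROLES = {"admin", "architect", "standard", "explorer", "guest"}  # values from the role table

# Constructed sample: a SCIM ListResponse such as a user listing call could return.
# Assumption: the role is carried as a top-level "fullstoryRole" attribute.
SAMPLE_SCIM_USERS = {
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 4,
    "Resources": [
        {"userName": "ana@example.com", "active": True, "fullstoryRole": "admin"},
        {"userName": "Ben@Example.com", "active": True, "fullstoryRole": "standard"},
        {"userName": "cy@example.com", "active": True, "fullstoryRole": "owner"},
        {"userName": "dee@example.com", "active": False, "fullstoryRole": "guest"},
    ],
}
# Constructed sample: users currently assigned to the Okta application.
SAMPLE_OKTA_ASSIGNED = ["ana@example.com", "ben@example.com", "eli@example.com"]


def reconcile(scim_list, okta_assigned):
    """Compare app-side SCIM users against the IdP assignment list."""
    if LIST_RESPONSE_SCHEMA not in scim_list.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    # userName is not case-exact in SCIM, so compare lower-cased values.
    assigned = {u.strip().lower() for u in okta_assigned}
    active = set()
    report = {"orphaned": [], "not_provisioned": [], "bad_role": [], "admins": []}
    for user in scim_list.get("Resources", []):
        name = user["userName"].strip().lower()
        if not user.get("active", False):
            continue  # deactivated accounts are out of scope for this check
        active.add(name)
        role = user.get("fullstoryRole")
        if name not in assigned:
            report["orphaned"].append(name)   # active in the app, no IdP assignment
        if role not in ROLES:
            report["bad_role"].append(name)   # missing or outside the enumerated list
        elif role == "admin":
            report["admins"].append(name)     # review list for the most privileged role
    report["not_provisioned"] = list(assigned - active)
    return {key: sorted(names) for key, names in report.items()}


if __name__ == "__main__":
    for finding, users in reconcile(SAMPLE_SCIM_USERS, SAMPLE_OKTA_ASSIGNED).items():
        print(f"{finding}: {users}")
```
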
By following these steps, you can successfully configure SCIM for your Fullstory organization, enabling automated user provisioning and deprovisioning through your Identity Provider. This will streamline your user management processes and enhance the security of your Fullstory account. Remember to consult the documentation for your specific Identity Provider for any variations in the configuration steps.