Skip to main content

Configure SCIM Provisioning with Okta

Set up the Intercom app in Okta to automatically provision, update, and deprovision teammates from your Okta account.

Colin Bentley avatar
Written by Colin Bentley
Updated over a month ago

This article provides the steps required to configure SCIM Provisioning using the Intercom app in Okta. This allows you to provision new teammates and manage their accounts, groups, and permissions using Okta as your single source of truth.

Supported Features

The Intercom app in Okta supports the following provisioning features:

  • Import teammates: Teammates already present in Okta will be created in Intercom.

  • Sync password: Teammate passwords can be synced from Okta to Intercom (this is an optional setting).

  • Push new teammates: New teammates created through Okta will also be created in Intercom.

  • Push profile updates: Updates made to a teammate's profile through Okta will be pushed to Intercom.

  • Teammate deactivation: Deactivating a teammate or disabling their access to the application through Okta will delete the teammate from Intercom.

  • Reactivate teammates: Teammate accounts can be reactivated in the application.

  • Push groups: Push groups from Okta into Intercom and map them to Intercom roles.

Before you start

Important deactivation warning: Teammates in Intercom can be in one of two states: "active" or "deleted". Intercom does not have a soft-deleted, deactivated, or archived state for teammates. If a teammate is not active in your identity provider, their account will be permanently deleted from your Intercom workspace.

Note:

  • SCIM Provisioning is only available with certain Intercom plans. See our plans and pricing for more details.

  • Intercom considers email addresses to be case-insensitive (e.g., "Teammate@example.com" is the same as "teammate@example.com").

  • If a "displayName" parameter is sent in the request, it will be used instead of the "name" parameter.

Requirements

In Okta, please ensure your password policy requires at least 10 characters. To change this, please visit the Authentication section within Okta Security settings.

In Intercom, Before you configure SCIM provisioning, you must first configure SAML SSO.

Then, you must follow the setup steps below. The following items will be provided by Intercom in your security settings:

  • SCIM 2.0 Base URL

  • API Token

Step 1: Get your SCIM credentials from Intercom

Before you can configure Okta, you must enable SCIM in Intercom to get your credentials.

  1. Go to Settings > Workspace > Security > Authentication methods.

  2. Enable SAML SSO.

  3. Select Provisioning then enable SCIM provisioning in the dropdown.

  4. Under "Exclude from deprovisioning and role provisioning", click Add teammates and exclude your own account to prevent being locked out.

  5. Click Save.

  6. Copy the Base URL and API Token. You will need these for the next step.

Learn more about the configuration steps here.

Step 2: Configure the Intercom app in Okta

  1. In your Okta dashboard, navigate to Applications and select Browse App Catalog.

  2. Search for "Intercom" and add the app.

  3. Go to the Provisioning tab for the Intercom app and click Configure API Integration.

  4. Check the Enable API integration box.

  5. Paste the Base URL and API Token you copied from Intercom.

  6. Click Test API Credentials. You should see a success message.

  7. Click Save.

  8. A success message should appear: "Intercom was verified successfully!"

  9. Select To App in the left panel then click Edit.

  10. Enable Create users.

  11. Enable Update User Attributes.

  12. Enable Deactivate Users.

  13. Enable Sync Password (optional).

  14. Click Save.

Note: You must select "Email" for the Application username format on the Sign On application tab in Okta. This is because the SCIM userName attribute for this app must follow an email address format.

Step 3: Set up groups push (Recommended)

If you're using SCIM groups to manage teammate roles:

  1. In Okta, open the Push Groups tab on the Intercom app.

  2. Select the Okta groups you want to sync to Intercom (e.g., "Intercom Admins").

  3. In Intercom, you must now map those synced groups to Intercom roles. Go to Settings > Workspace > Teammates > SCIM Provisioning.

  4. For detailed steps on mapping, see our full guide on Assigning teammate roles automatically with SCIM groups.

Step 4: Assign teammates to the app

Once provisioning is fully configured, go to the Assignments tab in Okta to assign teammates to the Intercom app. This will begin the provisioning process for those teammates.

The Assignments tab will only provision teammates; it will not push the groups themselves. Groups must be pushed from the Push Groups tab.

Learn more about how SCIM provisioning works.

Troubleshooting

If you encounter any issues during setup, please start a conversation with us in the Messenger or email the team at team@intercom.com.

💡Tip

Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts

Related Articles
Integrate with an identity provider and log in with SAML SSO
System for Cross-domain Identity Management (SCIM) Provisioning
Automatically forward emails to the Inbox
Event types in Teammate Activity Logs
Assign teammate roles automatically with SCIM groups
Did this answer your question?