This guide describes Chartbeat’s integration with the SCIM standard and the requirements for enabling provisioning through an Identity Provider that supports the protocol.
Supported Features
Chartbeat currently supports the following provisioning features:
- Push New Users: New users created through your IDP will also be created in Chartbeat.
- Push User Deactivation: Deactivating the user through your IDP will deactivate the user’s Chartbeat account.
- Push Profile Updates: Updates made to the user’s profile through your IDP will be pushed to Chartbeat.
- Import New Users: New users created in Chartbeat can be downloaded and turned into new AppUser objects, for matching against existing users in your IDP.
- Reactivate Users: Reactivating a user through your IDP will reactivate the user’s Chartbeat account.
Prerequisite
- Verify your Identity Provider supports SCIM (Basic Authentication method)
- Choose a user account for making SCIM requests
  - Should be the organization Owner for your team's Chartbeat
  - Must have a known password
- Know the relevant information for configuring SCIM
  - SCIM connector base URL: https://chartbeat.com/scim/v2/
  - Unique identifier field for users: email
Set up SCIM
Use the appropriate documentation from your IDP to complete the SCIM integration.
Notes
SCIM to Chartbeat authorization is done through Basic Auth, so the designated SCIM user needs a password in the Chartbeat system. It is best to set up SCIM before making SSO required on the account. If you need to set this password while SSO is required for your organization, please contact support@chartbeat.com to request a password reset link for the account.
NOTE: The Chartbeat user designated as your organization Owner has special privileges in Chartbeat. In the case of Single Sign-On, this account serves as a fallback/recovery account. This means that this user can always reset their password and log in with it, even if they typically sign in through SSO. This is primarily so that you can recover your company's Chartbeat account if your identity service has a critical error and becomes unreachable.
Until such time as OAuth is available for SCIM, use this account’s credentials to authenticate with our SCIM API. This ensures you can reset the password if you forget it.
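The following is an added example, not Chartbeat's own code: it shows what the Basic Auth SCIM request described above looks like on the wire and how to check that users deactivated in your IDP are no longer active. It assumes the endpoint follows the standard RFC 7644 `/Users` resource and filter syntax with `userName` holding the email, which this guide does not confirm; the environment variable names and the sample response are constructed.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://chartbeat.com/scim/v2/"  # connector base URL from this guide

def basic_auth_header(email, password):
    # RFC 7617: base64("user:password"). This is encoding, not encryption.
    token = base64.b64encode(f"{email}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def build_user_lookup(base_url, owner_email, owner_password, user_email):
    """Build, without sending, a SCIM lookup for one user by email."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        # The Owner password rides on every request, so refuse plaintext HTTP.
        raise ValueError("SCIM base URL must use https")
    # Assumption: RFC 7644 /Users resource and filter syntax, userName = email.
    escaped = user_email.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    url = urllib.parse.urljoin(base_url, "Users") + "?" + query
    headers = {"Authorization": basic_auth_header(owner_email, owner_password),
               "Accept": "application/scim+json"}
    return urllib.request.Request(url, headers=headers)

def still_active(list_response_json, deactivated_emails):
    """Emails deactivated in the IdP that the SCIM response still shows active."""
    wanted = {e.lower() for e in deactivated_emails}
    resources = json.loads(list_response_json).get("Resources", [])
    return sorted(r["userName"].lower() for r in resources
                  if r.get("active", True) and r.get("userName", "").lower() in wanted)

# Constructed sample in the RFC 7644 ListResponse shape, not real Chartbeat output.
SAMPLE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [{"userName": "alice@example.com", "active": False},
                  {"userName": "bob@example.com", "active": True}],
})

if __name__ == "__main__":
    # Hypothetical variable names; the fallbacks are constructed placeholders.
    req = build_user_lookup(BASE_URL,
                            os.environ.get("SCIM_OWNER_EMAIL", "owner@example.com"),
                            os.environ.get("SCIM_OWNER_PASSWORD", "constructed-placeholder"),
                            "bob@example.com")
    print(req.full_url)
    print(still_active(SAMPLE, ["alice@example.com", "bob@example.com"]))
```

Because the header is only base64-encoded, anyone who can read the IDP's stored connector settings or an intercepted request recovers the Owner password, so treat that configuration as a secret.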
OKTA Configuration
1. Log in to your OKTA account. If you don’t already have one, you will need to create one.
2. On the OKTA dashboard, click Admin. This takes you to the OKTA Admin Dashboard.
3. Click on the Applications tab on the top navigation.
4. Select your Chartbeat application.
5. Go to the General setup tab and select the Edit button for App Settings.
6. Within App Settings, you will see a Provisioning option. Change Provisioning to SCIM and select Save. This will add a new Provisioning tab to your application.
7. Navigate to the Provisioning tab and select Edit to set up the SCIM connection.
8. Enter the following values into the appropriate fields:
   - SCIM connector base URL: https://chartbeat.com/scim/v2/
   - Unique identifier field for users: email
9. Select the provisioning actions you would like to enable.
10. Set up Authentication by entering the email and password of the Owner of your Chartbeat account.
NOTE: The Chartbeat user designated as your organization Owner has special privileges in Chartbeat. In the case of Single Sign-On, this account serves as a fallback/recovery account. This means that this user can always reset their password and log in with it, even if they typically sign in through SSO. This is primarily so that you can recover your company's Chartbeat account if your identity service has a critical error and becomes unreachable.
Until such time as OAuth is available for SCIM, use this account’s credentials to authenticate with our SCIM API. This ensures you can reset the password if you forget it.
11. Once you’ve tested your authentication, select Save. This will redirect you to Provision to App.
12. Edit the Provision to App by choosing which options you would like to enable. Select Save.
And that’s it. You’re now all set to have OKTA automatically provision users in Chartbeat.