From c3bdfe4b9142f9155139cc7e7b47047f8827ee27 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Feb 2026 11:46:52 -0800 Subject: [PATCH] Fixes after qa of okta --- tutorials/sync-okta-users-to-smallstep.mdx | 38 ++++++++++------------ 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/tutorials/sync-okta-users-to-smallstep.mdx b/tutorials/sync-okta-users-to-smallstep.mdx index bd45372c..599a03c8 100644 --- a/tutorials/sync-okta-users-to-smallstep.mdx +++ b/tutorials/sync-okta-users-to-smallstep.mdx @@ -1,5 +1,5 @@ --- -updated_at: November 19, 2025 +updated_at: February 02, 2026 title: Sync Okta Users to Smallstep description: Smallstep Okta User SCIM synchronization --- 
@@ -44,17 +44,18 @@ In this quickstart, we will: 2. Go to Applications → Create App Integration 3. In the pop up select "OIDC - OpenID Connect" as the sign-in method and specify "Native Application" for the Application type. 4. New Native App Integration Page - * App integration name: `smallstep-oidc` - * Sign-in redirect URIs: `https://api.smallstep.com/auth/openid/callback` + * App integration name: `Smallstep OIDC` + * Sign-in redirect URIs: Replace the default value with `https://api.smallstep.com/auth/openid/callback` * Select "Skip group assignment for now" * All other value leave as default * **Save** -5. Go to the **General** tab → Scroll down to "Client Credentials" and choose "Edit" - * Select "Use Client Authentication" radio button +5. Go to the **General** tab, in "Client Credentials", choose "Edit" + * In "Client authentication", select "Client secret" radio button * **Save** 6. Go to the **Assignments** tab. -7. Assign any groups that will need access to Smallstep to the `smallstep-oidc` app -8. Go back to **General** tab and scroll down to "Client Credentials." You'll refer to these values in the next step. +7. Assign any groups or people that will need access to Smallstep to the `Smallstep OIDC` app +8. Go back to **General** tab and **Save** +9. Copy the Client ID and Secret from that page ### Step 2. Enter your OIDC Details into the Smallstep console 
@@ -66,9 +67,9 @@ In this quickstart, we will: This is your **Configuration Endpoint**. For example, if you normally sign into Okta at `https://example.okta.com/`, then your configuration endpoint is `https://example.okta.com/.well-known/openid-configuration` -4. Select how you'd like to sync users from Okta. +4. Select whether you'd like to sync users from Okta, invite them manually by email. (You'll configure user sync in the next section.) 5. **Save** -6. After saving, you will see a Base URL for SCIM sync, and a SCIM token. Copy these values for the next step. +6. If you chose to sync users, you will see a **Base URL** for SCIM sync, and an **API token** (SCIM token). Copy these values for the next step. ### Step 3. Add the Smallstep App Integration and Configure User Sync in Okta @@ -76,12 +77,11 @@ In this quickstart, we will: * Applications → Browse App Catalog * Search for `Smallstep` * Select the Smallstep app. -2. Click "Add" +2. Click "Add Integration" ![](/graphics/quickstart/okta-app-add.png) 3. Select "Do not display application icon to users" -4. Select "Do not display application icon in the Okta Mobile App" 5. De-select "Automatically log in when user lands on login page" 6. Choose Next @@ -90,7 +90,7 @@ In this quickstart, we will: 7. Select "Administrator sets username, user sets password" 8. Application username format: "Okta username prefix" 9. Update application username on "Create and update" -10. Done +10. Done. We'll assign users for syncing in the next section. ### Configure Provisioning 
@@ -101,22 +101,20 @@ Next, we'll turn on SCIM provisioning of users from Okta. ![](/graphics/quickstart/okta-enable-api.png "Enable API") -3. Paste your **Base URL** for SCIM sync and **API Token** (SCIM Token) into Okta Provisioning form. +3. Paste your **Base URL** for SCIM sync and **API Token** from the Smallstep console into Okta's Provisioning form. 4. In Okta, choose **Test API Credentials**. After successful verification, choose **Save**. ![](/graphics/quickstart/okta-api-auth.png "API Auth") -5. Reload the provision tab -6. Under Provisioning → Settings → To App, choose **Edit** and enable the following: +5. Under Provisioning → Settings → To App, choose **Edit** and enable the following: * Create Users * Update User Attributes * Deactivate Users -7. Save. -8. Configure Assignments: +6. Save. +7. Configure Assignments: * Select the **Assignments** tab → Click **Assign** → **Assign to Groups** - * Search by group → Assign any groups that will use Smallstep - * Group names that contain a `/` are not supported -9. Configure Push Groups: + * Search by group → Assign any groups that will use Smallstep. Group names that contain a `/` are not supported +8. Configure Push Groups: * Select the **Push Groups** tab → **Push Groups** → **Find Groups By Name** * Search for the same groups that will use Smallstep * Save.
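Review bot: In the hunk at `@@ -44,17 +44,18 @@`, new step 8 ("Go back to **General** tab and **Save**") asks for a save without naming any setting that changed since the Save in step 5, so the reader cannot tell what is being persisted; say what the Save applies to, or drop the step. New step 9 also loses the old pointer to where the values are used. Suggest something like "Copy the Client ID and Client secret from that page; you'll enter them in Step 2", and treat the secret as a credential in the wording (copy it only into the Smallstep console).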
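Review bot: In the hunk at `@@ -66,9 +67,9 @@`, the rewritten step 4 is missing its conjunction: "sync users from Okta, invite them manually by email" should read "sync users from Okta or invite them manually by email". In step 6 the credential is written "**API token** (SCIM token)", while the provisioning hunk later uses "**API Token**"; pick one capitalization so readers can match the label between the Smallstep console and Okta's form.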
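Review bot: In the hunk at `@@ -76,12 +77,11 @@`, deleting old step 4 leaves the source list numbered 3, 5, 6, and the following hunk keeps 7 through 10 unchanged. The provisioning hunk in this same patch renumbers its steps after a removal, so do the same here (5 through 10 become 4 through 9) to keep the file consistent and avoid a visible gap if the list is ever rendered with literal numbers.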
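Review bot: In the hunk at `@@ -101,22 +101,20 @@`, folding "Group names that contain a `/` are not supported" into the end of the "Search by group" bullet in step 7 makes the limitation easy to miss; it read more clearly as its own bullet. Keep it separate or promote it to a note, and if the same restriction applies to the groups selected under Push Groups in step 8, repeat it there, since that step tells the reader to search for the same groups.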