---
title: SSO and SCIM
description: How to set up SSO and provision SCIM with Microsoft Entra ID and Okta.
url: https://storyblok.com/docs/manuals/sso-and-scim
---

# SSO and SCIM

Single sign-on (SSO) is an authentication scheme that allows users to log in to Storyblok using their existing accounts from trusted third-party services.

SSO ensures secure, seamless access with a single ID managed by a specialized identity provider (IdP), which eliminates the need to create additional, per-app accounts.

> [!NOTE]
> SSO is a Premium and Elite feature. Learn more on the [pricing page](https://www.storyblok.com/pricing).

## SSO providers

Storyblok supports the following IdPs and SAML standards:

**Identity providers**

-   Auth0
-   Google Workspace
-   JumpCloud
-   Microsoft Entra ID
-   Okta
-   OneLogin
-   Salesforce

**SAML standards**

-   SAML 2.0
-   SAML 1.0

## What is SCIM

In addition to SSO, Storyblok organization and space admins can use the System for Cross-domain Identity Management (SCIM) standard to reduce manual processes and keep access in sync.

An open standard for user provisioning, SCIM automatically creates and updates users from an IdP, and manages Storyblok space assignments through groups.

Storyblok acts as the server that receives the requests and supports SCIM provisioning via two IdPs: Microsoft Entra ID and Okta. These services act as the clients that send requests.

## Set up SSO with Microsoft Entra ID

To configure SSO with Microsoft Entra ID, first [contact Storyblok’s support](https://support.storyblok.com/hc/en-us) team and provide your tenant ID and the domains you use for SSO login.

Follow Microsoft's guide [to find your Entra tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant).

1.  **Create an enterprise application**
    
    Follow Microsoft's guide to [add an enterprise application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal) for Storyblok.
    
      
    
2.  **Configure the callback URLs**
    
    In Storyblok, open your organization's **Settings → SSO & Provisioning**, and copy the **SSO Identifier**. For more information, check the [Organizations manual security section](https://www.storyblok.com/docs/manuals/organizations#security).
    
    Back in Microsoft's dashboard, paste the following values in the relevant fields—replace `YOUR-SSO-IDENTIFIER` with your actual **SSO Identifier**:
    
    | Field name | Values |
    | --- | --- |
    | Identifier (Entity ID) | `https://mapi.storyblok.com/saml/metadata?connection=YOUR-SSO-IDENTIFIER` |
    | Reply URL (Assertion Consumer Service URL) | `https://mapi.storyblok.com/saml/consume?connection=YOUR-SSO-IDENTIFIER` |
    
      
    
    > [!NOTE]
    > If you operate in China, replace `https://mapi.storyblok.com` with `https://app.storyblokchina.cn` in the SAML URLs.
    
      
    
3.  **Verify the SSO setup in Storyblok**
    
    Once you're done, open Storyblok and confirm that the **Sign in via SSO** button appears for users who access one of the configured domains.
    

## Provision SCIM on Microsoft Entra ID

To enable [SCIM provisioning](https://learn.microsoft.com/en-us/entra/id-governance/what-is-provisioning) for your organization, contact [Storyblok’s support team](https://support.storyblok.com/hc/en-us).

1.  **Configure automatic user provisioning**
    
    Follow Microsoft’s guide to [configure automatic user provisioning](https://learn.microsoft.com/en-us/entra/identity/saas-apps/connecter-provisioning-tutorial#to-configure-automatic-user-provisioning-for-connecter-in-microsoft-entra-id).
    
      
    
    Find the **Tenant URL** and **Secret Token** in your Storyblok organization: open **Settings** → **SSO & Provisioning**, copy the **SCIM Base URL**, and paste it into the **Tenant URL** field in Microsoft Entra ID. Then, generate the **SCIM token** and paste it into the **Secret Token** field.
    
    > [!NOTE]
    > Each organization can have only one active SCIM token at a time.
    
2.  **Manage users and groups in Microsoft Entra ID**
    
    To assign and unassign users of an enterprise application in Microsoft Entra ID, follow Microsoft’s guide on [assigning users and groups to an application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=portal).
    
      
    
    To assign users to a group, follow Microsoft’s guide on how to [Manage Microsoft Entra groups and group membership](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups).
    
      
    
3.  **Map Storyblok space roles to Microsoft Entra ID groups**
    
    To integrate Storyblok space roles with Microsoft Entra ID groups, open **Settings → Roles** and select the desired role. Then, enable **This role is for integration with SSO**, and paste the group’s **External ID** into the **External ID (Used for SSO)** field.
    
    Find the **External ID** of the Microsoft Entra ID groups you configured for your organization: open the **Settings → SSO & Provisioning → SCIM Groups** section.
    
    > [!NOTE]
    > Storyblok does not provision organization owners and admins through SCIM.
    
      
    
4.  **Start provisioning**
    
      
    
    In Microsoft Entra ID, open **Enterprise Applications → Your\_Enterprise\_Application → Provisioning** and select **Start provisioning**. Microsoft Entra ID starts an initial provisioning cycle and then continues with automatic incremental synchronization. For details, visit Microsoft’s guide on [checking the status of user provisioning](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user).
    
      
    
    > [!TIP]
    > For immediate testing, use [Provision on demand](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning).
    
      
    
5.  **Verify the SCIM provisioning setup in Storyblok**
    
      
    
    Finally, to verify the SCIM provisioning in Storyblok, check that the assigned users who accepted the invite to the Storyblok space appear with an euid in this format: `user-scim-externalid|scim|{org_id}|@yourdomain.com`
    
      
    

### Revoke user access

To verify that Microsoft Entra ID correctly revokes user access in Storyblok, follow the steps below:

1.  Disable a user or remove them from the enterprise application in Microsoft Entra ID.
2.  Start provisioning.
3.  Wait for the synchronization cycle to complete.
4.  Confirm that Storyblok disables the user in the organization.

## Set up SSO with Okta

To configure SSO with Okta, first [contact Storyblok’s support](https://support.storyblok.com/hc/en-us) team and provide your IdP metadata (an XML file) and the domains you use for SSO login.

1.  **Create the Storyblok application in Okta**
    
    Follow Okta's guide to [create SAML app Integrations](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm).
    
2.  **Configure the callback URLs**
    
    In Storyblok, open your organization's **Settings → SSO & Provisioning**, and copy the **SSO Identifier**. For more information, check the [Organizations manual security section](https://www.storyblok.com/docs/manuals/organizations#security).
    
    Back in Okta, paste the following values in the relevant fields—replace `YOUR-SSO-IDENTIFIER` with your actual **SSO Identifier**:
    
    | Field name | Values |
    | --- | --- |
    | Audience URI (SP Entity ID) | `https://mapi.storyblok.com/saml/metadata?connection=YOUR-SSO-IDENTIFIER` |
    | Single sign-on URL | `https://mapi.storyblok.com/saml/consume?connection=YOUR-SSO-IDENTIFIER` |
    
      
    
    > [!NOTE]
    > If you operate in China, replace `https://mapi.storyblok.com` with `https://app.storyblokchina.cn` in the SAML URLs.
    
      
    
3.  **Verify the SSO setup in Storyblok**
    
    Once you're done, open Storyblok and confirm that the **Sign in via SSO** button appears for users who access one of the configured domains.
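
The callback URL step is the same for Microsoft Entra ID and Okta, and a swapped field, an unreplaced placeholder, or the wrong regional host will break the SAML exchange. The following check is an added example, not Storyblok's own code: it validates the two values entered at the IdP against the URL patterns from the tables above. The function name, field keys, and the `acme-sso` identifier are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts and paths come from the tables above; all names below are hypothetical.
SAML_HOSTS = {"default": "mapi.storyblok.com", "china": "app.storyblokchina.cn"}
SAML_PATHS = {"entity_id": "/saml/metadata", "acs_url": "/saml/consume"}
PLACEHOLDER = "YOUR-SSO-IDENTIFIER"


def check_saml_values(values, sso_identifier, region="default"):
    """Return a list of problems found in the values entered at the IdP.

    values: {"entity_id": ..., "acs_url": ...} as pasted into Entra ID or Okta
    (Identifier / Audience URI and Reply URL / Single sign-on URL).
    """
    problems = []
    for field, expected_path in SAML_PATHS.items():
        raw = values.get(field, "").strip()
        if not raw:
            problems.append(f"{field}: missing")
            continue
        url = urlsplit(raw)
        conn = parse_qs(url.query).get("connection", [])
        if url.scheme != "https":
            problems.append(f"{field}: scheme must be https")
        if url.hostname != SAML_HOSTS[region]:
            problems.append(f"{field}: host {url.hostname!r} does not match region {region!r}")
        if url.path != expected_path:
            # Catches the metadata and consume URLs being pasted into each other's field.
            problems.append(f"{field}: path {url.path!r}, expected {expected_path!r}")
        if conn == [PLACEHOLDER]:
            problems.append(f"{field}: placeholder was not replaced")
        elif conn != [sso_identifier]:
            problems.append(f"{field}: connection does not match the SSO Identifier")
    return problems


if __name__ == "__main__":
    # Constructed sample: fields swapped, placeholder left in one of them.
    entered = {
        "entity_id": "https://mapi.storyblok.com/saml/consume?connection=acme-sso",
        "acs_url": "https://mapi.storyblok.com/saml/metadata?connection=YOUR-SSO-IDENTIFIER",
    }
    for problem in check_saml_values(entered, "acme-sso"):
        print(problem)
```
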
    

## Provision SCIM on Okta

To enable [SCIM provisioning](https://help.okta.com/en-us/content/topics/provisioning/lcm/con-okta-prov.htm) for your organization, contact [Storyblok's support team](https://support.storyblok.com/hc/en-us).

1.  **Configure automatic user provisioning**
    
    Follow Okta’s guide to [add SCIM provisioning](https://help.okta.com/oie/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm).
    
    Find the **Tenant URL** and **Secret Token** in your Storyblok organization: open **Settings** → **SSO & Provisioning**, copy the **SCIM Base URL**, and paste it into the **SCIM connector base URL** field in Okta. Then, select **HTTP Header** as the authentication mode, and paste the **SCIM token** from Storyblok in the **Authorization** field.
    
    Storyblok supports all provisioning actions.
    
    > [!NOTE]
    > Each organization can have only one active SCIM token at a time.
    
2.  **Manage users and groups in Okta**
    
    First, follow Okta's guide on [creating a user](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-add-users.htm). Next, [assign the user](https://support.okta.com/help/s/article/How-To-Assign-An-User-To-An-Application?language=en_US) to the Storyblok app. Then, follow the steps to [create a group](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-groups-create.htm), and finally, [assign them to a group](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-group-people.htm).
    
3.  **Map Storyblok space roles to Okta groups**
    
    To integrate Storyblok space roles with Okta groups, open **Settings → Roles** and select the desired role. Then, enable **This role is for integration with SSO**, and paste the group's **External ID** into the **External ID (Used for SSO)** field.
    
    Find the **External ID** of the Okta groups you configured for your organization: open the **Settings → SSO & Provisioning → SCIM Groups** section.
    
    > [!NOTE]
    > Storyblok does not provision organization owners and admins through SCIM.
    
4.  **Verify the SCIM provisioning setup in Storyblok**
    
      
    
    Finally, to verify the SCIM provisioning in Storyblok, check that the assigned users who accepted the invite to the Storyblok space appear with an euid in this format: `user-scim-externalid|scim|{org_id}|@yourdomain.com`
    
      
    

### Revoke user access

To verify that Okta correctly revokes user access in Storyblok, [unassign the user](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-unassign-apps.htm) from the Storyblok app in Okta. Storyblok automatically disables the user in your organization.
