Bluescape User Provisioning Integration using Okta SCIM

Okta provisioning based on the System for Cross-domain Identity Management (SCIM) can automatically create, update, and deactivate users and push groups into Bluescape. This topic explains how to set up a SCIM integration between Okta and Bluescape.

Supported Features

  • Create users
  • Update user attributes
  • Deactivate users
  • Group push

Okta groups are mapped to corresponding groups in Bluescape. These Bluescape groups are associated with Bluescape teams, where:

  • Members added to the Okta group are automatically added to the associated Bluescape team (if not members already).
  • Users deactivated in Okta (such as when leaving the company) are removed from the associated Bluescape team.
  • Okta user attribute changes (email, first, and last name) are synchronized with Bluescape.

Requirements

  • You must set up SSO in your Bluescape team(s). This is covered in the Configuration Steps below.

Configuration Steps

This section covers the steps to set up Bluescape SCIM in Okta and Bluescape.

Start your setup in Bluescape

  1. Set up your SCIM integration in Bluescape.
     
    a. Enable the Use SCIM integration toggle.
     
    Any Admin can enable the SCIM integration toggle below, but to create the SCIM integration in Step b, the user must be the Owner or a ScimManager of the Team.
     

     
    b. Go to the SCIM tab and select Add SCIM integration, then provide a name for your integration.
     
    This Team acts as the “management” team for the SCIM integration; you can later identify other associated Teams in Bluescape that can use this integration and its Okta groups. How to add an associated team is described in Step 1c of the final section (Switch back to Bluescape).
     

     
    c. The next screen provides Bluescape’s SCIM URL (the base URL Okta calls to provision and synchronize Bluescape users) and a secret token (a bearer credential Okta sends with every SCIM request to that URL; anyone who holds it can create, update, and deactivate users, so treat it like a password). Save the SCIM URL and secret token; you will paste them into Okta in the Provisioning “Integration” step (Okta Step 3).
     
    Note: The secret token can be copied only when generated, for example, when creating the initial integration or when rotating the secret token after a specific period. Bluescape recommends rotating the secret token after one year.
     

     
    Bluescape does not display the secret token again after generation. If you lose it before pasting it into Okta, re-generate it in Bluescape and copy the new value into Okta. Once you finish the Okta Provisioning “Integration” step (Step 3), the secret is no longer required on your device and should be permanently deleted from it for security purposes.
     
    If you want to delete a SCIM provider/app set up with Bluescape, please contact Bluescape Support or reply to this topic so we can assist.

Continue the setup in Okta

  1. Create a new Bluescape SCIM integration.
     
    As an Admin in Okta, go to the Applications page, add the Bluescape application from the app catalog, and name it Bluescape or something similar.
     
    After creating the Bluescape app, you will see “General” settings that begin like this:
     
    Bluescape app in Okta
     
    The configuration will start with the “Sign On” setting in the next step.

  2. Sign On settings
    This section provides the configuration guide for SAML.
     
    Supported Features:

    • SP-initiated SSO
    • IdP-initiated SSO
    • JIT (Just-In-Time) Provisioning

    Configuration Steps:
     
    a. Leave the Default Relay State field blank.
     
    b. Copy the Metadata URL and provide it to Bluescape Support. This is for setting up SSO on the Bluescape side.
     
    Okta metadata URL
     
    c. Ask Bluescape Support to create a SAML provider and give you the SAML provider ID. For this example, it is assumed that Support has given the ID sample_2Fpnpo3JnoFzp.
     
    d. Enter the following in both the ACS URL and Audience URL fields, replacing <domain> with the domain name used by your Bluescape app and ending with your Bluescape SAML provider ID (for example, sample_2Fpnpo3JnoFzp).
     
    https://identity-api.<domain>/api/authenticate/sample_2Fpnpo3JnoFzp
     
    e. Set the Application username format to Email.
     
    f. Leave the Update application username on field unchanged.
     
    Okta advanced sign-on settings

  3. Provisioning “Integration” settings
     
    Selecting “Configure API Integration” will lead to the following screen.
     
    Okta Bluescape provisioning tab
     
    a. Paste the SCIM URL from Bluescape Step 1c into the Base URL field and the secret token from the same step into the API token field.
     
    b. Select Test API Credentials. Okta sends a test request to Bluescape’s SCIM server using the URL and token you entered; this is the same SCIM client that afterwards keeps Okta’s users and groups synchronized with Bluescape. If the test fails, check the URL and secret token for copy errors (a truncated value or stray whitespace) and try again.
     
    c. Select Save.
     
    Note: When finished with this step, the secret token from Bluescape Step 1c is no longer required and should be permanently deleted from your device for security purposes.

  4. Provisioning: “To App” settings
     
    Enable the settings as shown here. Make sure to enable at least “Create Users”; all three (“Create Users,” “Update User Attributes,” and “Deactivate Users”) are typically enabled. Also, ensure that “Set password when creating new users” is not enabled, because Bluescape users sign in through the SSO configured in Step 2 rather than with a password set by Okta.
     
    Okta provisioning settings
     
    Note that the Bluescape Attribute Mappings section should appear as follows:
    Bluescape attribute mappings

  5. “Assignments” settings
     
    Use Assign to Groups to associate the Bluescape SCIM app with Okta groups. You can push one or more of these groups to Bluescape in Step 6.
     
    Note: Only users in groups are automatically provisioned in Bluescape Teams, so there is no need to use “Assign to People.”
     
    Okta assignments
     

  6. “Push Groups” to Bluescape
     
    Bluescape recommends not using “Find groups by rule” because the time it takes to synchronize the groups to Bluescape can vary widely.
     
    a. Select the Okta groups from Step 5 that you want to synchronize with Bluescape. These groups and their users stay synchronized with Bluescape. Once they are pushed, go back to Bluescape (final section below) to assign the groups to one or more of the integration’s Bluescape Teams.
     
    Push groups to Bluescape
     
    Select Find groups by name to navigate to this screen:
     
    Push groups by name
     
    b. After selecting the groups to synchronize with Bluescape, use the dropdown under “Push Status” to activate group synchronization or remove the group from the list. Activation alone does not push the group to Bluescape; it means the group keeps synchronizing after the initial push. Select Push now to push the group immediately.
     
    Push groups to Bluescape example

Switch back to Bluescape to associate the groups with one or more Bluescape Teams

  1. Associate group(s) with your team
     
    a. Select “Manage” to add selected groups to your Bluescape Team. The Team can be either a Management or an Associated team, as explained in Step 1b.
     

     
    After a group is associated with the Team, the group’s users are automatically added to the Team, as shown above.
     
    b. You can switch back to Okta to add/remove users in Okta groups, change user profile information, and observe the changes in Bluescape.
     
    c. To add additional teams to the SCIM configuration in Bluescape, please reach out to Bluescape Support with the Teams you would like to add and the following two URLs:
     
    • IdP metadata URL from Okta Step 2b
    • SCIM URL generated from Step 1c

Troubleshooting

During synchronization, when errors occur in Bluescape, the bssrid (Bluescape SCIM Request ID) is returned to Okta and appears in the Okta logs. For security reasons, we do not return sensitive logging information in the response to Okta. You can send the bssrid to Bluescape Support so we can obtain diagnostic information from the Bluescape logs.

Note: Bluescape supports updating only three Okta attributes: userName, givenName, and familyName. Other attributes are not saved to Bluescape.
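The two points above (only userName, givenName, and familyName are taken from an Okta update; errors come back as an opaque bssrid with the sensitive detail kept server-side) are how a SCIM server should treat an identity provider it does not fully trust. The following is an added example of that server-side pattern, not Bluescape’s implementation: where the request id appears in the response (here, the SCIM Error “detail” field), the log format, and the sample Okta payload are constructed assumptions; the page only says the bssrid is returned to Okta.

```python
"""Server-side handling of an Okta SCIM user update: keep only the synchronised
attributes and report failures with an opaque request id.

Added illustrative example, not Bluescape's implementation. The request-id
placement, log format and sample payload are assumptions.
"""
import json
import logging
import secrets

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

log = logging.getLogger("scim")


class ScimRequestError(Exception):
    """A client-visible failure with a separate, private diagnostic message."""
    def __init__(self, status, public_detail, private_detail):
        super().__init__(public_detail)
        self.status = status
        self.public_detail = public_detail
        self.private_detail = private_detail


def parse_scim_user(raw_body):
    """Parse the body and insist on a SCIM User resource."""
    try:
        doc = json.loads(raw_body)
    except ValueError as e:
        raise ScimRequestError(400, "malformed JSON body", repr(e))
    if not isinstance(doc, dict) or SCIM_USER not in doc.get("schemas", []):
        raise ScimRequestError(400, "body is not a SCIM User resource",
                               "schemas=%r" % (doc.get("schemas") if isinstance(doc, dict) else doc,))
    return doc


def extract_synced_attributes(user):
    """Keep only the three attributes this page says are synchronised; anything
    else Okta sends (title, phoneNumbers, ...) is deliberately dropped.
    Deactivation (active=false) is a separate operation and is not modelled here."""
    username = user.get("userName")
    if not username:
        raise ScimRequestError(400, "userName is required", "keys=%r" % sorted(user))
    name = user.get("name") or {}
    return {"userName": username,
            "givenName": name.get("givenName"),
            "familyName": name.get("familyName")}


def handle_user_update(raw_body, apply_update):
    """Process one update. Returns (http_status, response_body). `apply_update` is
    the hypothetical store write, called with the filtered attributes."""
    bssrid = secrets.token_hex(8)  # opaque, unique per request; safe to hand to Okta
    try:
        attrs = extract_synced_attributes(parse_scim_user(raw_body))
        apply_update(attrs)
        return 200, {"schemas": [SCIM_USER], **attrs}
    except ScimRequestError as e:
        # Private detail is logged under the bssrid; Okta sees only the public text.
        log.error("bssrid=%s status=%d %s", bssrid, e.status, e.private_detail)
        return e.status, {"schemas": [SCIM_ERROR], "status": str(e.status),
                          "detail": "%s (bssrid=%s)" % (e.public_detail, bssrid)}
    except Exception:
        # Unexpected failure (e.g. the store raised): never leak the exception text.
        log.exception("bssrid=%s unexpected failure", bssrid)
        return 500, {"schemas": [SCIM_ERROR], "status": "500",
                     "detail": "internal error (bssrid=%s)" % bssrid}


# Constructed sample of an Okta profile update; the extra attributes are not synchronised.
SAMPLE_OKTA_USER = json.dumps({
    "schemas": [SCIM_USER],
    "userName": "ada.example@example.com",
    "name": {"givenName": "Ada", "familyName": "Example"},
    "title": "Engineer",
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
    "active": True,
}).encode()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_user_update(SAMPLE_OKTA_USER, lambda attrs: None))
    print(handle_user_update(b'{"schemas": ["wrong"]}', lambda attrs: None))
```

The bssrid in the error detail is what you would quote to Support; the log line it keys is what Support reads on their side, which is why the value is random per request rather than derived from the payload.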

If you have questions or difficulties with your Okta to Bluescape SCIM integration, select Reply below this topic and outline the issue to engage Bluescape Support. Please include the bssrid.