# Okta SCIM: Provision Opal Users

<Info>
  For most use cases, you probably don't need to use Okta SCIM provisioning. Opal will automatically sync new users and profile updates from Okta.

  SCIM provisioning is useful if you cannot wait for the [hourly sync or a manual sync](/docs/sync-schedules-and-triggers) to retrieve new users.
</Info>

This guide provides the steps required to configure User Provisioning from Okta to Opal.

The following provisioning features are supported:

* **Push new users**. New users created through Okta will also be created in Opal.

## Configuration steps in Opal

You must first connect [Okta as an IDP](/integrations/okta-idphris-integration) to use Okta SCIM provisioning.

Next, generate an Opal API token with admin-level privileges.

As an admin, go to **Configuration > Settings > API Access Tokens**. Select the **+API Access Tokens** button. Generate a token with the **Full-access** role:

<img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/299cdd531135964ff1fe4cc9bd7216201975a9913cbaf29c7550274c9eb07f5a-api-token-full-access.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=665fa4f08334b1c7562072c909b85af6" alt="" width="2683" height="1268" data-path="images/docs/299cdd531135964ff1fe4cc9bd7216201975a9913cbaf29c7550274c9eb07f5a-api-token-full-access.png" />

Save the generated token.

## Configuration steps in Okta

1. In Okta, go to **Applications** and select the Opal application. Under **General**, ensure **Enable SCIM provisioning** is selected.

   <img src="https://mintcdn.com/opalsecurity/KunPWigry5GIeB5g/images/docs/3c6f6e79f8b61213bd0a14d9b59409c95e42eb082bb9289637b277c623369c25-enable-scim.png?fit=max&auto=format&n=KunPWigry5GIeB5g&q=85&s=28351b6b461836fed8ea037b14aa0ef7" alt="" width="2192" height="1022" data-path="images/docs/3c6f6e79f8b61213bd0a14d9b59409c95e42eb082bb9289637b277c623369c25-enable-scim.png" />

2. Go to the **Provisioning** tab, then **Integration** on the left sidebar.

3. In the **SCIM connector base URL** field, enter the base URL of your Opal instance. For example, the base URL for the Opal Cloud instance is [https://app.opal.dev/scim/v2](https://app.opal.dev/scim/v2). Be sure to append `/scim/v2` to the base domain name.

4. Enter a unique identifier field for users, e.g., `userName`.

5. Under **Supported provisioning actions**, enable your preferred features.

6. Choose **HTTP Header** in the **Authentication Mode** section. In the **Token** field, enter the Opal API token you generated in the previous section.

7. Click **Save**.

   <img src="https://mintcdn.com/opalsecurity/IYR8LXPWsg1xVx7J/images/docs/e5f985d6f4dd91f0985106582c19df86e2378d99ed030fc7d2ff3e7f332c1979-Screenshot_2025-09-18_at_11.42.06_pm.png?fit=max&auto=format&n=IYR8LXPWsg1xVx7J&q=85&s=6b77e9656aa5c927dab5a708681b04de" alt="" width="2034" height="1332" data-path="images/docs/e5f985d6f4dd91f0985106582c19df86e2378d99ed030fc7d2ff3e7f332c1979-Screenshot_2025-09-18_at_11.42.06_pm.png" />

8. In the **To App** tab, make sure **Create New Users** is enabled.

   <img src="https://mintcdn.com/opalsecurity/ZDxVofZEYmd5qZtN/images/docs/1f098d0256877d2d73288847e5a49028e6a1b3edbf527354fe5005547c1a992d-Screenshot_2025-09-18_at_9.39.35_pm.png?fit=max&auto=format&n=ZDxVofZEYmd5qZtN&q=85&s=40fa9658f8e011953a32fa4981c15cd1" alt="" width="2100" height="1236" data-path="images/docs/1f098d0256877d2d73288847e5a49028e6a1b3edbf527354fe5005547c1a992d-Screenshot_2025-09-18_at_9.39.35_pm.png" />
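
The requests that this configuration produces, as an added example (not Opal's or Okta's own code): it builds the connector base URL and the standard SCIM 2.0 lookup and create calls for a user keyed on `userName`, with the token sent as an `Authorization: Bearer` header. The `OPAL_API_TOKEN` environment variable, the sample user, and the assumption that Opal's endpoint accepts the RFC 7644 `/Users` filter and create calls are not from this page.

```python
import json
import os
import urllib.parse
import urllib.request

SCIM_SUFFIX = "/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def scim_base_url(instance_url: str) -> str:
    """Return the connector base URL for an Opal instance, ending in /scim/v2."""
    parts = urllib.parse.urlsplit(instance_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM base URL must be an https:// URL")
    path = parts.path.rstrip("/")
    if not path.endswith(SCIM_SUFFIX):
        path += SCIM_SUFFIX
    return urllib.parse.urlunsplit(("https", parts.netloc, path, "", ""))


def _request(method, url, token, body=None):
    # HTTP Header authentication mode: the token travels as a bearer token.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def lookup_request(base, token, user_name):
    """GET /Users?filter=userName eq "...": the existence check before a push."""
    quoted = user_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{quoted}"'})
    return _request("GET", f"{base}/Users?{query}", token)


def create_request(base, token, user_name):
    """POST /Users with a minimal core User resource keyed on userName."""
    body = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True}
    return _request("POST", f"{base}/Users", token, body)


if __name__ == "__main__":
    base = scim_base_url("https://app.opal.dev")
    token = os.environ.get("OPAL_API_TOKEN", "<opal-api-token>")  # assumed variable name
    req = lookup_request(base, token, "jane.doe@example.com")  # constructed sample user
    print(req.get_method(), req.full_url)
    # To send it: urllib.request.urlopen(req, timeout=10)
```

Reading the token from the environment keeps the Full-access token out of the script and shell history.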

## Troubleshooting

We do not support propagating updates to an Okta user's username or email to Opal.

