See the following instructions to synchronize your Datadog users with Okta using SCIM.
For the capabilities and limitations of this feature, see SCIM.
Prerequisites
SCIM in Datadog is an advanced feature available with the Infrastructure Pro and Infrastructure Enterprise plans.
This documentation assumes your organization manages user identities using an identity provider.
Datadog strongly recommends that you use a service account application key when configuring SCIM to avoid any disruption in access. For further details, see using a service account with SCIM.
When using SAML and SCIM together, Datadog strongly recommends disabling SAML just-in-time (JIT) provisioning to avoid discrepancies in access. Manage user provisioning through SCIM only.
Select the Datadog application in the Okta application gallery
- In your Okta portal, go to Applications
- Click Browse App Catalog
- Type “Datadog” in the search box
- Select the Datadog application
- Click Add Integration
Note: If you already have Datadog configured with Okta, select your existing Datadog application.
- In the application management screen, select Provisioning in the left panel
- Click Configure API integration.
- Select Enable API integration.
- Complete the Credentials section as follows:
- Base URL:
https:///api/v2/scim
Note: Use the appropriate subdomain for your site. To find your URL, see Datadog sites.
- API Token: Use a valid Datadog application key. You can create an application key on your organization settings page. To maintain continuous access to your data, use a service account application key.
- Click Test API Credentials, and wait for the message confirming that the credentials are verified.
- Click Save. The settings section appears.
- Next to Provisioning to App, select Edit to enable the features:
- Create Users
- Update User Attributes
- Deactivate Users
- Under Datadog Attribute Mappings, find the mapping of Okta attributes to Datadog attributes already pre-configured. You can re-map them if needed, but map the Okta values to the same set of Datadog values.
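Once provisioning is enabled, the recommendation to manage users through SCIM only can be checked by comparing a SCIM user listing against the Okta assignments. The following is an added example, not Datadog or Okta code: it assumes the listing is a standard RFC 7644 ListResponse, and the JSON and the assignment list are constructed sample data.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: a SCIM 2.0 user listing (RFC 7644 ListResponse shape).
SCIM_USERS_JSON = """
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "a1", "userName": "alice@example.com", "active": true},
    {"id": "b2", "userName": "Bob@Example.com", "active": true},
    {"id": "c3", "userName": "carol@example.com", "active": false},
    {"id": "d4", "userName": "dave@example.com", "active": true}
  ]
}
"""

# Constructed sample: users assigned to the Datadog application in Okta.
OKTA_ASSIGNED = ["alice@example.com", "bob@example.com", "erin@example.com"]


def audit_provisioning(scim_json, okta_assigned):
    """Report differences between the SCIM listing and the Okta assignments."""
    doc = json.loads(scim_json)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    # A truncated page would hide accounts, so refuse to audit partial data.
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial page: fetch all pages before auditing")

    # userName is case-insensitive in SCIM (RFC 7643), so compare case-folded.
    assigned = {u.casefold() for u in okta_assigned}
    active, inactive = set(), set()
    for res in resources:
        name = res["userName"].casefold()
        # Treat a missing "active" attribute as active: the conservative choice.
        (active if res.get("active", True) else inactive).add(name)

    return {
        # Active in the target but not assigned in Okta (JIT or manual creation).
        "unmanaged_active": sorted(active - assigned),
        # Assigned in Okta but never created by SCIM.
        "not_provisioned": sorted(assigned - active - inactive),
        # Assigned in Okta but still deactivated in the target.
        "assigned_but_inactive": sorted(assigned & inactive),
    }
```

An entry under `unmanaged_active` is the kind of discrepancy that leaving SAML JIT provisioning enabled alongside SCIM can produce.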
The Managed Teams feature is turned off by default. Request access by contacting support.
With Managed Teams, you control the core provisioning of a Datadog Team — its name, handle, and membership — through the identity provider. The setup process differs depending on whether the team already exists in Datadog.
Note: Users must exist in Datadog before you can add them to a team. Therefore, you must assign users to the Datadog app in Okta to ensure that they are created in Datadog through SCIM. Assign the Datadog application to your Okta group to ensure that all team members are created in Datadog automatically.
Create a new team in Datadog
- In your Datadog application in Okta, navigate to the Push Groups tab.
- Click the Push Groups button. The pushed groups interface opens.
- Select the Okta group you want to push to Datadog.
- In the Match result & push action column, ensure Create group is selected.
- Click Save.
To verify that the operation completed successfully, navigate to the Teams list in Datadog. Search for a Datadog Team matching the Okta group you configured. Verify that the team exists in Datadog and is managed externally. It may take a minute or two before the team appears in Datadog.
Synchronize an existing Datadog Team with an Okta group
You can map an existing Datadog Team to an Okta group. Establishing a link from the Okta group to the Datadog Team causes the Datadog Team to be managed by Okta going forward.
Note: In order to synchronize an existing Datadog Team with an Okta group, the two names must match exactly.
- In your Datadog application in Okta, navigate to the Push Groups tab.
- Click the Push Groups button. The pushed groups interface opens.
- Select the Okta group you want to synchronize with a Datadog Team.
- In the Match result & push action column, ensure Create group is selected.
- Click Save.
Note: When you select Create group, Okta displays a No match found message. You can ignore this message and proceed with creating the group to establish synchronization.
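Because Okta shows No match found either way, a name comparison run before pushing is the only confirmation that a group will link to the intended team. The following is an added example, not Datadog or Okta code: the group and team names are constructed, and the "near-miss" normalization (case, Unicode compatibility forms, whitespace) is an assumption about which differences are worth flagging.

```python
import unicodedata

# Constructed sample data: Okta group names and existing Datadog Team names.
OKTA_GROUPS = ["Platform Security", "SRE  On-Call", "data-eng", "Payments"]
DATADOG_TEAMS = ["Platform Security", "SRE On-Call", "Data-Eng", "Billing"]


def _loose(name):
    """Fold case, Unicode compatibility forms and whitespace runs."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def preflight(okta_groups, datadog_teams):
    """Classify each Okta group before it is pushed.

    "link"      - a team with exactly this name exists and can be synchronized
    "near-miss" - a team differs only by case/spacing/Unicode form, so the
                  exact-match rule is not met; rename one side first
    "new"       - no similar team exists
    """
    exact = set(datadog_teams)
    loose_index = {}
    for team in datadog_teams:
        loose_index.setdefault(_loose(team), []).append(team)

    report = {}
    for group in okta_groups:
        if group in exact:
            report[group] = ("link", [group])
        elif _loose(group) in loose_index:
            report[group] = ("near-miss", loose_index[_loose(group)])
        else:
            report[group] = ("new", [])
    return report


if __name__ == "__main__":
    for group, (status, teams) in preflight(OKTA_GROUPS, DATADOG_TEAMS).items():
        print(f"{group!r}: {status} {teams}")
```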
Delete the connection between an Okta group and a Datadog Team
You have two options for disconnecting an Okta group from a Datadog Team, with different impacts on the Datadog Team membership.
Keep team members in Datadog
This procedure allows you to manage team membership in Datadog instead of Okta. The team members stay unchanged.
- In your Datadog application in Okta, navigate to the Push Groups tab.
- Click the Push Groups button. The pushed groups interface opens.
- Select the Okta group you want to unlink from its Datadog Team.
- In the Match result & push action column, select Unlink Pushed Group. A dialog box appears.
- Select Leave the group in the target app.
- Click Unlink.
- Click Save.
Remove team members from Datadog
This procedure allows you to manage team membership in Datadog instead of Okta and removes the team members from the Datadog Team.
- In your Datadog application in Okta, navigate to the Push Groups tab.
- Click the Push Groups button. The pushed groups interface opens.
- Select the Okta group you want to unlink from its Datadog Team.
- In the Match result & push action column, select Unlink Pushed Group. A dialog box appears.
- Select Delete the group in the target app (recommended).
- Click Unlink.
- Click Save.
Note: Contrary to the name of the option, selecting Delete the group in the target app does not delete the team in Datadog. Instead, it removes all members from the team and removes the link between the group in Okta and the Datadog Team.