How does Okta work with Envoy?
If your team uses Okta for employee provisioning, you can use this app to automatically keep your Envoy employee directory up to date. The SCIM push-based system treats the Okta directory as your source of truth. When changes are made in Okta, they push immediately to Envoy, so you don’t have to worry about the Envoy employee directory being out of sync with Okta.
Note: You can manually create new employees or add employees from other locations while maintaining your directory sync. This feature is helpful for contractors, temps or other people who may host visitors/receive deliveries but are not core team members. Learn more about manually adding employees.
To learn more about single sign-on, read our SAML guide.
The SCIM standard enables advanced provisioning in order to automate user lifecycle management for an application, including account creation, profile updates, authorization settings, and account deactivation.
Supported Features
Create users
Update user attributes
Deactivate users
Group push
Employee provisioning
Step One: Make sure you have LCM in Okta and your employees are setup to use it as a directory application in Envoy.
You’ll also need to have Okta application administrator privileges or higher to complete this setup. To learn more about Okta’s administrator role structure, please view their admin guide. Either become an admin or ask your admin in IT for help before completing these steps.
Step Two: Prepare to enable Envoy with Okta
Decide whether you’d like to sync all users to all locations or sync specific users per location. This will impact how you set up the app.
Sync all users: This is good for companies with one location, or if you prefer to have the same master Envoy employee directory at all locations within your company.
Sync specific users per location: Choose this option if you’d like to sync certain Okta users to certain locations (i.e., creating different Envoy employee directories per location). You can filter employees by location in Envoy based on available filters sent from Okta, which are currently “city” and “locale.”
Step Three: Enable Envoy + Okta
Note: You’ll need to be an admin on your Okta account and a Global Admin in Envoy to complete this setup. Either become an admin or ask your admin for help before completing these steps.
On the Envoy dashboard, go to your Apps page.
Under Directory and SSO, click Directory settings.
Click Install under Okta.
Choose from one of the two following options for syncing employees to your directory.
Take note of your OAuth Bearer Token. You will need to add this to Okta in the next step. You can always Regenerate a new token if needed.
Step Four: Configure Okta settings
In your Okta account, request a new application for Envoy. To do this, you’ll need to be an Okta admin. Navigate to Applications > Applications > Browse App Catalog.
From the Envoy application, go to the Okta provisioning page, and click “Configure API Integration.”
Copy the OAuth Bearer Token from Envoy and enter it in the API Token field in Okta.
Check the "Enable API Integration"
Test API connect > Save.
Make sure that “Create Users,” “Update User Attributes,” and “Deactivate Users” are all set to enable (box checked).
Click “Save” at the bottom of the Okta provisioning page.
✨Paste the bearer token into Okta before provisioning groups/users to the Envoy application!✨
Go to the Okta groups page.
Click “Assignments,” and select all employees or groups you’d like to sync to the Envoy employee directory.
We recommend selecting “Everyone,” but you can also assign individual employees from the Okta people page.
Navigate back to the Envoy Employee directory > All employees and refresh. Your employees should have imported automatically. (This can take ~30 minutes for the first sync)
Important notes:
Adding employees
When updating or adding employees, Envoy will match based on the primary email address listed for the Okta user. If the primary email address is not found in Envoy, a new employee will be added to the Envoy employee directory.
Employee contact information
The primary email address and phone number listed in Okta will be the email address and phone number listed in the Envoy employee directory.
If an Okta user does not have a primary email address, they will not be synced to the Envoy employee directory.
Adding Envoy Assistants from Okta
Go to your Okta Directory.
Select the employee to which you’d like to assign an assistant.
Go to their Profile tab and click “edit.”
Scroll all the way to the bottom; find Assistants, and click “Add another.”
✨If the Assistants field isn’t already part of your Okta user profile, you will need to add this field to support syncing assistants via user provisioning. Here’s how: In Okta, go to Directory > Profile Editor > Okta and click “Profile.” Click “Add attribute.” Set up the Assistants profile attribute as a string array, as depicted below. ✨Type in the assistant’s email address, and click “Save.”
If you need to add multiple assistants, repeat steps four and five.
Go to the Applications tab and select Envoy application.
Click “Provisioning” and scroll down to “Show Unmapped Attributes”.
Select pen to edit assistants, set “Attribute value” equal to “Expression”, enter “
user.assistants
” into text field, and assign radio button to “create and update” for Apply On.Check your Envoy employee directory, and your assistants should be automatically assigned.
Note: If you plan to assign assistants manually within the web dashboard, please reach out to Envoy Support prior to setting up SCIM syncing to configure this on your account.
Troubleshooting Okta
Users not pulling through
If you notice that your users are not syncing to the Envoy Employee Directory, go to the Provisioning tab, remove all groups/users provisioned, then add them back.
This will kickstart the sync and you should start to see users within ~5 minutes.
Still not syncing
Go into your Okta Envoy application instance and remove all users/groups from the Provisioning tab
Then, on the Envoy web dashboard, go to Envoy Apps > Directory & SSO > Click "Configure" on Okta > Click "Regenerate token"
Go back to Okta's Envoy application > Provisioning tab > Integration section > Edit > and paste the new bearer token.
Go into "To App" and re-add all users/groups
✨You should see your employees in Envoy's Employee directory within 30 minutes.✨
Assistants do not appear in Envoy even though they are mapped
Ensure that the assistant is also in the users being provisioned into Envoy
Go to the Profile editor on Okta's provisioning page and click the pencil icon on the Assistants expression, it should look as follows:
You will want to be sure that the Variable name and the External namespace look like the above screenshot.
The Variable name will be slightly different but be in the format of
envoy_xxxxxx.assistants
If the Variable name does not look like the above screenshot, your assistant mapping will not send assistants to Envoy. Please de-activate Envoy in Okta and re-generate your OAuth Bearer Token in Envoy (Apps > Directory and SSO > Configure on Okta > Regenerate token)
Follow the steps listed here to set up a new instance of Envoy in Okta.
Admin Provisioning
Envoy makes it easy for Enterprise customers to automatically provision their admin users from Okta using SCIM groups.
IMPORTANT NOTES:
If you are not using Envoy (SCIM 2.0) in Okta, please upgrade the application.
To check which version of Envoy you are using or to upgrade your app, navigate to Applications > Browse app catalog in your Okta account and search for Envoy (SCIM 2.0).
Click Add Integration in the top right (if you do not have this installed already.
Be sure to configure the Envoy (SCIM 2.0) app in exactly the following order:
General settings
Set the application label and click next.
Sign-On Options
Click SAML 2.0.
Click view setup instructions.
Follow the setup instructions. Note: this will prevent users from signing in until provisioning and assignment is complete.
Set up provisioning (BEFORE assigning to app)
Click the Provisioning tab.
Click Configure API integration.
Enable the API integration checkbox.
Go to the Envoy dashboard to get the OAuth bearer token with the following steps.
Go to envoy dashboard → Click Apps in the left nav → Click the Directory/SSO tab → Click ‘configure’ under the Okta app.
Copy OAuth Bearer Token.
Paste in OAuth Bearer Token in Okta.
Click ‘Test API credentials’.
If successful, click Save.
Click the Edit button (to the right of ‘Provisioning to App’ header)
Click enable for Create, Update and Deactivate checkboxes and then click save.
Set up assignments
Click the Assignments tab.
Click Assign.
Assign people or groups.
Deactivate previous Envoy 1.1 app in Applications/Applications
On old app instance, go to Provisioning tab → Settings → API.
Click on Edit and uncheck Enable API Integration. Click Save.
Go ahead and deactivate the old AppName app instance.
Sync admins
Create groups as needed in Okta and assign users to those groups. Here’s additional information on how to create groups in Okta.
Sync your directory with Envoy. You can follow these instructions, if you have not already set up your integration with Envoy.
After you've configured Okta with Envoy, navigate to Employee directory > Admin roles.
Click on Sync Settings at the top of the page.
Under Sync admins, select the group you want to assign roles to.
Select an Envoy role and one or more location from the dropdown menu for each group you want to provision. (The list of group names are pulled from Okta.)
Click Add > Done.
Admin Provisioning FAQ
Admins can only have one location role and one company role using SCIM.
Location roles:
Location admin
Front desk admin
Deliveries
Security admin
Company roles:
Global admin
Billing admin
Envoy will give admins the higher role assigned. For example, If a user is in multiple groups in Okta and each group is mapped to two different location roles (Front Desk Admin and Location Admin), then the admin will be assigned the Location Admin role.
If you already have manual entries in the directory and sync with a SCIM, this will take over and delete the manual entries.
Synced roles will take priority over manual only if the synced role has higher priority permissions. If you have a front desk admin role (manual) and you are SCIM mapped to the security admin role, you will still have a manual front desk admin role for that location.
If you disconnect Okta, your roles will turn into manual roles and will stop syncing. Your mappings won't be saved and you will start from scratch the next time you sync with a SCIM.
You cannot manually delete synced roles. You must remove that person from the Okta group first.
If you are not seeing the roles you are looking for, be sure to check the filters at the top of the page.