Atomation Okta SSO & SCIM Setup Guide
Connect your Okta org to Atomation so your team signs in with SAML 2.0 SSO and is provisioned or deprovisioned automatically with SCIM 2.0.
Last updated: June 19, 2026
Before You Start
Atomation creates your workspace and your first administrator when you purchase. Your IAM team then completes the steps below to roll out access to everyone else.
SAML handles sign-in. SCIM provisioning and Group Push handle Atomation user lifecycle and role membership. There is no SAML group attribute to configure during onboarding.
You will need your Atomation tenant subdomain. It is shown in your Atomation welcome email and in Settings -> Workspace.
1. Add the Atomation App
- In the Okta Admin Console, go to Applications -> Browse App Catalog.
- Search for Atomation and click Add Integration.
- When prompted for the per-tenant value, enter your Atomation tenant subdomain, such as acme. This points the app at your Atomation workspace.
2. Single Sign-On (SAML 2.0)
The integration ships preconfigured. Confirm these values, then finish SCIM provisioning before assigning users.
Supported features
The Atomation Okta SAML integration currently supports the following features:
- SP-initiated SSO - sign-in started from the Atomation workspace.
- IdP-initiated SSO - sign-in started from the Okta dashboard chiclet.
- JIT (Just-In-Time) provisioning - a user account is created or updated in Atomation on first SAML sign-in.
| Setting | Value |
|---|---|
| Single Sign-On (ACS) URL | https://TENANT-SUBDOMAIN.atomation.io/auth/saml/acs |
| Audience / SP Entity ID | https://TENANT-SUBDOMAIN.atomation.io/saml/metadata |
| Name ID format | Unspecified |
| Application username | Okta username |
| Assertion signature | Signed, SHA-256 |
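To confirm the values in the table against a real sign-in, the check below (an added example, not Atomation or Okta code) inspects a base64-decoded SAMLResponse captured from your own browser session. The sample XML is constructed and trimmed, and the function names are hypothetical; it compares settings only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA256_SIG_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                   "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}

# Constructed, heavily trimmed sample of a base64-decoded SAMLResponse (tenant "acme").
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://acme.atomation.io/auth/saml/acs">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://acme.atomation.io/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def expected_sp_values(tenant):
    """ACS URL and SP Entity ID from the settings table for one tenant subdomain."""
    base = f"https://{tenant}.atomation.io"
    return {"acs": base + "/auth/saml/acs", "audience": base + "/saml/metadata"}

def check_saml_response(xml_text, tenant):
    """List the ways a decoded response differs from the table (no crypto check)."""
    want = expected_sp_values(tenant)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != want["acs"]:
        problems.append("Destination does not match the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext Assertion element"]
    audiences = [a.text.strip() for a in assertion.iter("{%s}Audience" % NS["saml"]) if a.text]
    if want["audience"] not in audiences:
        problems.append("Audience does not match the SP Entity ID")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") not in SHA256_SIG_ALGS:
        problems.append("assertion signature is not SHA-256")
    return problems

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "acme"))
```

For XML from a source you do not control, parse with defusedxml instead of the standard library.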
Finish SAML setup in Atomation
- In the Okta Admin Console, go to Applications -> Applications, search for the Atomation app you added from the Okta Integration Network catalog, open it, then select the Sign On tab.
- Click View SAML setup instructions, then copy the Metadata URL.
- In Atomation, sign in to https://TENANT-SUBDOMAIN.atomation.io and go to Security -> SSO.
- Paste the Okta Metadata URL, then click Save & verify.
3. SCIM Provisioning (Automatic User Lifecycle)
SCIM keeps Atomation access in sync with your directory by creating, updating, and deactivating users automatically. Atomation shows the exact tenant-specific SCIM Base URL during onboarding Step 5 and later in Security -> SCIM provisioning.
SCIM Lifecycle Features
- Create Users
- Update User Attributes
- Deactivate Users
- Group Push / Group Linking
Steps to Configure SCIM
- Copy the Base URL and generate a provisioning token in Atomation: sign in to https://TENANT-SUBDOMAIN.atomation.io, go to Security -> SCIM provisioning (or onboarding Step 5), click Generate token, and copy it. The token is shown once.
- In the Okta Atomation app, go to Provisioning -> Configure API Integration.
  - Check Enable API integration.
  - Base URL: use the exact URL shown in Atomation, for example https://TENANT-SUBDOMAIN.atomation.io/scim/v2
  - API Token: paste the token from step 1. Okta sends it as Authorization: Bearer <token>.
  - Click Test API Credentials. It should report success.
- Under Provisioning -> To App, enable:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Still under Provisioning -> To App, verify the Attribute Mappings:
  - userName - user email
  - name.givenName - first name
  - name.familyName - last name
  - email - user email
  - emailType - work
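One way to confirm that Deactivate Users and the attribute mappings behave as configured (an added example, not Atomation or Okta code) is to compare the SCIM user list with the users assigned to the app in Okta. It assumes the Base URL serves a standard SCIM 2.0 ListResponse at /Users; all sample data and function names are constructed.

```python
# Constructed sample: a SCIM 2.0 ListResponse as returned by GET {Base URL}/Users.
SCIM_USERS = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"userName": "alice@acme.example", "active": True,
         "emails": [{"type": "work", "value": "alice@acme.example"}]},
        {"userName": "bob@acme.example", "active": True,
         "emails": [{"type": "work", "value": "bob@acme.example"}]},
        {"userName": "carol@acme.example", "active": False,
         "emails": [{"type": "work", "value": "c.smith@acme.example"}]},
        {"userName": "owner@acme.example", "active": True,
         "emails": [{"type": "work", "value": "owner@acme.example"}]},
    ],
}
OKTA_ASSIGNED = ["Alice@acme.example", "dave@acme.example"]  # constructed Okta export
FIRST_ADMIN = ["owner@acme.example"]  # created by Atomation at purchase, not by SCIM

def norm(value):
    return (value or "").strip().lower()

def work_email(resource):
    """Return the first email of type "work", matching the emailType mapping."""
    for entry in resource.get("emails", []):
        if entry.get("type") == "work":
            return entry.get("value")
    return None

def audit_scim_users(list_response, okta_assigned, expected_local=()):
    """Flag accounts left active, mapping drift, and assigned users not yet provisioned."""
    assigned = {norm(u) for u in okta_assigned}
    local = {norm(u) for u in expected_local}
    out = {"still_active": [], "mapping_mismatch": [], "not_provisioned": []}
    seen = set()
    for res in list_response.get("Resources", []):
        name = norm(res.get("userName"))
        seen.add(name)
        # A missing "active" flag is treated as active so it is not overlooked.
        if res.get("active", True) and name not in (assigned | local):
            out["still_active"].append(name)
        if norm(work_email(res)) != name:  # userName and work email both map to user email
            out["mapping_mismatch"].append(name)
    out["not_provisioned"] = sorted(assigned - seen)
    return out

if __name__ == "__main__":
    print(audit_scim_users(SCIM_USERS, OKTA_ASSIGNED, FIRST_ADMIN))
```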
Group Linking – assign Atomation roles from Okta groups
You can drive a user's Atomation role with Okta Push Groups. Atomation
publishes one role-group for each role – Admin,
Security Admin, Org Admin, Developer,
Viewer, User – and you link an Okta
group to the role-group whose role it should grant. Membership of the linked group sets
the role; removing a user re-computes their role (falling back to User when
they belong to no linked role-group). Your Okta group can be named anything – the
role comes from which Atomation role-group you link to.
- Confirm SCIM provisioning is enabled and the API credential test succeeds.
- On the Push Groups tab, click Refresh App Groups to import Atomation's published role-groups (Admin, Viewer, …) so they appear as link targets. If you don't see the Refresh App Groups button: re-check that Enable API integration is on under Provisioning, then reload the page.
- Open Group Push Settings (the gear icon on the Push Groups tab) and uncheck “Rename app groups to match group name in Okta” → Save.
- Click + Push Groups → Find groups by name, then search for the Okta group you want to grant a role.
- In Match result & push action, choose Link Group and select the Atomation role-group (for example Admin) – not Create Group – then Save.
Okta then provisions the group's members into Atomation and grants them the linked role.
Assign Users After SCIM Is Ready
Assign users only after SCIM is enabled, API credentials test successfully, and role groups are linked. If a user is assigned before Okta provisions them, their first sign-in can fail. To recover, remove the app assignment, wait for provisioning to complete, then add the assignment again.
Recommended approach: create one Okta group for app access, for example
Atomation App Access, and assign the Atomation app to that group under
Assignments. Use Okta Group Rules to add users to that single
app-assignment group based on the source or role groups you use for SCIM Group Push.
Keep the SCIM pushed groups linked to Atomation role-groups such as Admin,
Viewer, or User.
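The Group Linking and assignment rules above can be audited before rollout with a short script (an added example, not Atomation or Okta code). Group names, users and function names are constructed, and treating the three admin-named roles as needing review is an assumption.

```python
ROLE_GROUPS = {"Admin", "Security Admin", "Org Admin", "Developer", "Viewer", "User"}
REVIEW_ROLES = {"Admin", "Security Admin", "Org Admin"}  # assumption: reviewed by name

# Constructed sample exports. LINKS: Okta group -> Atomation group it is linked to.
LINKS = {"eng-leads": "Admin", "engineering": "Developer",
         "auditors": "Viewer", "contractors": "contractors"}
MEMBERS = {"eng-leads": ["alice"], "engineering": ["alice", "bob"],
           "auditors": ["carol"], "contractors": ["dave"]}
APP_ACCESS = {"alice", "bob", "dave", "erin"}  # members of "Atomation App Access"

def audit_role_links(links, members, app_access):
    """Work out role-groups per user and flag links and users that need a second look."""
    report = {"unlinked_groups": [], "multi_role": [], "review": [],
              "no_app_access": [], "roles": {}}
    for group, target in sorted(links.items()):
        if target not in ROLE_GROUPS:
            # Target is not a published role-group, so the link grants no role
            # (Create Group chosen instead of Link Group?).
            report["unlinked_groups"].append(group)
            continue
        for user in members.get(group, []):
            report["roles"].setdefault(user, set()).add(target)
    for user in app_access:
        # Page rule: a user in no linked role-group falls back to User.
        report["roles"].setdefault(user, {"User"})
    for user, roles in sorted(report["roles"].items()):
        if len(roles) > 1:
            report["multi_role"].append(user)  # the page does not say which role wins
        if roles & REVIEW_ROLES:
            report["review"].append(user)
        if user not in app_access:
            report["no_app_access"].append(user)  # in a role group, not in the app group
    return report

if __name__ == "__main__":
    print(audit_role_links(LINKS, MEMBERS, APP_ACCESS))
```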
4. Support
- Email: [email protected]
- Include your Atomation tenant subdomain and the Okta event or correlation ID when reporting an issue.
Atomation LLC - Okta SSO & SCIM integration.