🔐 Configuring SCIM on Okta for AskNicely

SCIM (System for Cross-domain Identity Management) allows Okta to automatically provision and manage users in AskNicely.

Follow this step-by-step guide to configure SCIM for your organization.

✅ What You'll Need

Before you begin, ensure the following prerequisites are met:

• ✅ Administrator access to your AskNicely account

• ✅ Administrator access to your Okta organization

• ✅ Completed SAML configuration between Okta and AskNicely

📘 Need help with SAML? Refer to our SAML step-by-step guide

🎯 What You'll Achieve

After completing these steps, you’ll be able to:

• Automatically provision users via Okta

• Manually assign roles and access levels in AskNicely

• Enable advanced provisioning using location-based access and role mapping

🔧 Step 1: Enable SCIM in AskNicely

1. Log in to AskNicely as an Admin.

2. Navigate to Settings > Users.

3. Go to your SCIM settings at:

   https://<YOUR-TENANT-NAME>.asknicely.site/scim/settings

4. Copy the SCIM Base URL and SCIM Token—you’ll use these in Okta.

⚙️ Step 2: Configure SCIM in Okta

1. Log in to Okta as an Admin.

2. Go to Applications > Applications.

3. Search for and select: SCIM 2.0 Test App (Header Auth).

4. Click Add Integration.

5. Accept default settings (or customize them), then complete the install.

6. Navigate to the Provisioning tab and click Configure API Integration.

7. Check Enable API Integration.

8. Paste the SCIM Base URL and SCIM Token from AskNicely.

9. Click Test API Credentials → ✅ Success? Click Save.

10. Under “Provisioning to App,” enable:

    • ✔️ Create Users

    • ✔️ Update User Attributes

    • ✔️ Deactivate Users

🔄 Step 3: Configure User Provisioning Scenarios

Scenario 1: Users Provisioned Automatically, Roles Set Manually in AskNicely

Manage Users in AskNicely.

Add users manually in AskNicely configuration page via Settings > Users. Assign roles, permissions, and data access manually here.

User Login

When users attempt to log in via Okta/Google with the same email as the email assigned when the user is created, SSO will grant them access.

Result

No automated user creation.
Roles and data access must be configured directly in AskNicely.

Scenario 2: Users Provisioned Automatically with Location-Based Data Access

For organizations where user roles and location-based data access must be determined automatically, you can use advanced attribute mappings from Okta to pass role and location information directly to AskNicely.

Prerequisites

• Confirm with AskNicely Support that your plan supports SCIM or advanced JIT provisioning with role and location attributes.

• Determine which Okta attributes (e.g., department, location, groups, or custom attributes) will map to AskNicely roles and locations.

• You may need a predefined mapping schema from AskNicely (e.g., askNicelyGroup and askNicelyFilter_key attribute names) to ensure these values can be interpreted correctly.

Steps

Configure Attribute Mappings in Okta

Go to Directory > Profile Editor > SCIM 2.0 Test App (Header Auth) User

b. Create three new attributes:

askNicelyGroup

• Data type: string

• Display name: AskNicely Group (or any name that makes sense to you).

• Variable name: askNicelyGroup

• External name: askNicelyGroup

• External namespace: urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User

• Description: User Role in AskNicely (or whatever makes sense to you).

• Attribute type: Group

askNicelyFilter_key

• Data type: string

• Display name: AskNicely Filter Name (or any name that makes sense to you).

• Variable name: askNicelyFilter_key (note the .)

• External name: askNicelyFilter.key (note the _)

• External namespace: urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User

• Description: Name of custom data field (for the user locked filter) in AskNicely (or whatever makes sense to you).

• Attribute type: Group

askNicelyFilter_value

• Data type: string

• Display name: AskNicely Filter Value (or any name that makes sense to you).

• Variable name: askNicelyFilter_value (note the .)

• External name: askNicelyFilter.value (note the _)

• External namespace: urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User

• Description: Value of custom data field (for the user locked filter (what can this user see in AskNicely?) (or whatever makes sense to you).

• Attribute type: Personal

You should now see those three new fields in the list of fields for this app.

Update the mapping [App → Provisioning → To App → Attribute Mappings]

• askNicelyFilter_value should map to the profile field containing the locked value for this user

• askNicelyFilter_value and askNicelyGroup should be “Same value for all user” and set to a simple dot . - this will be overwritten in the Group assignment during the next step.

When assigning Groups to this app, make sure you enter the values as group level values.

Result

Users are created automatically on first login.
Roles and location-based access are automatically assigned according to attributes passed from Okta, reducing manual administration.

By completing these steps, you will have a fully integrated SCIM and SAML solution for managing user access and data permissions in AskNicely through Okta.

📞 Questions?

If you need help with attribute mapping or would like assistance setting up SCIM + SAML together, please reach out to support@asknice.ly or use the chat in the bottom-right corner of your AskNicely dashboard.