Introducing Frankie — your AI coworker, in your inbox

Set Up Okta SCIM Provisioning

Last updated April 6, 2026

This guide walks you through configuring SCIM provisioning between Okta and Compound. After setup, users assigned to the Compound app in Okta are automatically added to your Compound team, and users removed from the app are automatically deprovisioned.

Prerequisites

  • Your team must have Okta SSO configured (either OIDC or SAML). SCIM requires an active SSO configuration.
  • You must be a Team Owner in Compound and an Admin in Okta.
Important

SCIM cannot be enabled without an active SSO configuration. Complete SSO setup before starting this guide.

Important

Okta only supports SCIM provisioning on SAML and SWA (Secure Web Authentication) app integrations. SCIM cannot be added to an OIDC app in Okta. If your team uses OIDC for SSO, you will need to create a second Okta app (SWA) dedicated to SCIM provisioning. See the next section for details.

Choosing where to configure SCIM

How you set up SCIM in Okta depends on which SSO protocol your team uses:

  • SAML SSO — SCIM can be enabled directly on the same Okta app you use for single sign-on. Skip ahead to Enable SCIM in Compound and copy credentials.
  • OIDC SSO — Because Okta does not support SCIM on OIDC apps, you need to create a separate SWA app in Okta that handles provisioning only. Your existing OIDC app continues to handle sign-in. Follow the steps below to create the SWA app first, then proceed with the rest of the setup.

Creating a separate SWA app for SCIM (OIDC teams only)

If your team uses OIDC SSO, follow these steps to create a dedicated SWA app for SCIM provisioning:

  1. Sign in to the Okta Admin Console.
  2. Navigate to Applications > Applications in the left sidebar.
  3. Click Create App Integration.
  4. Select SWA - Secure Web Authentication as the sign-on method and click Next.
  5. Fill in the following fields:
    • App name: Enter Compound SCIM (or any name that distinguishes it from your OIDC app).
    • App’s login page URL: Enter https://app.getcompound.com (this is a placeholder — the SWA app is used for provisioning only, not sign-in).
  6. Click Finish.

The SWA app is now created. You will configure SCIM on this app in the steps below.

Important

With the two-app setup, users must be assigned to both Okta apps: the OIDC app (for sign-in) and the SWA app (for provisioning). If a user is only assigned to the OIDC app, they can sign in but will not be auto-provisioned. If a user is only assigned to the SWA app, they will be provisioned but cannot sign in via SSO. The easiest approach is to assign the same group to both apps.

Setup procedure

In the steps below, “your Compound application” refers to:

  • Your SAML app if you use SAML SSO (single app handles both SSO and SCIM).
  • Your SWA app (e.g., “Compound SCIM”) if you use OIDC SSO (the OIDC app remains unchanged).

Enable SCIM in Compound and copy credentials

  1. In Compound, navigate to Settings > Team.
  2. Scroll to the SCIM Provisioning section.
  3. Click Enable SCIM.
  4. Compound generates a SCIM Endpoint URL and a Bearer Token. Copy both values immediately.
Important

The bearer token is displayed only once. Copy it now and store it securely. If you lose it, you can rotate it later from the SCIM Provisioning section, but you will need to update Okta with the new token.

Enable SCIM provisioning in Okta

  1. Sign in to the Okta Admin Console.
  2. Navigate to Applications > Applications and select your Compound application (the SAML app or the SWA app you created for SCIM).
  3. Click the General tab.
  4. In the App Settings section, click Edit.
  5. Under Provisioning, select SCIM and click Save.
  6. A new Provisioning tab appears on the application.

Configure the SCIM connection in Okta

  1. Click the Provisioning tab on your Compound application.
  2. Click Integration in the left sidebar (under Settings).
  3. Click Edit to configure the SCIM connection.
  4. Fill in the following fields:
    • SCIM connector base URL: Paste the SCIM Endpoint URL from Compound.
    • Unique identifier field for users: Enter userName.
    • Supported provisioning actions: Check Push New Users and Push Profile Updates.
    • Authentication Mode: Select HTTP Header.
  5. In the HTTP Header section, paste the Bearer Token from Compound into the Authorization field.
  6. Click Test Connector Configuration to verify the connection. You should see a success message.
  7. Click Save.
Tip

If the test fails, double-check that the SCIM Endpoint URL ends with a trailing slash and that the bearer token was copied correctly with no extra spaces.

Enable provisioning features

  1. On the Provisioning tab, click To App in the left sidebar.
  2. Click Edit.
  3. Enable the following:
    • Push New Users — Okta will provision new users to Compound when they are assigned to the app.
    • Push Profile Updates — Okta will push profile changes (such as display name) to Compound.
  4. Click Save.
Note

Okta also offers Import New Users and Profile Updates, Push Groups, and Import Groups. These are not required for basic SCIM provisioning. User deprovisioning happens automatically when you unassign a user from the app in Okta.

Assign users and groups

  1. Click the Assignments tab on your Compound application.
  2. Click Assign and select either Assign to People or Assign to Groups.
  3. Select the users or groups you want to provision to Compound, then click Done.

Okta will immediately push a SCIM create request for each assigned user. Within a few moments, those users will appear as Members of your Compound team.

Note

OIDC teams: Remember to assign the same users or groups to your OIDC app as well, so they can sign in via SSO. The SWA app handles provisioning only.

Verify provisioning

  1. In Compound, navigate to Settings > Team.
  2. Scroll to the Members section.
  3. Confirm that the users you assigned in Okta now appear as team members with the Member role.
Tip

If users do not appear, check the Okta System Log (Reports > System Log) for provisioning errors. Common issues are listed in the Troubleshooting section below.

Troubleshooting

”Test API Credentials” fails in Okta

  • Verify the SCIM connector base URL matches the endpoint URL shown in Compound exactly, including the trailing slash.
  • Verify the Bearer Token is correct. If you are unsure, rotate the token in Compound (Settings > Team > SCIM Provisioning > Rotate Token) and enter the new one in Okta.
  • Ensure the Compound team still has SSO configured. SCIM authentication will fail if SSO has been removed.

No Provisioning option on the General tab

Okta only supports SCIM on SAML and SWA app integrations. If your Compound app is an OIDC app, you will not see a Provisioning dropdown on the General tab. Create a separate SWA app for SCIM as described in Creating a separate SWA app for SCIM.

Users are not being provisioned

  • Check that Push New Users is enabled under Provisioning > To App in Okta.
  • Check the Okta System Log (Reports > System Log) for errors related to the Compound app.
  • Verify the user is actually assigned to the Compound application in the Assignments tab.
  • You may have to refresh the page in Compound to see the updated member list.
  • OIDC teams: Make sure you are checking assignments on the SWA app, not the OIDC app. SCIM runs from the SWA app.

”User is already a member of a different team”

A user can only belong to one Compound team at a time. If Okta tries to provision a user who is already a member of a different team, the request will be rejected with a 409 conflict error. The user must leave their current team before they can be provisioned to yours.

Users are not being deprovisioned

  • Deprovisioning happens when you unassign a user from the app in Okta. Check that the user was actually unassigned in the Assignments tab.
  • Team Owners cannot be deprovisioned via SCIM. If the user is the Team Owner, the request will be rejected.
  • Deprovisioning removes users from the team but does not delete their account.

Users are provisioned but cannot sign in (OIDC teams)

If you are using the two-app setup (OIDC + SWA), make sure the user is assigned to both apps. The SWA app provisions users to Compound, but the OIDC app is required for SSO sign-in. Assign the same group to both apps to keep them in sync.

Bearer token expired or lost

If the bearer token was not copied when it was first generated, or if it has been compromised:

  1. Go to Settings > Team > SCIM Provisioning in Compound and click Rotate Token.
  2. Copy the new token.
  3. In Okta, go to Provisioning > Integration > Edit and update the Authorization header with the new token.
  4. Click Test API Credentials to confirm the new token works.