Configuring SCIM Provisioning for Mixpanel with Okta
Troubleshooting and Tips
The following provisioning features are supported:
- New users created through Okta and assigned to the application will be created in Mixpanel
- Updates made to the assigned user's supported profile attributes (First Name, Last Name, Email) through Okta will be pushed to Mixpanel
- Deactivating the user or removing the user from the application through Okta will deactivate the user in Mixpanel (or delete the account if specified)
- Map groups in Okta to “Teams” in Mixpanel, along with memberships.
- Sync Mixpanel users to Okta
- Sync Mixpanel groups to Okta
- You must have an active Enterprise plan subscription with Mixpanel.
- Before you set up provisioning with Mixpanel, you will need to have first SSO with Mixpanel
- The “Username” value in Okta must be an email address with a domain that you’ve claimed
- You need to have generated a SCIM OAuth token to use with the app. Located in the “Access Security” tab of your organization settings. You will need to be an org admin to access this. See screenshots below:
In the "Sign On" tab, set the 'Application username format' to 'Email'. Click "Save".
Click the “Configure API Integration” button to begin.
Check the “Enable API Integration” box, then enter your SCIM token
Provisioning > To App
Select the supported features (Create/Update/Deactivate) you wish to enable:
The following profile attributes are required to be sent from Okta to Mixpanel:
- Given name
- Family name
- Primary email
Select and assign the users you wish to provision:
Troubleshooting and Tips
- In Mixpanel, upon account creation, a SCIM-provisioned user will be added to the organization with the organization “Member” role. The organization role for provisioned users can be changed by an organization admin within Mixpanel.
- If a user is provisioned with attributes we do not expect, we will fail the request. Refer to the “profile attributes” section above to see which attributes we require.
- If an Mixpanel account has already been created with the Okta user’s email (their Okta Username) and that account is not a member of your Mixpanel organization, provisioning setup for that Okta user will fail. It will also fail if the domain of the user’s email has not been claimed by your organization.
- Manually invite the existing user to your organization - this is so that someone cannot sneak their way into your organization by creating an account with an email that you were trying to provision.