Docs/SCIM basics plus okta

fern/docs.yml

@@ -30,6 +30,12 @@ navigation:
         path: ./pages/ssoready-concepts/saml-connections.mdx
       - page: Login Flows
         path: ./pages/ssoready-concepts/login-flows.mdx
+      - page: SCIM Directories
+        path: ./pages/ssoready-concepts/scim-directories.mdx
+      - page: SCIM Users
+        path: ./pages/ssoready-concepts/scim-users.mdx
+      - page: SCIM Groups
+        path: ./pages/ssoready-concepts/scim-groups.mdx
   - section: Self-Hosting
     contents:
       - page: Self-Hosting SSOReady
@@ -44,16 +50,28 @@ navigation:
         path: ./pages/self-service-admin/self-service-admin.mdx
       - section: Guides for common identity providers
         contents:
-          - page: Entra (formerly Azure AD)
-            path: ./pages/idp-config-tutorials/entra.mdx
-          - page: Okta
-            path: ./pages/idp-config-tutorials/okta.mdx
-          - page: Google
-            path: ./pages/idp-config-tutorials/google.mdx
-          - page: JumpCloud
-            path: ./pages/idp-config-tutorials/jumpcloud.mdx
-          - page: PingOne
-            path: ./pages/idp-config-tutorials/ping.mdx
+          - section: Entra (formerly Azure AD)
+            contents:
+            - page: SAML with Entra
+              path: ./pages/idp-config-tutorials/entra/entra_sso.mdx
+          - section: Okta
+            contents:
+            - page: SAML with Okta
+              path: ./pages/idp-config-tutorials/okta/okta_sso.mdx
+            - page: SCIM with Okta
+              path: ./pages/idp-config-tutorials/okta/okta_scim.mdx
+          - section: Jumpcloud
+            contents: 
+              - page: SAML with Jumpcloud
+                path: ./pages/idp-config-tutorials/jumpcloud/jumpcloud_sso.mdx
+          - section: Google
+            contents:
+              - page: SAML with Google
+                path: ./pages/idp-config-tutorials/google/google_sso.mdx
+          - section: Ping identity
+            contents:
+              - page: SAML with Ping identity
+                path: ./pages/idp-config-tutorials/ping/ping_sso.mdx
 
 navbar-links:
   - type: primary

fern/pages/idp-config-tutorials/entra.mdx → fern/pages/idp-config-tutorials/entra/entra_sso.mdx

@@ -1,6 +1,7 @@
 ---
-title: 'SSO with Entra'
+title: 'SAML with Entra'
 description: 'How to set up SSOReady connections with Entra (formerly Azure Active Directory)'
+noindex: false
 ---
 
 {/* ==================================================== */}

fern/pages/idp-config-tutorials/google.mdx → fern/pages/idp-config-tutorials/google/google_sso.mdx

@@ -1,6 +1,7 @@
 ---
-title: 'SSO with Google Identity'
+title: 'SAML with Google Identity'
 description: 'How to set up SSOReady connections with Google Identity'
+noindex: false
 --- 
 
 {/* ==================================================== */}

fern/pages/idp-config-tutorials/jumpcloud.mdx → fern/pages/idp-config-tutorials/jumpcloud/jumpcloud_sso.mdx

@@ -1,6 +1,7 @@
 ---
-title: 'SSO with JumpCloud'
+title: 'SAML with JumpCloud'
 description: 'How to set up SSOReady connections with JumpCloud'
+noindex: false
 --- 
 
 {/* ==================================================== */}

fern/pages/idp-config-tutorials/okta/okta_scim.mdx

@@ -0,0 +1,184 @@
+---
+title: 'SCIM with Okta'
+description: 'How to set up an SSOReady SCIM directory with Okta'
+noindex: false
+--- 
+
+{/* ==================================================== */}
+{/*                       Okta                           */}
+{/* ==================================================== */}
+
+SCIM (system for cross-domain identity management) allows your application to communicate on a recurring basis with your customer's IDP. You will receive information from your customer regarding the users that should have access to your application -- and which should not. In many cases, you will also receive useful information regarding your users' *attributes*.
+
+SSOReady helps you use SCIM without integrating your product directly with Okta. You will instead integrate with SSOReady, which will communicate with Okta on your behalf.
+
+Connecting SSOReady to your customer's Okta implementation requires that you share two pieces of information with Okta, both of which you'll find in SSOReady:
+1. A **base url** that Okta will perform operations on (e.g. via HTTP PATCH)
+2. A **bearer token** that Okta will include with its requests
+
+
+However, configuring Okta can involve a few more steps. This guide therefore starts by focusing *briefly* on SSOReady and subsequently focuses on Okta configuration.
+
+# Configuring SSOReady
+
+To create a SCIM Directory within SSOReady, you'll first need to create an [Environment](/docs/sso-ready-concepts/environments) and an [Organization](/docs/sso-ready-concepts/organizations). SCIM Directories belong to Organizations. You can create a SCIM Directory for an Organization by navigating to the Organization in SSOReady and selecting *Create SCIM directory*. 
+<Frame caption="Creating a SCIM Directory in SSOReady">
+  <img src="/docs/assets/idp-scim-assets/okta/ssor2.png" />
+</Frame>
+
+From there, you can find the *base URL* and generate the *bearer token* you'll need to give your customer. Hold onto these. 
+
+Currently, you must share both the base URL and the bearer token with your customer directly (e.g. via email). We realize this is not optimal and plan to improve this aspect of the product over time.
+
+SSOReady **does not store bearer tokens**. You will not be able to access the bearer token in SSOReady again. You may at any time, however, replace the existing bearer token with a new one. When you create a new bearer token, you simultaneously invalidate the previous bearer token.
+
+<Frame caption="Capturing the base URL and bearer token from SSOReady">
+  <img src="/docs/assets/idp-scim-assets/okta/ssor1.png" />
+</Frame>
+
+Once you have created a SCIM Directory in SSOReady and taken note of both the base URL and the bearer token, you have finished with SSOReady configuration.
+
+# Configuring Okta
+
+Once there's a SCIM Directory in SSOReady, you can connect that SCIM Directory to your customer's Okta instance.
+
+<Info>
+The following steps will be most relevant to IT administrators. However, SSOReady customers may find this section helpful either as a resource to share with their *own* customers or for development purposes.
+</Info>
+
+Start by navigating to the relevant application in Okta. If you are unsure how to create such an Application, please review [this guide](/docs/idp-configuration/guides-for-common-identity-providers/okta/sso-with-okta) for an in-depth explanation. 
+
+<Frame caption="Visiting an Application in Okta">
+  <img src="/docs/assets/idp-scim-assets/okta/0.png" />
+</Frame>
+
+Make sure you're on the *General* tab and press *Edit* on the *App Settings* card.
+
+<Frame caption="Editing app settings">
+  <img src="/docs/assets/idp-scim-assets/okta/1.png" />
+</Frame>
+
+Make sure the Provisioning box shows a checkmark. By default, Okta leaves this box unchecked.
+
+<Frame caption="Checking the `Enable SCIM provisioning` field">
+  <img src="/docs/assets/idp-scim-assets/okta/3.png" />
+</Frame>
+
+Press *Save* in the lower right corner.
+
+<Frame caption="Pressing save">
+  <img src="/docs/assets/idp-scim-assets/okta/2.png" />
+</Frame>
+
+Navigate to the *Provisioning* tab for the Application.
+
+
+
+<Frame caption = "Navigating to the Provisioning tab">
+  <img src="/docs/assets/idp-scim-assets/okta/4.png" />
+</Frame>
+
+On the *Provisioning* tab, click the *Edit* button toward the top right of the card.
+
+<Frame caption = "Clicking the Edit button">
+  <img src="/docs/assets/idp-scim-assets/okta/6.png" />
+</Frame>
+
+Look for a field marked *SCIM connector base URL*. This will be the *base URL* from the SSOReady configuration. Paste the base URL from SSOReady.
+
+<Frame caption = "Inserting the SCIM connector base URL">
+  <img src="/docs/assets/idp-scim-assets/okta/9.png" />
+</Frame>
+
+Next, look for a field marked *Unique identifier field for users*. We need this to say "email" exactly. SSOReady relies on users' emails as a unique identifier. 
+
+<Frame caption = "Entering 'email' as the unique identifier field">
+  <img src="/docs/assets/idp-scim-assets/okta/8.png" />
+</Frame>
+
+Look for a series of checkboxes labeled *Supported provisioning actions.* You will see five checkboxes. Set your configuration to match the following:
+
+- [x]  Import New Users and Profile Updates
+- [x]  Push New Users
+- [x]  Push Profile Updates
+- [x]  Push Groups
+- [ ]  Import Groups
+
+**Ensure that *Import Groups* remains unchecked.** The SCIM Connection will fail otherwise.
+
+<Frame caption = "Editing the 'Supported provisioning actions'">
+  <img src="/docs/assets/idp-scim-assets/okta/12.png" />
+</Frame>
+
+Now look for a dropdown menu labeled *Authentication Mode*. This must change from its default value to *HTTP Header*.
+
+<Frame caption = "Changing the 'Authentication Mode' to 'HTTP Header'">
+  <img src="/docs/assets/idp-scim-assets/okta/11.png" />
+</Frame>
+
+Now paste the bearer token from SSOReady in the field marked *Authorization*. 
+
+<Frame caption = "Pasting the bearer token from SSOReady">
+  <img src="/docs/assets/idp-scim-assets/okta/20.png" />
+</Frame>
+
+Then once more hit *Save* in the lower right. 
+
+<Frame caption = "Saving edits to the SCIM connection">
+  <img src="/docs/assets/idp-scim-assets/okta/10.png" />
+</Frame>
+
+Now look in the sidebar to the left and find the item marked *To App*. Click this. 
+
+<Frame caption = "Navigating to the setting for provisioning to the app">
+  <img src="/docs/assets/idp-scim-assets/okta/13.png" />
+</Frame>
+
+You'll see four checkboxes. Set them to match the following:
+- [x] Create Users
+- [x] Update User Attributes
+- [x] Deactivate Users
+- [ ] Sync Password
+
+Then press *Save* in the lower right.
+
+<Frame caption = "Saving edits to the SCIM connection">
+  <img src="/docs/assets/idp-scim-assets/okta/16.png" />
+</Frame>
+
+Now navigate to the *Assignments* tab. 
+
+<Frame caption = "Navigating to the 'Assignments' settings">
+  <img src="/docs/assets/idp-scim-assets/okta/15.png" />
+</Frame>
+
+Using the *Assign* dropdown, choose to assign the relevant People (i.e. users) or Groups. This guide uses People.
+
+<Frame caption = "Assigning People to the Application">
+  <img src="/docs/assets/idp-scim-assets/okta/14.png" />
+</Frame>
+
+You'll now see a list of People. For each that you wish to assign to the Application, press the *Assign* button to the right.
+
+<Frame caption = "Starting the assignment flow for a person">
+  <img src="/docs/assets/idp-scim-assets/okta/18.png" />
+</Frame>
+
+You'll have the opportunity to edit this person's attributes, but it's usually fine just to scroll down and press *Save and Go Back*. 
+
+<Frame caption = "Pressing 'Save and Go Back">
+  <img src="/docs/assets/idp-scim-assets/okta/17.png" />
+</Frame>
+
+Unless you wish to add other People to the Application, you can now press *Done*. 
+
+<Frame caption = "Finishing assignment to the Application">
+  <img src="/docs/assets/idp-scim-assets/okta/19.png" />
+</Frame>
+
+Within a few moments, the user will sync in SSOReady. You can see any changes by navigating back to the SCIM Directory's page in SSOReady.
+
+<Note>
+If you assigned users to the Application *before* setting up the SCIM Connection, you may need to instruct Okta to force sync. You can read more [here](https://support.okta.com/help/s/article/How-To-Use-The-Force-Sync-Option?language=en_US).
+</Note>
+

fern/pages/idp-config-tutorials/okta.mdx → fern/pages/idp-config-tutorials/okta/okta_sso.mdx

@@ -1,6 +1,7 @@
 ---
-title: 'SSO with Okta'
+title: 'SAML with Okta'
 description: 'How to set up SSOReady connections with Okta'
+noindex: false
 --- 
 
 {/* ==================================================== */}

fern/pages/idp-config-tutorials/ping.mdx → fern/pages/idp-config-tutorials/ping/ping_sso.mdx

@@ -1,6 +1,7 @@
 ---
-title: 'SSO with Ping Identity'
+title: 'SAML with Ping Identity'
 description: 'How to set up SSOReady connections with PingOne'
+noindex: false
 --- 
 
 {/* ==================================================== */}

fern/pages/idp-config-tutorials/test-account.mdx

@@ -1,6 +1,8 @@
 ---
 title: 'How to set up an IDP test account'
 description: 'Making sure your implementation works properly'
+noindex: false
+nofollow: false
 --- 
 
 {/* ==================================================== */}

fern/pages/quickstart.mdx

@@ -1,6 +1,7 @@
 ---
 title: "Quickstart"
 description: "Start accepting SAML logins this afternoon"
+noindex: false
 ---
 
 # Getting started with SSOReady
@@ -159,9 +160,9 @@ Unfortunately, SAML identity providers (e.g. Okta, Microsoft Entra, Google Works
 terminology for these identical details. To deal with that, we've prepared a separate set of documentation for you to
 follow depending on what identity provider your customer uses:
 
-* [Okta](/docs/idp-configuration/guides-for-common-identity-providers/okta)
-* [Google Workspace](/docs/idp-configuration/guides-for-common-identity-providers/google)
-* [Microsoft Entra](/docs/idp-configuration/guides-for-common-identity-providers/entra-formerly-azure-ad) (aka Microsoft Azure Active Directory, Microsoft Azure AD)
+* [Okta](/docs/idp-configuration/guides-for-common-identity-providers/okta/saml-with-okta)
+* [Google Workspace](/docs/idp-configuration/guides-for-common-identity-providers/google/saml-with-google)
+* [Microsoft Entra](/docs/idp-configuration/guides-for-common-identity-providers/entra-formerly-azure-ad/saml-with-entra) (aka Microsoft Azure Active Directory, Microsoft Azure AD)
 
 In all cases, you're ultimately going to:
 

fern/pages/saml-oauth.mdx

@@ -2,6 +2,7 @@
 title: "SAML over OAuth (SAML NextAuth.js integration)"
 slug: "saml-over-oauth-saml-nextauth-integration"
 subtitle: "Add SAML support to OAuth-based applications, like those using NextAuth.js"
+noindex: false
 ---
 
 If your application relies primarily on OAuth to log users in, such as if you use

fern/pages/scim-quickstart.mdx

@@ -467,8 +467,8 @@ use the same terminology for these identical details. To deal with that, we've
 prepared a separate set of documentation for you to follow depending on what
 identity provider your customer uses:
 
-- [Okta](/docs/idp-configuration/guides-for-common-identity-providers/okta)
-- [Microsoft Entra](/docs/idp-configuration/guides-for-common-identity-providers/entra-formerly-azure-ad) (aka Microsoft Azure Active Directory, Microsoft Azure AD)
+- [Okta](/docs/idp-configuration/guides-for-common-identity-providers/okta/scim-with-okta)
+- [Microsoft Entra](/docs/idp-configuration/guides-for-common-identity-providers/entra-formerly-azure-ad/) (aka Microsoft Azure Active Directory, Microsoft Azure AD)
 
 In all cases, you're ultimately going to:
 

fern/pages/self-hosting.mdx

@@ -1,6 +1,7 @@
 ---
 title: "Self-Hosting SSOReady"
 subtitle: "How to manage SAML entirely in your cloud or your customer's cloud"
+noindex: false
 ---
 
 SSOReady is a free, MIT-licensed way to add SAML support to your app. A free hosted version of SSOReady is available

fern/pages/self-service-admin/self-service-admin.mdx

@@ -1,6 +1,7 @@
 ---
 title: 'Using self-service configuration'
 description: 'Onboarding your customers more smoothly'
+noindex: false
 --- 
 
 {/* ==================================================== */}

fern/pages/ssoready-concepts/environments.mdx

@@ -1,6 +1,7 @@
 ---
 title: 'SSOReady concepts: Environments'
 description: 'Understanding Environments in SSOReady'
+noindex: false
 ---
 
 ### Structuring SSOReady Environments

fern/pages/ssoready-concepts/login-flows.mdx

@@ -1,6 +1,7 @@
 ---
 title: 'SSOReady concepts: Login Flows'
 description: 'Understanding Login Flows in SSOReady'
+noindex: false
 ---
 
 Each time one of your users attempts to log in via SAML, SSOReady will create a *Login Flow*. Login Flows store data related to your user's login attempt. Reviewing this data can help you audit and debug your [SAML Connections](saml-connections). 

fern/pages/ssoready-concepts/organizations.mdx

@@ -1,6 +1,7 @@
 ---
 title: 'SSOReady concepts: Organizations'
 description: 'Understanding Organizations in SSOReady'
+noindex: false
 ---
 
 In SSOReady, each [Environment](environments) has some number of *Organizations*. 

fern/pages/ssoready-concepts/overview.mdx

@@ -1,6 +1,7 @@
 ---
 title: 'SSOReady concepts: overview'
 description: 'Understanding and navigating our product'
+noindex: false
 ---
 
 SSOReady introduces a small number of important concepts that you'll need to understand. This section of the documentation describes each of them and outlines explicit instructions where relevant.

fern/pages/ssoready-concepts/saml-connections.mdx

@@ -1,6 +1,7 @@
 ---
 title: 'SSOReady concepts: SAML Connections'
 description: 'Understanding SAML Connections in SSOReady'
+noindex: false
 ---
 
 SAML Connections store the information that SSOReady needs in order to connect your application with your customer's identity provider.