Enforce ZTNA with Device Identity in this live demo webinar!

Sync Okta Users to Smallstep

Prerequisites

You will need:

  • An account on the Smallstep platform
    Need one? Register here
  • Okta Super Administrator privileges
  • Okta Lifecycle Management Subscription

Features

The following provisioning features are supported:

  • Push Groups and New Users
    • New users created through Okta will also be created in Smallstep.
  • Push Profile or Group Updates
    • Updates made to the user's profile through Okta will be pushed to Smallstep.
  • Push User Deactivation
    • Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in Smallstep.
    • Note: For this application, deactivating a user means removing access to login, but the user's devices will not be affected.
  • Reactivate Users
    • User accounts can be reactivated in the application.

Overview

In this quickstart, we will:

  1. Create a new OIDC application in Okta, for single sign-on
  2. Enter OIDC details into the Smallstep UI
  3. Add and configure the Smallstep application from the Okta Application Directory, for user sync via SCIM
  4. Confirm users and groups are syncing to Smallstep

Step by step instructions

Step 1. Create Okta OIDC Application

  1. Start at your Okta admin console (access via "Admin" button next to "+ Add Apps" after successful log in)
  2. Go to Applications → Create App Integration
  3. In the pop up select "OIDC - OpenID Connect" as the sign-in method and specify "Native Application" for the Application type.
  4. New Native App Integration Page
    • App integration name: Smallstep OIDC
    • Sign-in redirect URIs: Replace the default value with https://api.smallstep.com/auth/openid/callback
    • Select "Skip group assignment for now"
    • All other value leave as default
    • Save
  5. Go to the General tab, in "Client Credentials", choose "Edit"
    • In "Client authentication", select "Client secret" radio button
    • Save
  6. Go to the Assignments tab.
  7. Assign any groups or people that will need access to Smallstep to the Smallstep OIDC app
  8. Go back to General tab and Save
  9. Copy the Client ID and Secret from that page

Step 2. Enter your OIDC details into the Smallstep console

  1. Start at Connect an Okta IdP

  2. Copy and paste your Client ID and Client Secret from Okta.

  3. The Configuration Endpoint is derived from your Okta domain. Fill your Okta domain into the following URL:

    https://{your Okta domain}/.well-known/openid-configuration

    This is your Configuration Endpoint. For example, if you normally sign into Okta at https://example.okta.com/, then your configuration endpoint is https://example.okta.com/.well-known/openid-configuration

  4. Select whether you'd like to sync users from Okta, invite them manually by email. (You'll configure user sync in the next section.)

  5. Save

  6. If you chose to sync users, you will see a Base URL for SCIM sync, and an API token (SCIM token). Copy these values for the next step.

Step 3. Add the Smallstep app integration and configure user sync in Okta

  1. In the Okta admin console, add the Smallstep application
  • Applications → Browse App Catalog
    • Search for Smallstep
    • Select the Smallstep app.

  1. Click "Add Integration"

  2. Select "Do not display application icon to users"

  3. De-select "Automatically log in when user lands on login page"

  4. Choose Next

  5. Select "Administrator sets username, user sets password"

  6. Application username format: "Okta username prefix"

  7. Update application username on "Create and update"

  8. Done. We'll assign users for syncing in the next section.

Configure provisioning

Next, we'll turn on SCIM provisioning of users from Okta.

  1. Select the "Provisioning" tab

  2. Click "Configure API Integration" and select the checkbox next to "Enable API integration"

  3. Paste your Base URL for SCIM sync and API Token from the Smallstep console into Okta's Provisioning form.

  4. In Okta, choose Test API Credentials. After successful verification, choose Save.

  5. Under Provisioning → Settings → To App, choose Edit and enable the following:

    • Create Users
    • Update User Attributes
    • Deactivate Users

  6. Save.

  7. Configure Assignments:

    • Select the Assignments tab → Click AssignAssign to Groups
    • Search by group → Assign any groups that will use Smallstep. Group names that contain a / are not supported

  8. Configure Push Groups:

    • Select the Push Groups tab → Push GroupsFind Groups By Name
    • Search for the same groups that will use Smallstep
    • Save.
    • Repeat for each desired group.

Confirmation

Back in Smallstep, go to Users. You should see your Okta users here.

When users are deactivated in Okta, they will be deactivated in Smallstep. Their devices will remain in Smallstep.

Last updated on February 3, 2026