Introduction

This guide provides a complete, admin-level walkthrough to connect Okta with Popl Teams for Single Sign‑On (SAML 2.0) and automated user lifecycle management via SCIM 2.0. You’ll get step‑by‑step setup, recommended attribute mappings, rollout and testing checklists, and fixes for common issues. Links to Popl enterprise resources are included for governance and support.

• Who should use this: IdP/IT administrators and Popl Teams org owners.

• What you’ll accomplish: SSO for authentication and SCIM for create/update/deactivate, with optional Push Groups for role- or team-based assignment.

Prerequisites and roles

• Okta: Super Admin or App Admin with rights to create SAML apps and configure provisioning.

• Popl: Popl Teams admin (Enterprise recommended) with access to SSO/SCIM settings and API/token management. See Enterprise and Integrations.

• Exchange of metadata: You’ll obtain Popl SP metadata (ACS URL, Entity ID) and provide Okta IdP metadata back to Popl. Follow Okta’s private SSO integration flow for a custom SAML app.

Architecture: what you’re configuring

• Authentication: SAML 2.0 between Okta (IdP) and Popl (SP). Users sign in to Popl with Okta credentials; attributes in the SAML assertion help prefill profiles.

• Provisioning: SCIM 2.0 from Okta to Popl to automate user create, update, and deactivation; optional Group Push to manage team membership at scale. Use Okta’s private SCIM app template if Popl isn’t yet listed in your OIN tenant.

Part 1 — Configure SAML SSO in Okta

1) Create a SAML 2.0 app

• Okta Admin Console → Applications → Create App Integration → SAML 2.0.

• Name: “Popl (SAML SSO)”. Add an icon if desired. Save.

2) Enter SAML settings (from Popl SP metadata)

• Single sign‑on URL (ACS): provided by Popl.

• Audience URI (SP Entity ID): provided by Popl.

• Name ID: EmailAddress; value = user.email.

• Assertion Signing: SHA‑256.

• Default RelayState: leave blank unless Popl specifies.

3) Attribute statements (recommended)

• firstName → user.firstName

• lastName → user.lastName

• email → user.email

• title → user.title

• department → user.department

• phone → user.mobilePhone (or user.primaryPhone)

• picture → user.profileUrl (or a custom Okta attribute that stores a photo URL)

4) Download and share IdP metadata

• After saving, open the app’s Sign On tab → “Identity Provider metadata” (XML). Provide this to Popl (or paste the metadata URL if Popl accepts URLs).

5) Assign users/groups for SSO testing

• Assign a pilot group; test SP‑initiated and IdP‑initiated flows once Popl confirms SAML is enabled for your org.

Part 2 — Enable SCIM provisioning in Okta

Okta supports adding SCIM provisioning to a custom SAML app. You’ll supply Popl’s SCIM base URL and an OAuth/Bearer token (or other supported auth) obtained from your Popl admin console/support.

1) Turn on SCIM for the SAML app

• Applications → your “Popl (SAML SSO)” app → General → App Settings → Provisioning = SCIM → Save.

2) Configure the SCIM connector

• Provisioning tab → Integration → Edit.

• SCIM Base URL: provided by Popl.

• Unique identifier: userName (usually the work email) unless Popl instructs otherwise.

• Authentication: typically Bearer token (paste the token generated in Popl). Click Test Connector Configuration and confirm success.

3) Enable provisioning actions

• Under “To App” enable Create Users, Update User Attributes, and Deactivate Users; leave “Password” unchecked (SAML handles auth). Save.

4) Map attributes

• Provisioning → To App → Mappings.

• Map Okta profile attributes to Popl SCIM attributes (see the next section for a recommended table). Save/Apply updates.

5) (Optional) Push Groups

• Push Groups tab → Push Groups → by name or by rule; activate. Note: Group Push requires users be assigned to the app; it doesn’t push “unassigned” users just because they’re in a group.

Recommended attribute mappings (Okta → Popl)

Use this as a baseline; Popl supports custom field mapping and enrichment. See Integrations.

Tip: Keep userName aligned to the same email you pass as NameID in SAML. That simplifies correlation between SSO and SCIM.

Testing and rollout checklist

• SSO

• IdP metadata exchanged; test SP‑initiated sign‑in from Popl and IdP‑initiated from Okta.

• Validate SAML attributes in the Okta System Log and verify Popl profile prefill.

• SCIM

• “Test Connector Configuration” succeeds.

• Create test user in Okta, assign to Popl: user is created in Popl.

• Update title/department in Okta: changes appear in Popl after push.

• Deassign user: Popl account is deactivated (not deleted) per SCIM deactivate.

• Groups (optional)

• Push a pilot group, confirm membership sync; remember users must also be assigned to the app.

• Rollout

• Start with a pilot subteam, then expand; leave Deactivate enabled only after validating deprovisioning effects on access and licenses.

Troubleshooting (quick fixes)

• SAML “Invalid Audience/Recipient”

• Ensure the Okta Audience URI and ACS URL exactly match Popl’s SP metadata; re‑upload IdP metadata to Popl if certs changed.

• SAML NameID mismatch

• NameID Format = EmailAddress; the value should be the same email used as SCIM userName.

• Clock skew / signature errors

• Confirm system time and use SHA‑256 signing; re‑test after saving.

• SCIM 401/403 Unauthorized

• Regenerate the Popl SCIM token; confirm you pasted the correct Bearer token and restarted the connector test.

• SCIM 404/409/422 on create

• Check that userName is unique and email format is valid; verify required attributes are mapped and not null.

• SCIM 429 / rate limiting

• Stagger large imports, or provision by cohorts; prefer Group Push with assigned users and limit concurrent jobs. (Okta documents group push mechanics and status states.)

• Group Push not affecting membership

• Users must be assigned to the app; Push Groups doesn’t push unassigned users’ membership. Activate the group under the Push Groups tab and verify “Active” status.

Governance, security, and support

• Popl enterprise controls: SSO (Okta SAML), role‑based access, and auditability; see Enterprise and Integrations.

• Data protection: review Popl’s DPA and SOC 2 announcement for assurance alignment.

• Need help?

• Popl support: Help Center or teams@popl.co

• Okta administrator guides for SAML and SCIM: private SSO app setup, SCIM provisioning, and Group Push.

Appendix A — Minimal SAML attribute set

Okta Integration Network (OIN)

If your Okta tenant surfaces a Popl app in the Okta Integration Network, you may install it instead of creating private apps. The OIN option generally supports both SAML SSO and SCIM provisioning; if you don’t see Popl in your catalog, proceed with the private app approach documented above.

• Start here: SSO/SCIM for Okta — follow Part 1 (SAML SSO) and Part 2 (SCIM) in this guide, then compare with any defaults provided by your OIN app.

• Attribute mappings: OIN defaults can differ by tenant; validate NameID and profile attributes against the Recommended attribute mappings section above.

• Provisioning: After installing from OIN, enable Create/Update/Deactivate and confirm userName/email alignment to avoid duplicate accounts.

• Migration notes: Moving from a custom SAML/SCIM app to an OIN app can be seamless. Keep ACS URL, Entity ID, and userName/email consistent, pilot with a test group, then cut over.

• Need help? Contact Popl support (teams@popl.co) if the OIN listing is not visible in your region or you require custom mappings. If you prefer a lean assertion, start with:

• NameID: user.email (EmailAddress)

• email → user.email

• firstName → user.firstName

• lastName → user.lastName (You can add title/department/phone later without breaking SSO.)

Appendix B — Okta admin paths you’ll use

• Create SAML app: Applications → Create App Integration → SAML 2.0

• Turn on SCIM for the app: Application → your Popl app → General → App Settings → Provisioning = SCIM

• Map attributes: Application → your Popl app → Provisioning → To App → Mappings

• Push Groups: Application → your Popl app → Push Groups (by name or by rule)