SCIM User Provisioning Through Okta
Features
- Create users: Okta users will be created in the SparkPost application.
- Update user roles: SparkPost user roles can be changed via Okta.
- Deactivate users: Deactivating an Okta user will remove it in the SparkPost application.
- Import users: Users created in SparkPost can be imported into Okta and either matched against existing Okta users or created as new Okta users.
Requirements
- You must be a premier or enterprise customer. See our pricing page for more details. Test accounts can also evaluate SCIM Provisioning.
- SAML SSO must be configured and enabled for your account. See instructions here.
- Only admin users can generate SCIM access tokens.
Configuration in SparkPost
- From your SparkPost dashboard, navigate to your Account Settings page by clicking on your username at the upper right corner of the screen.
- Under "Single Sign-On" click "Generate SCIM token".
- Your token will be displayed. Copy it - you won't be able to see it again (don't worry, if you lose it you can generate a new one).
Configuration in Okta
- From the Okta admin console, navigate to "Applications" and select the SparkPost app.
- Select the "Sign On" tab. Ensure that under "Credentials Details", "Application username format" is set to "Email".
- Click "View Setup Instructions" to set up SSO and get the Callback URL and Audience URI.
- Select the "Provisioning" tab, and from the "Integration" menu click "Configure API Integration".
- Check "Enable API Integration".
- In the "Base URL" field:
  - For US-hosted customers, enter https://api.sparkpost.com/api/v1/users/scim/v2
  - For EU-hosted customers, enter https://api.eu.sparkpost.com/api/v1/users/scim/v2
  - For Enterprise customers, enter https://<host>.api.e.sparkpost.com/api/v1/users/scim/v2

  Enterprise customers: note that you must replace <host> with your SparkPost tenant name. Please see your TAM if you need assistance determining your callback URL.
- In the "API Token" field, paste the SCIM token you generated.
- Click "Test API Credentials" to verify settings are correct.
- Click "Save".
- In the "To App" section of the "Provisioning" tab, enable "Create Users", "Update User Attributes", and "Deactivate Users". Click "Save".
Import Existing SparkPost users
- Select the "Import" tab and click "Import Now".
- Verify "Okta User Assignments" match existing users or create new users.
- Click "Confirm Assignments".
- Verify changes and click "Confirm".
- Verify users exist in SparkPost application.
Managing User Roles with Okta Groups
You can use Okta groups to automatically assign SparkPost roles to users provisioned via SCIM. Instead of setting each user's role individually, you create Okta groups that map to SparkPost roles and assign users to those groups. Role changes are pushed to SparkPost automatically when group membership changes.
Supported Roles
| Role | Description |
|---|---|
| admin | Admins have all permissions and are the only users that can manage users, security, and billing settings. |
| developer | Can create and edit API Keys and access all email-related account settings. |
| templates | Can manage Templates, AB Tests, Recipient Lists, and Suppressions. View-only access to Domains, Subaccounts, IP Pools, and all reporting and analytics features. |
| reporting | Access to all reporting features and view-only access to Domains, Subaccounts, and IP Pools. Cannot edit account or feature settings. |
If no role is specified, users default to reporting.
Step 1: Create Okta Groups
Create one Okta group per SparkPost role you want to manage. For example:
- SparkPost - Admin
- SparkPost - Developer
- SparkPost - Templates
- SparkPost - Reporting
Go to Directory > Groups and click Add Group to create each one.
Step 2: Assign Groups to the SparkPost Application
- In the Okta admin console, go to Applications > SparkPost and select the Assignments tab.
- Click Assign > Assign to Groups.
- In the dialog, click Assign next to each SparkPost group you created.
- For each group, set the role field to the corresponding SparkPost role (e.g., admin for the "SparkPost - Admin" group). Click Save and Go Back.
- Repeat for each group, then click Done.
Step 3: Add Users to Groups
Add users to the appropriate Okta group. Go to Directory > Groups, select a group, and click Assign people. When provisioned, they will receive the corresponding SparkPost role.
Changing a User's Role
Move the user from one SparkPost group to another in Okta. The role change is pushed to SparkPost automatically via SCIM on the next sync.
Managing Group Priority
If a user belongs to multiple groups assigned to the SparkPost application, Okta uses group priority to determine which role is sent. The group with the highest priority (lowest number) wins.
To manage group priority:
- Go to Applications > SparkPost > Assignments and click on the Groups filter.
- Drag and drop the groups to reorder them. The group at the top (priority 1) takes precedence.
For example, if a user belongs to both "SparkPost - Admin" (priority 1) and "SparkPost - Reporting" (priority 3), they will be assigned the admin role.
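The priority rule above can be modelled offline for an access review. The following is an added example, not SparkPost or Okta code: the data shapes, function names and sample assignments are constructed, and it assumes that an empty role field on the winning group results in the default reporting role.

```python
# Added example: model of the group-priority rule for an access review.
# Data shapes and names are assumptions; all sample data is constructed.
VALID_ROLES = {"admin", "developer", "templates", "reporting"}
DEFAULT_ROLE = "reporting"  # per the page: no role specified -> reporting

# Constructed sample: groups assigned to the SparkPost app (priority 1 wins).
APP_GROUPS = {
    "SparkPost - Admin": {"priority": 1, "role": "admin"},
    "SparkPost - Developer": {"priority": 2, "role": "developer"},
    "SparkPost - Reporting": {"priority": 3, "role": "reporting"},
    "SparkPost - Legacy": {"priority": 4, "role": None},  # role left empty
}

# Constructed sample: user -> Okta group memberships.
MEMBERSHIPS = {
    "alice@example.com": ["SparkPost - Reporting", "SparkPost - Admin"],
    "bob@example.com": ["SparkPost - Developer"],
    "carol@example.com": ["SparkPost - Legacy"],
    "dave@example.com": ["Engineering"],  # group not assigned to the app
}


def effective_role(user_groups, app_groups):
    """Return (role, winning_group), or (None, None) if the user is unassigned."""
    assigned = [g for g in user_groups if g in app_groups]
    if not assigned:
        return None, None
    # Lowest priority number is the highest priority.
    winner = min(assigned, key=lambda g: app_groups[g]["priority"])
    role = app_groups[winner]["role"] or DEFAULT_ROLE  # assumption, see lead-in
    if role not in VALID_ROLES:
        raise ValueError(f"{winner}: unsupported role {role!r}")
    return role, winner


def review(memberships, app_groups):
    """List users who get admin only because an admin group outranks another."""
    findings = []
    for user, groups in sorted(memberships.items()):
        role, winner = effective_role(groups, app_groups)
        others = [g for g in groups if g in app_groups and g != winner]
        if role == "admin" and others:
            findings.append((user, winner, others))
    return findings


if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        print(user, effective_role(groups, APP_GROUPS))
    print("review:", review(MEMBERSHIPS, APP_GROUPS))
```

The review output lists users whose membership in a lower-privilege group is overridden by an admin group, which is the case worth confirming with the group owner.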
Known Issues / Troubleshooting
- If you have questions or difficulties with your SparkPost/Okta SCIM integration, please submit a support ticket.