Okta

This guide walks you through setting up SCIM provisioning with Okta for your Sketch Workspace. If you need help along the way, contact us and we’ll help you out.

Already use Okta for SSO? You’ll need to create a new custom app to enable SCIM. The Gallery app doesn’t support SCIM provisioning.

1. Create a custom Okta app

Sign in to your Okta account and open the Admin console. Make sure you can create and configure applications and groups.

  1. On the left sidebar, click Applications > Applications > Create App Integration.
  2. Select SAML 2.0 from the list.
  3. Name your app.
The Create App Integration dialog in Okta Admin console with SAML 2.0 selected

Configure SAML SSO

On the next screen, you’ll need to provide the SAML SSO configuration data from the web app.

  1. Paste your Workspace ACS URL in the Single sign-on URL field.
  2. Paste your Workspace Entity ID in the Audience URI field.

    To get these values, sign in to the web app as an Admin and go to Settings > Single Sign-on.

  3. Leave the rest of the form with the default values and click Next.

You’ll see an additional step where Okta asks you to provide data on how you configured the app. This step is optional — you can skip it.

The SAML Settings screen in Okta with the Single sign-on URL and Audience URI fields filled in

Add SAML attribute statements

After you create the custom app, open the Sign On tab and scroll to Attribute Statements. Click Add expression, then add the following:

  1. Email
    • Name: email
    • Expression: user.profile.email
  2. First Name
    • Name: first_name
    • Expression: user.profile.firstName
  3. Surname
    • Name: surname
    • Expression: user.profile.lastName
The Attribute Statements section in Okta’s Sign On tab with email, first_name, and surname expressions added

Upload the XML metadata file to your Workspace

  1. Scroll down to the SAML Signing Certificates section.
  2. Click Actions for the active certificate.
  3. Click View IdP metadata.
  4. Press S to save the XML file (IdP metadata).

Switch back to the web app and upload the downloaded XML file.

For more details on uploading metadata, see our finishing SSO setup documentation.

2. Configure SCIM

Activate SCIM

  1. Go to the General tab and click Edit in the App Settings section.
  2. Select SCIM in the Provisioning section.
  3. Click Save.
The App Settings section in Okta with SCIM selected as the provisioning method

Configure provisioning

To connect Okta to your Sketch Workspace, you’ll first need to enable SCIM and collect a few values:

  1. Open the web app and go to Settings > Single Sign-on.
  2. Click Enable SCIM.
  3. Have the SCIM Base URL and the SCIM token ready.

Switch to your Okta custom SCIM app:

  1. Open the Provisioning tab.
  2. Click Edit.
  3. Paste the SCIM Base URL from the web app in the SCIM connector base URL field in Okta.
  4. Type userName in the Unique identifier field for users.
  5. Select HTTP header in Authentication Mode and paste the SCIM token in the Bearer field.
  6. Click Test Connector Configuration.
  7. Click Save if your connection test is successful.
The Provisioning tab in Okta showing the SCIM connector base URL, unique identifier, and authentication fields

Create assignment groups

Create two groups to control which access level users get in your Sketch Workspace: editors or viewers.

  1. Go to Directory > Groups and click Add group.
  2. Name the group. Use a descriptive name, like Sketch-editors or Sketch-viewers.
  3. Add users to each group.
The Groups page in Okta Directory with Sketch-editors and Sketch-viewers groups listed

Create a custom attribute

You’ll need a custom attribute to control whether users are provisioned as Editors or Viewers in your Sketch Workspace.

  1. Go to Applications and select your Sketch SCIM app.
  2. Go to Provisioning > To App.
  3. Scroll down to the attribute list and click Go to Profile Editor.
  4. Click +Add Attribute.
The Add Attribute form in Okta’s Profile Editor filled in with the Sketch Access Level attribute details

Fill in these fields:

  • Data type: String
  • Display name: Sketch Access Level
  • Variable name: accessLevel
  • External name: Okta sets this automatically to accessLevel
  • External namespace: urn:ietf:params:scim:schemas:extension:sketch:1.0:User
  • Description: optional
  • Enum: Check this and add two values:
    • Display name: Editor; Value: editor
    • Display name: Viewer; Value: viewer
  • Attribute required: No
  • Attribute type: Group

Click Save to create the new attribute.
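
How the custom attribute above appears in a SCIM request, as an added example (not Sketch's or Okta's own code): under RFC 7643, an extension attribute is nested under its namespace URN, and that URN must also be listed in `schemas`. The helper names and the sample user are constructed, and the checker only reports a missing or unexpected value, because this page does not say how the Workspace treats one.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
# External namespace and enum values exactly as entered in the Profile Editor step.
SKETCH_EXT = "urn:ietf:params:scim:schemas:extension:sketch:1.0:User"
ACCESS_LEVELS = {"editor", "viewer"}


def build_scim_user(user_name, given, family, access_level, active=True):
    """Build a SCIM 2.0 User resource carrying the accessLevel extension."""
    return {
        "schemas": [CORE, SKETCH_EXT],
        "userName": user_name,  # the "Unique identifier field for users"
        "name": {"givenName": given, "familyName": family},
        "active": active,
        SKETCH_EXT: {"accessLevel": access_level},
    }


def check_scim_user(resource):
    """Return a list of problems found in a SCIM User resource (empty = OK)."""
    problems = []
    schemas = resource.get("schemas", [])
    if CORE not in schemas:
        problems.append("core User schema missing from schemas")
    if not resource.get("userName"):
        problems.append("userName is empty")
    ext = resource.get(SKETCH_EXT)
    if ext is None:
        problems.append("Sketch extension block missing")
    else:
        if SKETCH_EXT not in schemas:
            problems.append("extension present but its URN is not in schemas")
        level = ext.get("accessLevel")
        if level not in ACCESS_LEVELS:
            # "Editor" is the Okta display name; the value sent is "editor".
            problems.append(f"accessLevel {level!r} not in {sorted(ACCESS_LEVELS)}")
    return problems


if __name__ == "__main__":
    # Constructed sample user, not real data.
    user = build_scim_user("jane@example.com", "Jane", "Doe", "editor")
    print(json.dumps(user, indent=2))
    print(check_scim_user(user) or "OK")
```

Running the checker over a request body copied from a failed provisioning task shows whether the namespace or the enum value was mistyped in the Profile Editor.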

3. Activate provisioning

Activate provisioning before adding groups or users:

  1. Click on the Provisioning tab.
  2. Click Edit on the To App section.
  3. Enable the following actions:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  4. Click Save.
The To App provisioning settings in Okta with Create Users, Update User Attributes, and Deactivate Users enabled

Assign the groups to start syncing users

The last step is assigning groups to the custom app. This triggers user sync to create, update, or delete users in your Workspace.

  1. Open your custom SCIM/SSO app.
  2. Click on the Assignments tab.
  3. Click Assign > Assign to Groups.
  4. Select one of the groups and click Assign.
  5. Scroll to the bottom and set the access level that matches the group (editor or viewer).
  6. Repeat the same steps for the other group, so both groups are assigned to your app.
The Assign to Groups dialog in Okta with a Sketch group selected and an access level set

Considerations

  • If you reach your Editor seat limit, Okta will still provision the user, but we’ll add them as a Viewer to avoid unwanted extra charges.
  • If you disable a user in Okta, they’ll be deleted from the Workspace. Any documents in their My Drafts folder will move to a restricted folder that Workspace Admins can access.

Existing Okta SSO configuration

If you already use Okta for SSO, you’ll need to deactivate and delete the Gallery app, then create a new custom app to enable SCIM. The Gallery app doesn’t support SCIM provisioning.

Deleting the Gallery app won’t affect existing users or their documents. You don’t need to make any changes in your Sketch Workspace — Okta handles everything.

Ask users to sign out of their accounts and quit the Mac app before you deactivate the Gallery app. Once SCIM configuration is complete, they can sign in again with the same credentials.

  1. Sign in to your Okta account and open the Admin console.
  2. Go to Applications > Applications and find the Sketch SSO gallery app in the list.
  3. Deactivate the app. You need to deactivate it first, then delete it.

Once you’ve deleted the Gallery app, go back to step 1 to create the custom app and set up SCIM.