Setting Up SSO & SCIM Provisioning

Statux supports SAML 2.0 Single Sign-On (SSO) and SCIM 2.0 automated user provisioning. This guide walks you through setting up both with your identity provider.

Prerequisites

Platform admin access to your Statux dashboard
An identity provider that supports SAML 2.0 (Okta, Azure AD / Entra ID, OneLogin, etc.)

1 Get Your Service Provider Details

Sign in to your Statux dashboard as a platform admin
Go to the Team section
Scroll to SSO & Provisioning
Note the ACS URL and Entity ID — you'll need these for your identity provider

2 Configure Your Identity Provider

In the Okta admin console, go to Applications → Create App Integration
Select SAML 2.0 and click Next
Give the app a name (e.g., "Statux") and click Next
Configure SAML settings:
- • Single sign-on URL: Paste the ACS URL from Statux
- • Audience URI (SP Entity ID): Paste the Entity ID from Statux
- • Name ID format: EmailAddress
- • Application username: Email

Under Attribute Statements, add:

Name	Value
`email`	`user.email`
`name`	`user.firstName + " " + user.lastName`

Click Next, then Finish
Go to the Sign On tab and copy the Metadata URL (under "SAML Signing Certificates" → Actions → View IdP metadata, copy the URL)
Paste this URL into the Statux dashboard SSO configuration

• Configure a new SAML application in your identity provider
• Set the ACS URL (also called Reply URL or SSO URL) to the value from Statux
• Set the Entity ID (also called Audience or Identifier) to the value from Statux

• Map these attributes:

Attribute	Value	Required
`email`	User's email address	Yes
`name`	User's display name	Optional

• Export or copy the SAML Metadata URL
• Paste the Metadata URL into the Statux dashboard

3 Enable SSO in Statux

In the Team → SSO & Provisioning section, enter:
- • Provider Name: A short label (e.g., "Okta", "AzureAD")
- • Metadata URL: The URL you copied from your identity provider
Click Enable SSO
Test by clicking Sign in with SSO on the sign-in page

4 Configure SCIM Provisioning Optional

SCIM automates user account creation and deactivation when users are added or removed in your identity provider.

In Team → SSO & Provisioning → SCIM Provisioning, click Create Token
Give the token a name (e.g., "Okta SCIM") and click Create
Copy the token immediately — it won't be shown again
Important: The SCIM token is only displayed once upon creation. Store it securely.
In your identity provider's SCIM provisioning settings:
- • SCIM connector base URL: Copy from the Statux dashboard
- • Unique identifier field: userName
- • Authentication mode: HTTP Header / Bearer Token
- • Bearer token: Paste the token you copied

Configure attribute mapping:

SCIM Attribute	Maps To
`userName`	Email
`givenName`	First name
`familyName`	Last name
`active`	Account status

Enable provisioning and test with a single user

Troubleshooting

SSO login redirects back to sign-in page

• Verify the ACS URL and Entity ID match exactly in both Statux and your IdP
• Check that the Metadata URL is accessible (try opening it in a browser)

SCIM provisioning returns 401 Unauthorized

• Verify the bearer token hasn't been revoked
• Check that the SCIM Base URL is correct (includes /api/v1/scim/v2)

Users created via SCIM can't sign in

• SCIM creates user accounts but doesn't configure authentication. Users still need to sign in via SSO or email/password.

"Provider already exists" error

• You can only have one SAML provider configured at a time. Remove the existing one first.