Okta
Ceven connects to your Okta tenant via SCIM 2.0, OIDC sign-in, and Global Token Revocation. Setup takes about five minutes and covers session termination, downstream SaaS deprovisioning, and audit-grade evidence capture.
What this integration does
- Session termination. When an employee is offboarded in Ceven, all Okta sessions end within seconds. Global Token Revocation propagates the signal to every app federated through Okta.
- Downstream deprovisioning. Any SaaS tool provisioned by Okta (Slack, Jira, Salesforce, etc.) loses the user automatically through Okta's SCIM push. Ceven also runs its own direct connectors for critical tools (Google Workspace, GitHub, 1Password).
- SOC 2 audit trail. Every SCIM operation is logged with actor, timestamp, IP, and before/after state. Exportable as newline-delimited JSON from `GET /api/v1/sso/audit-export`.
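As an added Python example, not Ceven's code, the script below reads such an export and answers the questions an offboarding review usually asks: who was deactivated, who gained the `admin` role, and whether a single actor deactivated many users in a short burst. The record layout (`timestamp`, `actor`, `ip`, `operation`, `before`, `after`) is assumed from the description above, and the sample lines are constructed; a bulk offboarding pushed by Okta will legitimately trip the burst check, which is exactly the event an auditor wants to see paired with an HR ticket.

```python
"""Review a SCIM audit export (newline-delimited JSON) for offboarding evidence.

Added example, not Ceven's code. The record layout (timestamp, actor, ip,
operation, before, after) is assumed from the integration description, and
SAMPLE_EXPORT is constructed. Fetch a real export with GET /api/v1/sso/audit-export.
"""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_EXPORT = """\
{"timestamp":"2024-05-01T09:00:00Z","actor":"okta-scim","ip":"203.0.113.10","operation":"PATCH /Users/u1","before":{"userName":"alice@example.com","active":true},"after":{"userName":"alice@example.com","active":false}}
{"timestamp":"2024-05-01T09:00:02Z","actor":"okta-scim","ip":"203.0.113.10","operation":"PATCH /Users/u2","before":{"userName":"bob@example.com","active":true},"after":{"userName":"bob@example.com","active":false}}
{"timestamp":"2024-05-01T09:00:03Z","actor":"okta-scim","ip":"203.0.113.10","operation":"PATCH /Users/u3","before":{"userName":"carol@example.com","active":true},"after":{"userName":"carol@example.com","active":false}}
{"timestamp":"2024-05-01T11:30:00Z","actor":"okta-scim","ip":"203.0.113.10","operation":"PATCH /Users/u4","before":{"userName":"dave@example.com","roles":["employee"]},"after":{"userName":"dave@example.com","roles":["admin"]}}
{"timestamp":"2024-05-01T12:00:00Z","actor":"okta-scim","ip":"203.0.113.10","operation":"POST /Users","before":null,"after":{"userName":"erin@example.com","active":true}}
not valid json
"""


def parse_export(text: str) -> Tuple[List[dict], int]:
    """Parse NDJSON into records sorted by time; malformed lines are counted, not silently dropped."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["_ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            bad += 1
    records.sort(key=lambda r: r["_ts"])
    return records, bad


def changed_fields(rec: dict) -> Dict[str, tuple]:
    """Field-level diff of the before/after state (before is null on create)."""
    before, after = rec.get("before") or {}, rec.get("after") or {}
    return {k: (before.get(k), after.get(k))
            for k in set(before) | set(after) if before.get(k) != after.get(k)}


def deactivations(records: List[dict]) -> List[dict]:
    """Records where the user's active flag flipped from true to false."""
    return [r for r in records if changed_fields(r).get("active") == (True, False)]


def admin_grants(records: List[dict]) -> List[str]:
    """Users whose roles attribute gained 'admin' in this export."""
    out = []
    for r in records:
        diff = changed_fields(r).get("roles")
        if diff and "admin" in (diff[1] or []) and "admin" not in (diff[0] or []):
            out.append(r["after"]["userName"])
    return out


def burst_deactivations(records: List[dict], window_seconds: int = 60,
                        threshold: int = 3) -> List[Tuple[str, int]]:
    """Actors that deactivated at least `threshold` users inside any `window_seconds` span."""
    by_actor = defaultdict(list)
    for r in deactivations(records):
        by_actor[r["actor"]].append(r["_ts"])
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, n)
        if best >= threshold:
            flagged.append((actor, best))
    return flagged


if __name__ == "__main__":
    recs, bad = parse_export(SAMPLE_EXPORT)
    print(len(recs), "records,", bad, "malformed line(s)")
    print("deactivated:", [r["after"]["userName"] for r in deactivations(recs)])
    print("admin granted to:", admin_grants(recs))
    print("bursts:", burst_deactivations(recs))
```

Point `parse_export` at the downloaded file instead of `SAMPLE_EXPORT` and the same three functions give you the deactivation list, privilege escalations, and burst summary for the audit period.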
What you'll need
- An active Okta tenant (Workforce Identity Cloud or dev org both work).
- Super Admin rights on Okta (required to create API tokens and configure SCIM).
- A Ceven admin account on your customer tenant.
Step 1 — Install Ceven from the OIN catalog
The Ceven integration is distributed through the Okta Integration Network. It ships with OIDC, SCIM 2.0, and Global Token Revocation pre-wired — you don't create an app from scratch.
- Sign in to your Okta admin console as a Super Admin.
- Go to Applications → Browse App Catalog and search for Ceven.
- Click Add Integration → Done. Okta creates the app with the correct sign-in redirect URI, initiate login URI, and post-logout URI already filled in for you.
Ceven's OIN listing is pending review. During the approval window, you can manually create an OIDC — Web Application integration and paste the URIs listed under Step 4. Your Ceven admin will send you the Client ID and Secret to complete the test.
Step 2 — Get your SCIM token (one click, inside Ceven)
SCIM tokens are minted inside Ceven, shown once, and scoped to a single organization. No CLI, no API calls — the whole thing is a button.
- Sign in at www.ceven.io/app/sso.
- Open the SCIM Tokens tab → New Token.
- Give it a label like "okta-production" → Generate.
- Copy the token that appears — it's shown once. (Revoke or rotate it any time from the same page.)
Under the hood the token is a 64-character secret, stored as an argon2id hash, and scoped to exactly the organization of the admin who minted it. Cross-tenant token reuse is impossible.
Step 3 — Paste the token into Okta's SCIM config
In the Okta app's Provisioning → Integration tab, click Edit, enable API Integration, and fill in:
| Field | Value |
|---|---|
| SCIM connector base URL | `https://api.ceven.io/api/v1/scim/v2` |
| Unique identifier field for users | `userName` |
| Supported provisioning actions | Push New Users, Push Profile Updates, Push Groups, Import Users |
| Authentication Mode | HTTP Header |
| Authorization | `Bearer <token from Step 2>` |

Click Test API Credentials → Save. Okta calls `/ServiceProviderConfig`, `/ResourceTypes`, `/Schemas`, and a paged `/Users` endpoint with your bearer token. A green "Connector configured successfully" message means SCIM is live.
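To reproduce that connector test outside the Okta UI, the following added Python script (not Ceven's or Okta's code) runs the same four probes against a base URL with a bearer token and maps a 404 or 401 to the fixes listed under Troubleshooting. The `stub_fetch` responder and its canned replies are constructed so the script runs offline; pass `http_fetch` instead to hit the real endpoint. The `schemas` and `totalResults` checks follow RFC 7643/7644, not anything Ceven documents.

```python
"""Replay the probes behind Okta's "Test API Credentials" button against a SCIM base URL.

Added example, not Ceven's or Okta's code. stub_fetch and its responses are
constructed stand-ins for the real endpoint; http_fetch performs real requests.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

BASE_URL = "https://api.ceven.io/api/v1/scim/v2"  # the base URL from Step 3
PROBES = ["/ServiceProviderConfig", "/ResourceTypes", "/Schemas", "/Users?startIndex=1&count=1"]

# A fetcher takes (url, headers) and returns (status, body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real GET; returns status and body on 4xx/5xx instead of raising."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def stub_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the SCIM endpoint so the script runs offline."""
    if headers.get("Authorization") != "Bearer good-token":
        return 401, b'{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"401"}'
    # A trailing slash on the base URL produces "//" in the path, which the server does not route.
    if not url.startswith(BASE_URL + "/") or "//" in url.split("://", 1)[1]:
        return 404, b"not found"
    if url[len(BASE_URL):].startswith("/Users"):
        return 200, b'{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"Resources":[]}'
    return 200, b'{"schemas":["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"]}'


def base_url_problems(base_url: str) -> List[str]:
    """Static checks for the usual 404 causes named under Troubleshooting."""
    problems = []
    if not base_url.startswith("https://"):
        problems.append("base URL must use https")
    if base_url.endswith("/"):
        problems.append("no trailing slash")
    if not base_url.rstrip("/").endswith("/scim/v2"):
        problems.append("base URL must end with /api/v1/scim/v2, no extra path segments")
    return problems


def check_scim_connector(base_url: str, token: str, fetch: Fetcher = http_fetch) -> dict:
    """Run every probe; each result carries a hint when it would fail Okta's test."""
    problems = base_url_problems(base_url)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    results = []
    for path in PROBES:
        status, body = fetch(base_url + path, headers)
        hint = None
        if status == 404:
            hint = "wrong base URL: " + ("; ".join(problems) or "check the path")
        elif status == 401:
            hint = "token rejected: revoked, expired or truncated; mint a new one"
        elif status != 200:
            hint = "unexpected status %d" % status
        else:
            try:
                doc = json.loads(body)
            except ValueError:
                doc = None
            # Every SCIM resource carries "schemas"; a paged ListResponse also carries totalResults.
            if not isinstance(doc, dict) or "schemas" not in doc:
                hint = "200 but body is not a SCIM resource (missing 'schemas')"
            elif path.startswith("/Users") and "totalResults" not in doc:
                hint = "paged /Users response lacks totalResults"
        results.append({"path": path, "status": status, "hint": hint})
    ok = not problems and all(r["hint"] is None for r in results)
    return {"ok": ok, "results": results}


if __name__ == "__main__":
    for base, tok in [(BASE_URL, "good-token"), (BASE_URL + "/", "good-token"), (BASE_URL, "stale")]:
        report = check_scim_connector(base, tok, stub_fetch)
        print(base, tok, "OK" if report["ok"] else "FAILED")
        for r in report["results"]:
            if r["hint"]:
                print("  %s -> %d: %s" % (r["path"], r["status"], r["hint"]))
```

The three runs in `__main__` show the healthy case, the trailing-slash 404, and the revoked-token 401, which are the first two entries under Troubleshooting.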
Step 4 — Turn on OIDC sign-in for your team
If you installed from the OIN catalog, these fields are already populated on the Okta app's Sign On / General tabs. Verify they match:
| Field | Value |
|---|---|
| Sign-in redirect URI | `https://api.ceven.io/api/v1/sso/okta/oidc/callback` |
| Initiate login URI | `https://api.ceven.io/api/v1/sso/okta/oidc/start` |
| Sign-out redirect URI | `https://www.ceven.io/login` |
| Grant type | Authorization Code |
| Scopes | `openid email profile` |
| Login initiated by | Either Okta or App |

Then, on the Okta Assignments tab, assign the users or groups who should be able to sign in to Ceven via Okta. Those users can now either:
- Click the Ceven tile on their Okta End-User Dashboard (IdP-initiated), or
- Visit `https://www.ceven.io/login` → Single Sign-On and enter their work email or Okta issuer (SP-initiated).
First-time Okta sign-ins auto-provision a Ceven user with the employee role. An existing Ceven admin can promote them under Team → Members, or you can pre-provision privileged users via SCIM and assign the Ceven "admin" entitlement.
Step 5 — Enable Global Token Revocation (recommended)
When you deactivate a user in Ceven (offboarding), Universal Logout kills their Okta session everywhere in under a second. Flip it on in the Okta app's General → Universal Logout:
| Field | Value |
|---|---|
| Universal Logout endpoint | `https://api.ceven.io/api/v1/sso/okta/universal-logout` |

Ceven verifies Okta's signed SSF JWT against the JWKS, enforces a 5-minute clock-skew window, and prevents replay via `jti` tracking. Matched users are deactivated in Ceven and in every connected downstream tool in the same pass.
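The checks in that sentence, as an added Python example that is not Ceven's code: parse the token, pin the algorithm, verify the signature, check issuer and audience, enforce the 5-minute skew on `iat`, and only then record the `jti` so that a replay is rejected. HS256 with a constructed shared secret stands in for Okta's asymmetric signature (a real receiver resolves the signing key from the issuer's JWKS and verifies RS256/ES256, for example with PyJWT's `PyJWKClient`); the issuer, audience, CAEP event-type URI, and email subject format are assumptions, not values Ceven or Okta document.

```python
"""Validate an inbound Security Event Token (SET, RFC 8417) for Universal Logout.

Added example, not Ceven's code. HS256 with a constructed secret stands in for
Okta's asymmetric signature; ISSUER, AUDIENCE, the event-type URI and the
email subject format are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

MAX_SKEW = 300  # seconds; the 5-minute window from Step 5
ISSUER = "https://example.okta.com"                                  # constructed
AUDIENCE = "https://api.ceven.io/api/v1/sso/okta/universal-logout"   # endpoint URL from Step 5
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"  # assumed


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_claims(email: str, jti: str, iat: int) -> dict:
    """Constructed SET claims for the demo (CAEP session-revoked event, email subject)."""
    return {"iss": ISSUER, "aud": AUDIENCE, "iat": iat, "jti": jti,
            "events": {SESSION_REVOKED: {"subject": {"format": "email", "email": email}}}}


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Compact JWT for the demo; stands in for the transmitter's signed token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, (header + "." + body).encode(), hashlib.sha256).digest()
    return header + "." + body + "." + b64url_encode(sig)


class ReplayCache:
    """jti values already acted on; entries too old to pass the iat check are pruned."""
    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}

    def first_time(self, jti: str, iat: int, now: int) -> bool:
        self._seen = {j: t for j, t in self._seen.items() if now - t <= 2 * MAX_SKEW}
        if jti in self._seen:
            return False
        self._seen[jti] = iat
        return True


def verify_set(token: str, secret: bytes, cache: ReplayCache, now: Optional[int] = None) -> dict:
    """Return {"ok": True, "email": ...} or {"ok": False, "reason": ...}."""
    now = int(time.time()) if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JOSE parts are not objects")
    except (ValueError, TypeError):
        return {"ok": False, "reason": "malformed token"}
    # Pin the algorithm: the header never gets to choose (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected alg"}
    expected = hmac.new(secret, (h + "." + b).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "reason": "bad signature"}
    if claims.get("iss") != ISSUER:
        return {"ok": False, "reason": "wrong issuer"}
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        return {"ok": False, "reason": "wrong audience"}
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > MAX_SKEW:
        return {"ok": False, "reason": "iat outside skew window"}
    events = claims.get("events")
    event = events.get(SESSION_REVOKED) if isinstance(events, dict) else None
    subject = event.get("subject") if isinstance(event, dict) else None
    if not isinstance(subject, dict) or subject.get("format") != "email" or not subject.get("email"):
        return {"ok": False, "reason": "no session-revoked event with an email subject"}
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        return {"ok": False, "reason": "missing jti"}
    # Replay check last: only a token that passed every other check may occupy the cache.
    if not cache.first_time(jti, iat, now):
        return {"ok": False, "reason": "replayed jti"}
    return {"ok": True, "email": subject["email"]}


if __name__ == "__main__":
    secret, cache, now = b"constructed-demo-secret", ReplayCache(), int(time.time())
    token = sign_hs256(make_claims("alice@example.com", "evt-1", now), secret)
    print(verify_set(token, secret, cache, now))       # accepted: alice@example.com
    print(verify_set(token, secret, cache, now + 5))   # rejected: replayed jti
    print(verify_set(sign_hs256(make_claims("bob@example.com", "evt-2", now - 600), secret), secret, cache, now))
```

Ordering matters: a forged or stale token must never reach `first_time`, otherwise an unauthenticated sender could fill the replay cache with `jti` values and block the genuine revocation that follows.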
Step 6 — Map Okta groups to Ceven roles (optional)
Ceven exposes three entitlement roles via SCIM: admin, member, employee. Okta's Entitlement Management auto-discovers them from GET https://api.ceven.io/api/v1/scim/v2/Roles.
Map Okta groups (e.g. "HR Admins", "Managers") to these roles so Ceven grants the right permissions on first sign-in. Mapping lives in Okta's Assignments → Group Rules, and Ceven applies it via the roles attribute on PATCH.
Supported SCIM 2.0 features
| Resource / Operation | Supported |
|---|---|
| GET /ServiceProviderConfig | Yes |
| GET /ResourceTypes | Yes |
| GET /Schemas | Yes |
| GET /Users (filter userName, externalId) | Yes |
| POST /Users | Yes |
| GET /Users/{id} | Yes |
| PUT /Users/{id} | Yes |
| PATCH /Users/{id} (active, displayName) | Yes |
| DELETE /Users/{id} (soft deactivate) | Yes |
| GET /Groups | Yes |
| POST /Groups + PATCH members | Yes |
| DELETE /Groups/{id} | Yes |
| Bulk operations | No |
| ETag / If-Match | No |
| Attribute filter (attributes=) | Partial |
Security posture
- Bearer tokens are stored as SHA-256 hashes — the raw token exists only in your IdP config and password manager.
- Each token is scoped to exactly one Ceven organization; cross-tenant token reuse is impossible.
- Tokens support explicit revocation and optional expiry dates. Revoked tokens fail auth immediately.
- All SCIM mutations are logged to `audit_log` with actor, IP, timestamp, and before/after state.
- TLS 1.2+ enforced by Caddy at the edge; the backend is reachable only over the private network.
- SCIM error responses follow RFC 7644 envelope format — no stack traces or internal details leaked.
Troubleshooting
- Okta reports "Test failed: 404 on /ServiceProviderConfig"
  - Make sure your base URL ends with `/api/v1/scim/v2` — no trailing slash, no extra path segments.
- Okta reports "Test failed: 401 Unauthorized"
  - The SCIM token is revoked, expired, or truncated. Head to `/app/sso`, mint a fresh token, and paste it into Okta.
- User push succeeds but the user doesn't appear in Ceven
  - The token is scoped to a different organization than you expected. Tokens only provision users into the org of the admin who minted them, so check which Ceven workspace you were signed into at mint time.
- Okta sign-in lands on `/login?okta_sso_error=okta_email_unverified`
  - The Okta user's email was never verified (the account was admin-created without activation). In the Okta admin console, send the user a password reset; that flips `emailVerified` to true on their next sign-in. Ceven no longer blocks sign-in when this is false, but still logs a warning for the audit trail.
- Deactivation succeeds in Okta but downstream tools still show the user as active
  - Connect those downstream tools as Ceven integrations directly. Okta only revokes at the IdP level; Ceven's per-tool adapters remove the user from Google Workspace, GitHub, 1Password, and other connected systems.
Need help?
Email support@ceven.io with your tenant ID and we'll walk you through it. For security incidents, use security@ceven.io.