SAML SSO & SCIM Provisioning

Configure SAML single sign-on and SCIM directory sync to manage authentication and user provisioning for your Outpost organization.

Outpost Enterprise supports SAML 2.0 Single Sign-On and SCIM v2 Directory Sync, enabling your organization to centralize authentication and automate user lifecycle management through your identity provider (IdP).

SAML SSO and SCIM are available exclusively on the Outpost Enterprise plan.

Overview

| Feature | What it does |
| --- | --- |
| SAML SSO | Members authenticate through your IdP instead of an Outpost password. Enforces your existing MFA, session, and conditional access policies. |
| SCIM v2 Sync | Automatically provisions users when they are assigned in your IdP, updates profile attributes, and deprovisions users when they are removed. |

Supported Identity Providers

Outpost works with any SAML 2.0 compliant identity provider. The following have been verified:

  • Okta
  • Azure Active Directory (Entra ID)
  • Google Workspace
  • OneLogin
  • JumpCloud
  • PingFederate

The guide below uses Okta as the reference IdP. The concepts and Outpost-side configuration are identical for other providers -- only the IdP-side steps differ.


Part 1: Configure SAML SSO

Step 1 -- Create a SAML Application in Okta

  1. In your Okta admin dashboard, navigate to Applications > Applications and click Create App Integration.
  2. Select SAML 2.0 as the sign-on method and click Next.
  3. On the General Settings page, enter Outpost as the app name and click Next.

Step 2 -- Configure SAML Settings

In the SAML Settings section, enter the following values:

| Field | Value |
| --- | --- |
| Single sign-on URL | https://outpost.run/auth/v1/auth/sso/saml/callback |
| Audience URI (SP Entity ID) | https://outpost.run |
| Name ID format | EmailAddress |
| Application username | Email |

Step 3 -- Configure Attribute Statements

In the Attribute Statements section, add the following mappings:

| Name | Value |
| --- | --- |
| id | user.id |
| email | user.email |
| firstName | user.firstName |
| lastName | user.lastName |

Click Next, then select I'm an Okta customer adding an internal app under Feedback and click Finish.

Step 4 -- Copy the Metadata URL

After the application is created, navigate to the Sign On tab. Copy the Metadata URL -- you will need it in the next step.

The Metadata URL allows Outpost to automatically fetch your IdP's certificates, endpoints, and configuration. This eliminates the need to manually upload certificate files.

Step 5 -- Enable SSO in Outpost

  1. In your Outpost organization dashboard, navigate to Settings > Security.
  2. Under SAML Single Sign-On, click Configure.
  3. Select Okta as the SAML provider (or Custom for other IdPs).
  4. Paste the Metadata URL from Step 4.
  5. Click Save changes. Outpost will validate the metadata and enable SSO for your organization.

Warning: After enabling SAML SSO, existing members who have not been assigned to the SAML application in your IdP will not be able to sign in until they are assigned. Coordinate with your IdP administrator to assign users before enforcing SSO.

Step 6 -- Assign Users in Okta

Navigate to the Assignments tab of your Outpost application in Okta. Click Assign and select users or groups. Assigned users will receive an invitation email to join your Outpost organization.

For other identity providers, refer to your IdP's documentation for assigning users to a SAML application. The Outpost-side configuration (Steps 4-5) is the same regardless of IdP.

Configuration for Other Providers

If you are using a provider other than Okta, use these values when configuring the SAML application:

ACS (Assertion Consumer Service) URL: https://outpost.run/auth/v1/auth/sso/saml/callback
Entity ID / Audience: https://outpost.run
Required Attributes:
  - id (unique user identifier)
  - email (user email address)
  - firstName (user first name)
  - lastName (user last name)
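A local check of the values listed above against a decoded assertion from a test login, as an added example (not Outpost's code). It assumes you have captured the assertion XML from your own IdP, and that the EmailAddress Name ID format appears as the standard SAML 1.1 URI; `check_assertion` and `constructed_assertion` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from this page's SAML settings.
ACS_URL = "https://outpost.run/auth/v1/auth/sso/saml/callback"
AUDIENCE = "https://outpost.run"
REQUIRED_ATTRS = {"id", "email", "firstName", "lastName"}
# Standard SAML URI behind the "EmailAddress" Name ID format.
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text):
    """List mismatches with the expected settings (no signature or validity checks)."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if AUDIENCE not in audiences:
        problems.append(f"Audience is {sorted(audiences)}, expected {AUDIENCE}")
    recipients = {d.get("Recipient") for d in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if recipients != {ACS_URL}:  # exact match: a trailing slash is a mismatch
        problems.append(f"Recipient is {sorted(map(str, recipients))}, expected {ACS_URL}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not EmailAddress")
    # An attribute counts as present only if it carries a non-empty value.
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
               if (a.findtext("saml:AttributeValue", "", NS) or "").strip()}
    for name in sorted(REQUIRED_ATTRS - present):
        problems.append(f"attribute '{name}' is missing or empty")
    return problems

def constructed_assertion(recipient=ACS_URL, first_name_attr="firstName"):
    """Constructed, unsigned sample assertion (not captured from a real IdP)."""
    values = {"id": "00u-example", "email": "ana@example.com",
              first_name_attr: "Ana", "lastName": "Diaz"}
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    f'</saml:AttributeValue></saml:Attribute>' for n, v in values.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{NAMEID_FORMAT}">ana@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/>'
            f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
            f'<saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    print(check_assertion(constructed_assertion()))
    print(check_assertion(constructed_assertion(ACS_URL + "/", "first_name")))
```

Run it only on assertions from your own IdP: the standard-library XML parser is not hardened against hostile input.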

Part 2: Configure SCIM Directory Sync

SCIM v2 automates user provisioning. When you assign a user to the Outpost application in your IdP, they are automatically invited to your Outpost organization. When you unassign or deactivate them, their Outpost access is revoked.

Configure SCIM before assigning users in your IdP. This ensures users are automatically provisioned in Outpost when they are assigned, rather than requiring manual invitation.

Step 1 -- Enable Directory Sync in Outpost

  1. In your Outpost organization dashboard, navigate to Settings > Security.
  2. Under Directory Sync, click Configure.
  3. Select Okta as the directory provider and click Save changes.
  4. Outpost generates two values. Copy both -- you will need them in the next step:
    • SCIM 2.0 Base URL
    • OAuth Bearer Token

Step 2 -- Enable SCIM in Okta

  1. In your Okta Outpost application, go to the General tab, click Edit under App Settings, enable SCIM provisioning, and click Save.
  2. A new Provisioning tab appears. Select it and click Edit.
  3. Fill in the SCIM configuration:

     | Field | Value |
     | --- | --- |
     | SCIM connector base URL | The SCIM 2.0 Base URL from Step 1 |
     | Unique identifier field for users | userName |
     | Authentication Mode | HTTP Header |

     Paste the OAuth Bearer Token from Step 1 into the Authorization field.

  4. Under Supported provisioning actions, enable:
    • Push New Users
    • Push Profile Updates
    • Push Groups
  5. Click Test Connector Configuration to verify the connection, then click Save.

Step 3 -- Enable Provisioning Actions

Under the Provisioning > To App section, click Edit and enable:

  • Create Users -- Provision new users in Outpost when assigned in Okta.
  • Update User Attributes -- Sync profile changes (name, email) to Outpost.
  • Deactivate Users -- Remove Outpost access when a user is unassigned or deactivated in Okta.

Click Save.

Step 4 -- Assign Users and Groups

Navigate to the Assignments tab of your Outpost application in Okta. Assign individual users or groups. SCIM will automatically:

  1. Create the user in Outpost and send an invitation email.
  2. Keep profile attributes in sync with your Okta directory.
  3. Revoke access if the user is unassigned or deactivated.

Testing Your Configuration

Verify SAML SSO

  1. Open a private/incognito browser window.
  2. Navigate to https://outpost.run/login.
  3. Click Sign in with SSO and enter your organization's namespace.
  4. You should be redirected to your IdP's login page. After authenticating, you are returned to Outpost.

Verify SCIM Provisioning

  1. In your IdP, assign a test user to the Outpost application.
  2. Verify the user receives an invitation email and appears in Settings > Members in your Outpost dashboard.
  3. Unassign the test user in your IdP.
  4. Verify the user's access is revoked in Outpost.

Tip: If provisioning does not work as expected, check the System Log in your Okta admin dashboard for SCIM-related errors. Common issues include incorrect Base URLs and expired Bearer Tokens.
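The single-user verification above, extended to the whole directory as an added example (not Outpost's code): it compares a SCIM 2.0 ListResponse of users with the list of users assigned in the IdP and reports accounts that should have been revoked or were never provisioned. It assumes you can export both lists, for instance via a standard RFC 7644 `GET <SCIM 2.0 Base URL>/Users` (this page does not state whether Outpost's endpoint allows listing); `reconcile` and the sample data are hypothetical.

```python
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def reconcile(list_response_json, assigned_usernames):
    """Compare a SCIM ListResponse of users with the IdP's assignment list.

    Returns (stale, missing):
      stale   - active in the application but no longer assigned in the IdP
      missing - assigned in the IdP but absent or inactive in the application
    """
    body = json.loads(list_response_json)
    if LIST_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = body.get("Resources", [])
    if body.get("totalResults", 0) > len(resources):
        raise ValueError("response is paginated; fetch all pages before reconciling")
    # userName is the unique identifier configured in Step 2 and is
    # case-insensitive in the SCIM core schema (RFC 7643), so fold case.
    assigned = {u.casefold() for u in assigned_usernames}
    # "active" is optional; treat a missing flag as active so nothing is overlooked.
    active = {r["userName"].casefold() for r in resources if r.get("active", True)}
    return sorted(active - assigned), sorted(assigned - active)

# Constructed sample data, not taken from a real directory.
SAMPLE_LIST = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "Resources": [
        {"userName": "Ana@example.com", "active": True},
        {"userName": "bo@example.com", "active": False},
        {"userName": "cy@example.com", "active": True},
    ],
})
SAMPLE_ASSIGNED = ["ana@example.com", "bo@example.com"]

if __name__ == "__main__":
    stale, missing = reconcile(SAMPLE_LIST, SAMPLE_ASSIGNED)
    print("still active but unassigned:", stale)
    print("assigned but not active:", missing)
```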

Troubleshooting

| Problem | Solution |
| --- | --- |
| SSO redirect fails | Verify the Metadata URL is accessible and the ACS URL matches exactly. |
| Users not provisioned via SCIM | Confirm SCIM provisioning actions (Create, Update, Deactivate) are enabled in your IdP. |
| 401 Unauthorized from SCIM connector | Regenerate the OAuth Bearer Token in Outpost and update it in your IdP. |
| Attribute mapping errors | Ensure id, email, firstName, and lastName attributes are mapped correctly. |
| Deactivated users can still access Outpost | Check that "Deactivate Users" is enabled in your IdP's provisioning settings. |