Get Started
Log In
PersonalBusinessDownloadPricingHelpBlogContactBusiness SalesGet StartedLog In

Okta SCIM Integration

System of cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.


SCIM Integrations are available for Enterprise organizations. Teams organizations, or customers not using a SCIM-compatible identity provider, may consider using Directory Connector as an alternative means of provisioning.

This article will help you configure a SCIM integration with Okta. Configuration involves working simultaneously with the Bitwarden web vault and Okta Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

Enable SCIM


Are you self-hosting Bitwarden? If so, complete these steps to enable SCIM for your server before proceeding.

To start your SCIM integration, open your organization's Manage SCIM Provisioning page:

SCIM Provisioning
SCIM Provisioning

Select the Enable SCIM checkbox and take note of your SCIM URL and SCIM API Key. You will need to use both values in a later step.

Create an app

In the Okta Admin Portal, select ApplicationsApplications from the navigation. On the Application screen, select the Browse App Catalog button:

Browse App Catalog
Browse App Catalog

In the search bar, enter SCIM and select SCIM 2.0 Test App (Header Auth):

SCIM 2.0 Test App
SCIM 2.0 Test App

Select the Add Integration button to proceed to configuration.

General settings

On the General Settings tab, give the application a unique, Bitwarden-specific label and select Next.

Sign-On options

For now, skip the options on this screen and select Done.

Setup provisioning

Provisioning settings

Open the Provisioning tab select the Configure API Integration button:

Configure API Integration
Configure API Integration

Once selected, Okta will list a few options for you to configure:

  1. Check the Enable API Integration checkbox.

  2. In the Base URL field, enter your SCIM URL (learn more).

  3. In the API Token field, enter your SCIM API Key (learn more).

  4. Check the Import Groups checkbox.

Once you are finished, use the Test API Credentials button to test your configuration. If it passes the test, select the Save button.

Set Provisioning actions

On the Provisioning To App screen, select the Edit button:

Provisioning To App
Provisioning To App

Enable, at a minimum, Create Users and Deactivate Users. Select Save when you are done.


Please note, Bitwarden does not support changing a user's email address once provisioned. Bitwarden also does not support changing a user's email address type, or using a type other than primary. Learn more.


Open the Assignments tab and use the Assign dropdown menu to assign people or groups to the application. Assigned users and groups will be automatically issued an invitation. Depending on your workflow, you may need to use the Push Groups tab to trigger group provisioning once they are assigned.

Finish user onboarding

Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to accept the invitation and, once they have, confirm them to the organization.


The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.




  • Resource Center
  • Community Forums
  • Security Compliance
  • Success Stories
  • User Reviews
  • Newsfeed
  • Subscribe to Updates
©2022 Bitwarden, Inc.
Terms Privacy Sitemap