Provisioning and deprovisioning users with SCIM

Modified on Tue, 23 Jul, 2024 at 8:21 AM

With SCIM functionality, super admins can quickly and easily provision and deprovision users in Asana from their identity management provider. Your organization can also be used to configure with SCIM. SCIM provisioning allows super admins to:

  • Create a new user
  • Update a user's profile attributes (Okta and Microsoft Entra ID only)
  • Import Asana users into their identity management provider
  • Import Asana teams into their identity management provider (Okta only)
  • Create teams in Asana from their identity management provider (Okta and Microsoft Entra ID only)
  • Deactivate a user

The following provisioning features are not supported by Asana:

  • Reactivating users
  • Deleting teams in Asana

Set up provisioning

To use SCIM provisioning, you will need to connect your organization's Asana account with one of our supported identity providers. Setup will vary according to the identity provider you use. Asana supports SCIM provisioning via:

Okta

Features

Super admins can easily provision and deprovision users in Asana from Okta. The integration between Asana and Okta relies on an industry-standard protocol called SCIM that allows super admins to:

  • Create users: Okta users assigned to the Asana application in Okta are automatically added as members to your organization in Asana.
  • Update user’s profile attributes: Attributes such as userName, title and department for a user’s profile can be synced from the user’s Okta profile to Asana.
  • Import users: Users created in Asana can be imported in Okta either matched against existing Okta users or created as new Okta users.
  • Import groups: Teams created in Asana can be imported as groups in Okta. Take into account Okta doesn't allow you to manage memberships of these imported groups.
  • Push groups: Groups and their members in Okta can be pushed to Asana (as Asana teams and team members).
  • Link groups: Existing teams in Asana can be linked to groups in Okta after importing the teams from Asana.
  • Deactivate users: Users can be deactivated in Asana if they are no longer assigned to the app in Okta.

The following provisioning features are not supported at the moment:

  • Reactivating users
  • Deleting teams in Asana
Importing users or groups with emojis in their names to Okta will cause failure, as Okta only supports characters encoded with 3 bytes or fewer.

Requirements

Please ensure that you meet the following requirements before turning on SCIM for your organization.

  1. You’re a super admin for an organization in Asana that’s on the Enterprise, Enterprise+, or Legacy Enterprise tier.
  2. You have the correct Okta plan for provisioning users via SCIM. Please see Okta’s lifecycle management offerings for more information.

If you meet these requirements, use the following steps to enable SCIM for your organization.

Steps

Step 1: Add Asana’s Okta integration app to your Okta account

asana okta integration
Login to Okta and add Asana’s Okta integration:
  1. Click Applications on the sidebar
  2. Click Browse App Catalog
asana okta integration2
To add Asana:
  1. Click Collaboration and Productivity
  2. Click Asana

add asana


Step 2: Connect your organization’s Asana account to your Okta account

To use SCIM provisioning, you'll need to connect your organization’s Asana account with your Okta account.

Complete the following steps in Asana

Login to a super admin account on Asana, and navigate to the admin console menu by clicking on your profile picture in the top right, and clicking Admin console. Navigate to the Apps tab and click Add service account.

Adding service accounts from the admin console.gif
From Permissions scopes, choose Scoped permissions, tick the User provisioning (SCIM) box and ensure all permissions below are checked. Scoped permissions only provide the API token access to user provisioning (SCIM). By limiting access you’re reducing security risks associated with the API token’s usage.
 
If you don’t want Okta to push groups to Asana teams, rename teams, or modify teams, then uncheck the team-related permissions.
Permission scopes window.png
 
Adding a service account will generate an API token, that you can use in the Provisioning tab in the Asana app within Okta.
Adding a service account.png

Complete the following steps in Okta

Login to your Okta admin portal and under the Applications tab, navigate to the Asana application.

okta admin portal
To connect Asana to your Okta account:
  1. Click on Provisioning
  2. Under the Settings sidebar click on Integration and click on Configure API Integration
  3. Check the Enable API integration box
  4. In the API Token field, enter the token you received in your service accounts tab in Asana.
  5. Click on Test API Credentials to verify the token is set up correctly
  6. Click Save to save your configuration in Okta

Step 3: Set up provisioning options for Asana in your Okta account

In Okta

Under the applications tab, navigate to the Asana app and click on Provisioning.

okta provisioning options
To set up provisioning options:
  1. Under the Settings sidebar click on To App
  2. Click on Edit at the top right
  3. Enable user provisioning options for the Asana app and click Save to apply integration settings
We recommend you enable Create Users, Update User Attributes, and Deactivate Users.
import tab
Use the Import tab to reconcile the users detected in Asana with the users you have in your Okta domain. Import any Asana users that you’d like to create or assign Okta accounts for.
assignments tab
Administer the users assigned to Asana as you would with SAML using the Assignments tab. Users will now be automatically kept in sync with the Asana members list.

Step 4: Map provisioned users into teams in Asana

To map Okta groups to Asana teams, you can decide to push new groups into Asana or link groups in Okta to existing teams in Asana. If you’re linking groups, please ensure that the teams you’d like to map them to are already set up inside Asana. Find out more about how to create a team in Asana.

In the Okta admin portal:

  • Go to the Asana app and click on Refresh App Groups in the Push Groups tab to update any imports or changes that occurred in Asana. This ensures that all groups from the target app are represented in Okta.
  • Click the Action button (Group Push Settings) if you want the ability to rename a group in Asana when linking. We recommend not renaming the app group to avoid any unintended changes to team names in Asana.
push groups
push groups

 

  1. Click on Push Groups
  2. Select By name and use a keyword to find the group in Okta
  3. When the group appears in the table, click the Match results and push action drop-down menu. Choose Link Group if you’re trying to map a group to an existing team. Otherwise, select Create group. Click Save to apply integration settings.
 
Please note that deletion of teams in Asana from Okta isn’t supported by this integration. Please use the Teams tab in the admin console in Asana to manage and delete teams.

Step 5: Configure attribute mappings for Asana

To configure and map attributes to user profiles in Asana, please follow the following steps.

  • Go to the Asana app and click on the Provisioning tab.
  • Configure the right options under the Asana Attribute Mappings section.
  • Select Create or Create and Update from the choices under the Apply on column.
Attribute
Type
Info
Notes on limitations
userName
string
Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Each User MUST include a non - empty userName value, and it must be an email address. REQUIRED.
 
name
complex
The user’s name
 
name.given
string
Unsupported, use formatted
 
name.familyName
string
Unsupported, use formatted
 
name.formatted
string
The full name of the user
 
emails
complex
Email addresses for the user
 
emails.value
string
Email address for the user
 
email.primary
string
Whether this email address is the preferred email address for this user. True may only appear once for this attribute.
 
title
string
The user's title, such as "Vice President".
 
department
string
Identifies the name of the department that the user belongs to.
 
preferredLanguage
string
Indicates the User's preferred written or spoken language. Used for selecting a localized user interface; e.g., 'en_US' specifies the language English and country US.
“Preferred language” can only be set for a user when the user is being created in Asana. Updates to the preferredLanguage field in Okta for existing Asana users don’t get reflected inside Asana.
active
boolean
Indicate whether the user’s account is active in Asana.
 

addresses

Multi-valued complex

The user’s work address

 

address.country

string
The user’s country as a two-letter code e.g., “US”
 

address.region

string
The user’s region e.g., “CA”
 

address.locality

string

The user’s city e.g., “San Jose”

 
phoneNumbers
Multi-valued complex

The user’s phone

 
phoneNumber.value
string

The user’s phone number e.g.,

“543-111-1111”

 

User

complex

Enterprise user schema extension attribute for the user

 
User.department
string

Name of the department that
the user belongs to

 
User.costCenter
string

Name of the cost center the
user belongs to

 
User.organization
string

Name of the organization the
user belongs to

 
User.division
string

Name of the division the user
belongs to

 
User.employeeNumber
string

A string identifier, typically numeric or alphanumeric, assigned to a person

 
User.manager
complex

The user’s manager

 
User.manager.value
string

The user ID for the user’s manager

 


Step 6: How to update your current Asana - Okta integration

If you’re currently using the Asana - Okta integration, please use the following steps to enable/access the latest updates.

update integration

 

  1. Click Provisioning
  2. Click Integration
  3. Click Edit
  4. Uncheck the Enable API integration and click Save

Then, click Edit again, check Enable API integration, enter the API token and click Save. Then, enable provisioning features. After this, you’ll see new attribute updates and integration capabilities reflected in the integration.

  • When deprovisioning a user from Asana within Okta, the user will be deleted within Asana (same behavior as if the account were removed within the Asana UI). Please exercise caution when deactivating users.
  • Assigning the Asana app to users in Okta will create that user profile within Asana, and trigger the same behavior as if they had been invited to Asana. It's important to note this when informing users that they have been assigned the Asana app.
  • Changing the Okta username at the Asana application level (i.e. username override) will trigger a deactivate call on the previous username to be issued against Asana. If this previous username was associated with an active Asana account, it will be deleted. Please exercise caution when applying application level overrides.
  • When creating or updating users, the users must have emails which match the domain of the organization in Asana (e.g. you can only provision users with an @asana.com email domain to the asana.com Asana organization). Organization guests will continue to be provisioned and deprovisioned, and managed within the admin console's Members tab only.
  • A user’s formattedName must match givenName and familyName. When mismatch is found, formattedName takes precedence and could revert/override the givenName and familyName field value changes. So during attribute mapping or manual app user profile updates, please ensure that the formatted name’s value matches the string combination of givenName and familyName during profile push. For example:
    • givenName = new firstname
    • familyName = new lastname
    • formattedName = new firstname new lastname

OneLogin

Learn how to configure SCIM provisioning using OneLogin here.

To enable SCIM functionality with non-natively integrated IdPs please check the necessary accepted attributes here.

SCIM deprovisioning customization

The super admin of an organization can choose how a user’s tasks are handled after they have been deprovisioned via SCIM or the API.

When a user is deprovisioned from Asana, a Previously assigned tasks project containing all of the public tasks that were assigned to the user is created.

An organization-wide setting in the admin console allows you to choose a super admin to become the owner of this project. The project owner can reassign the tasks as they see fit.

To assign the project owner role to a super admin:

deprovisioning
Navigate to Member removal settings in the Security tab of the Admin Console.

member removal settings
  1. Toggle on the option Create a new project for tasks previously assigned to removed members.
  2. Choose All super admins or a specific super admin from the drop-down menu.
  3. Check the box if you wish to include completed tasks in the project.
These customization settings will only apply when the user is removed from the organization via SCIM or API with a Service Account token.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article