
Single sign-on (SSO) is an authentication scheme that allows users to log in to Storyblok using their existing accounts from trusted third-party services.

SSO ensures secure, seamless access with a single ID managed by a specialized identity provider (IdP), which eliminates the need to create additional, per-app accounts.

Storyblok supports the following IdPs and SAML standards:

Identity providers

  • Auth0
  • Google Workspace
  • JumpCloud
  • Microsoft Entra ID
  • Okta
  • OneLogin
  • Salesforce

SAML standards

  • SAML 2.0
  • SAML 1.0

In addition to SSO, Storyblok organization and space admins can use the System for Cross-domain Identity Management (SCIM) standard to reduce manual processes and keep access in sync.

An open standard for user provisioning, SCIM automatically creates and updates users from an IdP, and manages Storyblok space assignments through groups.

Storyblok acts as the server that receives the requests and supports SCIM provisioning via two IdPs: Microsoft Entra ID and Okta. These services act as the clients that send requests.

To configure SSO with Microsoft Entra ID, first contact Storyblok’s support team and provide your tenant ID and the domains you use for SSO login.

Follow Microsoft's guide to find your Entra tenant ID.

  1. Create an enterprise application

    Follow Microsoft's guide to add an enterprise application for Storyblok.


  2. Configure the callback URLs

    In Storyblok, open your organization's Settings → SSO & Provisioning, and copy the SSO Identifier. For more information, check the Organizations manual security section.

    Back in Microsoft's dashboard, paste the following values in the relevant fields—replace YOUR-SSO-IDENTIFIER with your actual SSO Identifier:

    Field name: Value

      • Identifier (Entity ID): https://mapi.storyblok.com/saml/metadata?connection=YOUR-SSO-IDENTIFIER
      • Reply URL (Assertion Consumer Service URL): https://mapi.storyblok.com/saml/consume?connection=YOUR-SSO-IDENTIFIER



  3. Verify the SSO setup in Storyblok

    Once you're done, open Storyblok and confirm that the Sign in via SSO button appears for users who access one of the configured domains.

To enable SCIM provisioning for your organization, contact Storyblok’s support team.

  1. Configure automatic user provisioning

    Follow Microsoft’s guide to configure automatic user provisioning.


    Find the Tenant URL and Secret Token in your Storyblok organization: open Settings → SSO & Provisioning, copy the SCIM Base URL, and paste it into the Tenant URL field in Microsoft Entra ID. Then, generate the SCIM token and paste it into the Secret Token field.

  2. Manage users and groups in Microsoft Entra ID

    To assign and unassign users of an enterprise application in Microsoft Entra ID, follow Microsoft’s guide on assigning users and groups to an application.


    To assign users to a group, follow Microsoft’s guide on how to Manage Microsoft Entra groups and group membership.


  3. Map Storyblok space roles to Microsoft Entra ID groups

    To integrate Storyblok space roles with Microsoft Entra ID groups, open Settings → Roles and select the desired role. Then, enable This role is for integration with SSO, and paste the group’s External ID into the External ID (Used for SSO) field.

    Find the External ID of the Microsoft Entra ID groups you configured for your organization: open Settings → SSO & Provisioning → SCIM Groups section.


  4. Start provisioning


    In Microsoft Entra ID, open Enterprise Applications → Your_Enterprise_Application → Provisioning and select Start provisioning. Microsoft Entra ID starts an initial provisioning cycle and then continues with automatic incremental synchronization. For details, visit Microsoft’s guide on checking the status of user provisioning.



  5. Verify the SCIM provisioning setup in Storyblok


    Finally, to verify the SCIM provisioning in Storyblok, check that the assigned users who accepted the invite to the Storyblok space appear with an euid in this format: user-scim-externalid|scim|{org_id}|@yourdomain.com


To verify that Microsoft Entra ID correctly revokes user access in Storyblok, follow the steps below:

  1. Disable a user or remove them from the enterprise application in Microsoft Entra ID.
  2. Start provisioning.
  3. Wait for the synchronization cycle to complete.
  4. Confirm that Storyblok disables the user in the organization.

To configure SSO with Okta, first contact Storyblok’s support team and provide your IdP metadata (an XML file) and the domains you use for SSO login.

  1. Create the Storyblok application in Okta

    Follow Okta's guide to create SAML app Integrations.

  2. Configure the callback URLs

    In Storyblok, open your organization's Settings → SSO & Provisioning, and copy the SSO Identifier. For more information, check the Organizations manual security section.

    Back in Okta, paste the following values in the relevant fields—replace YOUR-SSO-IDENTIFIER with your actual SSO Identifier:

    Field name: Value

      • Audience URI (SP Entity ID): https://mapi.storyblok.com/saml/metadata?connection=YOUR-SSO-IDENTIFIER
      • Single sign-on URL: https://mapi.storyblok.com/saml/consume?connection=YOUR-SSO-IDENTIFIER



  3. Verify the SSO setup in Storyblok

    Once you're done, open Storyblok and confirm that the Sign in via SSO button appears for users who access one of the configured domains.

To enable SCIM provisioning for your organization, contact Storyblok's support team.

  1. Configure automatic user provisioning

    Follow Okta’s guide to add SCIM provisioning.

    Find the Tenant URL and Secret Token in your Storyblok organization: open Settings → SSO & Provisioning, copy the SCIM Base URL, and paste it into the SCIM connector base URL field in Okta. Then, select HTTP Header as the authentication mode, and paste the SCIM token from Storyblok in the Authorization field.

    Storyblok supports all provisioning actions.

  2. Manage users and groups in Okta

    First, follow Okta's guide on creating a user. Next, assign the user to the Storyblok app. Then, follow the steps to create a group, and finally, assign the user to the group.

  3. Map Storyblok space roles to Okta groups

    To integrate Storyblok space roles with Okta groups, open Settings → Roles and select the desired role. Then, enable This role is for integration with SSO, and paste the group's External ID into the External ID (Used for SSO) field.

    Find the External ID of the Okta groups you configured for your organization: open Settings → SSO & Provisioning → SCIM Groups section.

  4. Verify the SCIM provisioning setup in Storyblok


    Finally, to verify the SCIM provisioning in Storyblok, check that the assigned users who accepted the invite to the Storyblok space appear with an euid in this format: user-scim-externalid|scim|{org_id}|@yourdomain.com
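
The euid check in the verification steps for Microsoft Entra ID and Okta can be scripted over a list of euid values copied from Storyblok. This is an added example, not Storyblok's code: it assumes the euid is four "|"-separated fields whose last field is "@" plus the domain, and the function names, org ID, and sample values are constructed for illustration.

```python
# Added example: audit euid values against the documented pattern
#   user-scim-externalid|scim|{org_id}|@yourdomain.com
# Assumption: four "|"-separated fields, the last one "@" + domain.

def check_euid(euid, org_id, allowed_domains):
    """Return a list of problems for one euid (empty list = matches the pattern)."""
    allowed = {d.lower() for d in allowed_domains}
    parts = euid.strip().split("|")
    if len(parts) != 4:
        return ["not in the four-field SCIM euid format"]
    external_id, marker, org, domain = parts
    problems = []
    if not external_id:
        problems.append("empty external id")
    if marker != "scim":
        problems.append(f"provisioning marker is {marker!r}, expected 'scim'")
    if org != str(org_id):
        problems.append(f"org id {org!r} does not match {str(org_id)!r}")
    if not domain.startswith("@"):
        problems.append("domain field does not start with '@'")
    elif domain[1:].lower() not in allowed:
        problems.append(f"domain {domain[1:]!r} is not a configured SSO domain")
    return problems

def audit_euids(euids, org_id, allowed_domains):
    """Map each non-conforming euid to its list of problems."""
    findings = {}
    for euid in euids:
        problems = check_euid(euid, org_id, allowed_domains)
        if problems:
            findings[euid] = problems
    return findings

# Constructed sample values (not real accounts); org ID 12345 is a placeholder.
SAMPLE_EUIDS = [
    "00u1abcd|scim|12345|@example.com",             # matches the pattern
    "00u2efgh|scim|99999|@example.com",             # different organization
    "00u3ijkl|scim|12345|@contractor.example.net",  # domain not configured for SSO
    "jane@example.com",                             # not provisioned through SCIM
]

if __name__ == "__main__":
    for euid, problems in audit_euids(SAMPLE_EUIDS, "12345", ["example.com"]).items():
        print(euid, "->", "; ".join(problems))
```

Run it again after the revocation test to confirm that only expected accounts remain in the list.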


To verify that Okta correctly revokes user access in Storyblok, unassign the user from the Storyblok app in Okta. Storyblok automatically disables the user in your organization.



