
Auth and Provisioning

Securely manage user access with SAML SSO and SCIM. Simplify sign-ins, automate account setup, and ensure teams have the right access from day one.
By Erik Wetzel
2 articles

Setting up SCIM with Okta

1. Set SAML_DATABASE_URL to a Postgres database. Please use a different database than the main Cal instance, since the migrations are separate for this database. For example: postgresql://postgres:@localhost:5450/cal-saml. If you are using a self-signed certificate for Postgres, use the sslmode=no-verify query parameter in the database URL. For example: postgresql://postgres:@localhost:5450/cal-saml?sslmode=no-verify.
2. Set SAML_ADMINS to a comma-separated list of admin emails who can configure the OIDC.
3. Create an application with your OIDC provider. For example, in Okta, once you create an account, you can click on Applications on the sidebar menu.
4. Click on Create App Integration.
5. Select SAML or OIDC in the modal form, along with Web App, and click Next. Note that you will have to fill in the appropriate fields for the SAML or OIDC setup to continue.
6. Once the application is created, under General -> App Settings, click “Edit” and check the “Enable SCIM provisioning” checkbox.
7. Next, go to your instance of Schedly, navigate to {BASE_URL}/settings/organization/dsync and click configure.
8. In the “Configure Directory Sync” form, choose a directory sync name and choose “Okta SCIM v2.0” as the “Directory Provider”.
9. Take note of the “SCIM Base URL” and “SCIM Bearer Token”.
10. In Okta, go to your application. Navigate to the “Provisioning” tab and click “Integration” under “Settings”.
    - Under “SCIM connector base URL” enter the “SCIM Base URL” from Schedly
    - Under “Unique identifier field for users” enter “email”
    - Under “Supported provisioning actions” enable:
      - “Import New Users and Profile Updates”
      - “Push New Users”
      - “Push Profile Updates”
      - “Push Groups”
    - Under “Authentication Mode” choose “HTTP Header”
    - Under “Authentication” enter the “SCIM Bearer Token” from Schedly
    - When you hit save, it will make a test call to the “SCIM Base URL”
11. After you hit save, navigate to the “To App” settings, still under the “Provisioning” tab.
12. Under “Provisioning to App” click “Edit” and enable:
    - “Create User”
    - “Update User Attributes”
    - “Deactivate User”
13. Under “{Your application name} Attribute Mapping”, remove all fields except for:
    - “username”
    - “givenName”
    - “familyName”
    - “email”
    - “displayName”
14. Set each of these properties to “Map from Okta Profile” and the related field. Under “Apply On” select “Create and Update”.
15. You can now assign users and groups to the app.

Mapping Okta Groups to Schedly Teams

When provisioning groups to your organization, Okta groups can be mapped to teams within your organization, and users will be auto-assigned to these teams. On {BASE_URL}/settings/organization/dsync there is a table with the teams under your organization. Click on “Add group name” to map the Okta group to the team.

Note: The group name must be spelt exactly as it is shown on Okta. When you push the group to your organization, those users will automatically be added to the team.
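A mapping whose group name differs from the Okta name only by case or spacing looks correct in the table but never matches, so the users are not added to the team. The following added example (not part of Schedly or Okta) compares the names entered in the mapping table with the group names pushed from Okta and separates exact matches from near-misses. It assumes the match is an exact string comparison, as the note on spelling implies; the function names and sample data are constructed for illustration.

```python
import unicodedata


def _loose(name: str) -> str:
    """Normal form used only to detect near-misses, never to accept a match."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def check_group_mappings(team_to_group: dict, okta_groups: list) -> dict:
    """Classify each team's mapped group name against the names Okta pushes.

    Returns {team: verdict}, where verdict is "exact", "near-miss: '<name>'"
    (the Okta name it was probably meant to be) or "missing".
    """
    exact = set(okta_groups)
    loose = {}
    for group in okta_groups:
        loose.setdefault(_loose(group), group)

    verdicts = {}
    for team, group in team_to_group.items():
        if group in exact:
            verdicts[team] = "exact"
        elif _loose(group) in loose:
            verdicts[team] = f"near-miss: {loose[_loose(group)]!r}"
        else:
            verdicts[team] = "missing"
    return verdicts


# Constructed sample data, not taken from a real tenant.
OKTA_GROUPS = ["Sales - EMEA", "Engineering", "Support Tier 2"]
MAPPINGS = {
    "sales-emea": "Sales - EMEA",    # spelt exactly as in Okta
    "engineering": "engineering",    # case differs
    "support": "Support  Tier 2 ",   # extra whitespace
    "finance": "Finance",            # no such group is pushed
}

if __name__ == "__main__":
    for team, verdict in check_group_mappings(MAPPINGS, OKTA_GROUPS).items():
        print(f"{team:12} {verdict}")
```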

Last updated on Aug 29, 2025

Setting up OIDC with Okta

1. Set SAML_DATABASE_URL to a Postgres database. Please use a different database than the main Cal instance, since the migrations are separate for this database. For example: postgresql://postgres:@localhost:5450/cal-saml. If you are using a self-signed certificate for Postgres, use the sslmode=no-verify query parameter in the database URL. For example: postgresql://postgres:@localhost:5450/cal-saml?sslmode=no-verify.
2. Set SAML_ADMINS to a comma-separated list of admin emails who can configure the OIDC.
3. Create an application with your OIDC provider. For example, in Okta, once you create an account, you can click on Applications on the sidebar menu.
4. Click on Create App Integration.
5. Select OIDC in the modal form, along with Web App, and click Next.
6. Enter the Sign in redirect URL (or auth URL) as {BASE_URL}/api/auth/oidc and the sign out URL as {BASE_URL}/auth/login, where {BASE_URL} is your app’s base URL, and click save. Replace {BASE_URL} with the respective URL, for example localhost:3000 for localhost testing.
7. Now you should have the Client Secret and Client ID with you. You will also need the Well Known URL, which for Okta is generally of the form https://{yourOktaDomain}/.well-known/openid-configuration. So, if your Okta domain is dev-123456.okta.com, your well known URL would be https://dev-123456.okta.com/.well-known/openid-configuration.
8. Now spin up Schedly on your server and log in as the Admin user (the email ID of which was provided in step 2 for the SAML_ADMINS environment variable).
9. Visit {BASE_URL}/settings/security/sso and you should see something like this:
10. Click on Configure SSO with OIDC, then enter the Client Secret, Client ID and Well known URL from step 7, and click save.
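Steps 1 and 2 are the same in both articles and are where a deployment most easily goes wrong. This added example (not part of Schedly) checks a set of environment values for a shared database, an empty database password, sslmode=no-verify on a non-local host, and malformed SAML_ADMINS entries. The variable name DATABASE_URL for the main instance and the sample values are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAIN_DB_VAR = "DATABASE_URL"  # assumed name of the main instance's variable
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def _db_identity(url):
    """(host, port, database) triple used to tell two Postgres URLs apart."""
    u = urlsplit(url)
    return (u.hostname, u.port or 5432, u.path.lstrip("/"))


def preflight(env):
    """Return findings for the settings described in steps 1 and 2."""
    sso_url = env.get("SAML_DATABASE_URL", "")
    sso = urlsplit(sso_url)
    if sso.scheme not in ("postgres", "postgresql") or not sso.hostname:
        return ["SAML_DATABASE_URL: not a Postgres URL"]
    findings = []
    main_url = env.get(MAIN_DB_VAR, "")
    if main_url and _db_identity(main_url) == _db_identity(sso_url):
        findings.append("SAML_DATABASE_URL: same database as the main instance")
    if not sso.password:
        findings.append("SAML_DATABASE_URL: empty database password")
    # no-verify accepts the server certificate without verifying it (the page
    # suggests it for self-signed certificates); tolerate it only on loopback.
    sslmode = parse_qs(sso.query).get("sslmode", [""])[0]
    if sslmode == "no-verify" and sso.hostname not in LOOPBACK:
        findings.append("SAML_DATABASE_URL: sslmode=no-verify on a remote host")
    admins = [a.strip() for a in env.get("SAML_ADMINS", "").split(",")]
    bad = [a for a in admins if not EMAIL.match(a)]
    if bad:
        findings.append(f"SAML_ADMINS: invalid entries {bad!r}")
    return findings


# Constructed environments; the first uses the page's example database URL.
PAGE_EXAMPLE = {
    MAIN_DB_VAR: "postgresql://postgres:@localhost:5450/cal-main",
    "SAML_DATABASE_URL": "postgresql://postgres:@localhost:5450/cal-saml?sslmode=no-verify",
    "SAML_ADMINS": "admin@example.com, ops@example.com",
}
RISKY = {
    MAIN_DB_VAR: "postgresql://cal:pw@db.example.internal:5432/cal",
    "SAML_DATABASE_URL": "postgresql://cal:pw@db.example.internal/cal?sslmode=no-verify",
    "SAML_ADMINS": "admin@example.com,,not-an-email",
}
```

The page's own example URL passes the separation and TLS checks on localhost but is still reported for its empty password, which is acceptable only for local testing.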

Last updated on Aug 29, 2025