Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

Set up SCIM provisioning on Astro

This feature is only available if you are on the Enterprise tier or above. See Astro Plans and Pricing.

Astro supports integration with the open standard System for Cross-Domain Identity Management (SCIM). Using the SCIM protocol with Astro allows you to automatically provision and deprovision users and Teams based on templates for access and permissions. It also provides better observability through your identity provider for when users and Teams are created or modified across your organization. Specifically, you can utilize SCIM provisioning to complete the following Astro actions from your identity provider platform:

  • Create and remove users in your Organization.
  • Update user profile information.
  • Create and remove Astro Teams.
  • Add and remove Team members.
  • Retrieve user and Team information.

Some user management features on Astro behave differently after you set up SCIM provisioning. See Manage Teams for more information.

Astro doesn’t support group nesting for SCIM provisioning. Access levels assigned to parent groups don’t automatically propagate to child groups, so each group must be individually assigned the required access levels.

Supported SSO identity providers

Astro supports SCIM provisioning with the following IdPs:

  • Microsoft Entra ID
  • Okta

Supported Okta features

Okta’s Astro integration supports the following SCIM actions:

  • Create users
  • Update user attributes
  • Deactivate users
  • Group push

Prerequisites

  • A configured identity provider. See Set up SSO.

Setup

Okta - Astro integration (Recommended)
  1. Create an Organization API token with Organization Owner permissions. See Organization API tokens. Copy the token to use later in this setup.

  2. In the Astro UI, click Organization Settings.

  3. On the General page, copy your Organization ID to use later in this setup.

  4. Go to Settings > Authentication. In the Advanced Settings menu, click Edit Settings, then click the SCIM integration toggle to on.

  5. In the Okta admin dashboard, open your Astro app integration and click Provisioning.

  6. Click Configure API integration, check Enable API integration, then configure the following values:

    • Organization ID: Enter your Organization ID.
    • API token: Enter your Organization API token.
  7. Test your API credentials, then click Save.

  8. In the Provisioning menu, click To App and configure the following:

    • Provisioning to App: Select only Create Users, Update User Attributes, and Deactivate Users.

    See Okta documentation for more information on configuring these values.

  9. Create user groups and push them to Astro. User groups pushed to Astro appear as Teams in the Astro UI. See Okta documentation for setup steps.

Frequently asked questions

What if an Okta group is out of sync with an Astro Team?

  1. In the Okta dashboard, open the Astro application and click Push Groups.
  2. Click the value in Push Status for the group that’s out of sync, then click Push now.

What if an Okta user is out of sync with their Astro user account?

If you removed an Okta user but their Astro account remains, delete the account from Astro.

If an Astro user isn’t appearing for an Okta user as expected, remove and re-assign the user in Okta.
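
The two out-of-sync cases above can be found before anyone reports them by comparing both user lists. The following is an added example, not code from Astro or Okta: it assumes Astro user records in the standard SCIM 2.0 ListResponse shape (RFC 7644) and a plain list of emails assigned to the Astro app in Okta (a hypothetical export format), and all sample data is constructed.

```python
import json

# Constructed SCIM 2.0 ListResponse (RFC 7644 shape) standing in for the
# user records retrieved from Astro. Assumption: not real Astro output.
ASTRO_SCIM_USERS = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"userName": "ana@example.com", "active": true},
    {"userName": "cy@example.com",  "active": true},
    {"userName": "dee@example.com", "active": false}
  ]
}
""")

# Constructed list of users assigned to the Astro app in Okta
# (hypothetical export format: one email per entry).
OKTA_ASSIGNED = ["ana@example.com", "Bo@Example.com", "dee@example.com"]


def normalize(email):
    """Compare emails case-insensitively so casing differences are not drift."""
    return email.strip().lower()


def reconcile(astro_scim_list, okta_assigned):
    """Return the accounts that match each FAQ case, keyed by its remedy."""
    astro_active = {
        normalize(r["userName"])
        for r in astro_scim_list.get("Resources", [])
        if r.get("active", True)  # SCIM treats a missing 'active' as active
    }
    okta = {normalize(u) for u in okta_assigned}
    return {
        # Active in Astro but no longer assigned in Okta: access that
        # outlived deprovisioning. FAQ remedy: delete the account from Astro.
        "delete_from_astro": sorted(astro_active - okta),
        # Assigned in Okta but not active in Astro.
        # FAQ remedy: remove and re-assign the user in Okta.
        "reassign_in_okta": sorted(okta - astro_active),
    }


if __name__ == "__main__":
    for remedy, users in reconcile(ASTRO_SCIM_USERS, OKTA_ASSIGNED).items():
        print(f"{remedy}: {users}")
```

The `delete_from_astro` list is the one to review first, since it represents Astro access that outlived removal from the identity provider.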