The Firstup create user API allows you to integrate with SCIM-compliant providers. This SCIM-compliant data sync allows you to create one user record across multiple applications.
Create your single-user record in an external SCIM-compliant application, and sync with our API to create a Firstup user record with the same execution.
Firstup supports Just-in-Time (JIT). If your SCIM-compliant provider (e.g. an IDP like Okta) authenticates a user successfully, but they don't yet have a user account with us, Firstup automatically creates a registered user for the Employee Experience.
Review how our Create User API works before integrating.
These steps guide you through creating your Firstup users from OKTA. Your user record will be a SCIM-compliant record, linked to external applications.
These steps are designed to guide you with Firstup specific information. Refer to Okta's documentation for guidance on their external platform.
There is a current known Okta provisioning error. See our Okta User Group Provisioning Issue guidance below.
- Sign in to your Okta admin dashboard.
- Navigate to Applications > Create App Integration.
- Select SCIM 2.0 as the provisioning type.
- Enter the following details:
- Base URL: region specific (see below)
- Authentication Method: Bearer Token
- API Token: Enter your Firstup API token
- Click Save to apply the settings.
Base URLs:
- US1: https://auth.socialchorus.com
- US2: https://auth.us2.onfirstup.com
- EU: https://auth.onfirstup.eu
- In your Okta admin console, go to Provisioning > Integration.
- Click Edit and check the box for Enable SCIM provisioning.
- Configure the following actions:
- Create Users: Enabled
- Update Users: Enabled (optional, based on your needs)
- Deactivate Users: Enabled (optional, for user lifecycle management)
- Click Save.
- Go to Provisioning > To App.
- Click Edit to customize attribute mappings.
- Map Okta user attributes to Firstup's SCIM attributes as needed.
- Click Save Mappings and apply updates.
- Assign a test user to the Firstup SCIM app in Okta.
- Confirm that the user is successfully created in Firstup by checking your Firstup admin portal or using the SCIM API.
- If issues arise, review logs in Okta or inspect API responses from Firstup.
We recommend including these standard user attributes and the required attributes:
| Firstup Attribute | Requirement | Format | SCIM Attribute | Description |
|---|---|---|---|---|
universal_identifier | Required | String | username | The user's community login. This is the same for web and mobile experience. |
first_name | Recommended | String | givenname | The user's name. This is recommended especially if you're bulk provisioning users. |
last_name | Recommended | String | familyname | The user's name. This is recommended especially if you're bulk provisioning users. |
emails.value | Recommended | String | emails.value | The user's email address (external to Firstup). This is recommended so the user receives their community invitation. |
Refer to SCIM user attributes for the full table of SCIM compliant user attributes.
Refer to custom user attributes for custom Firstup attributes.
When provisioning a group via OKTA SCIM, if group members are included in the initial group creation (POST) request, OKTA immediately issues a GET to confirm creation.
This GET returns a 404 for 20 minutes, breaking sync.
The issue only occurs with OKTA, not other SCIM providers.
- Create the group, and untick the memberships box.
- Activate the group, and push members. This results in an error.
- Remove the group.
- Then create thre group again without the users being pushed. This group needs exact same name.
- Untick the memberships box.
- Push users.
OKTA sometimes delays marking a group as "enabled" if members are included in the initial POST, causing immediate GETs to fail.
By separating group creation and member assignment, you avoid the timing/state issue that leads to 404 errors.