Okta Classic Engine | Integrations | Answered | Posted 2025-09-17, last updated 2025-09-29
How can I enable SCIM provisioning for only one AD group while maintaining SSO for multiple groups in a Salesforce integration?

We have a Salesforce app integrated with Okta using SAML SSO and SCIM provisioning. Two AD groups are assigned to this app:

  • Group X (requires SSO only, no provisioning)
  • Group Y (requires both SSO and SCIM provisioning)

SSO is working correctly for both groups. We now want to enable SCIM provisioning only for users in AD Group Y, while ensuring that Group X continues to have access via SSO but is excluded from SCIM provisioning actions (create, update, deactivate).


The Provisioning tab in the Salesforce app in Okta doesn’t seem to offer a way to filter provisioning actions by group.

My questions:

  1. Is there a supported way to scope SCIM provisioning to only apply to Group Y?
  2. Can this be done using assignments, Group Push, or other configuration steps?
  3. Is there a best practice to ensure Group X users are excluded from provisioning, but still retain SSO access?

  • Mihai Negoita - Okta (Okta, Inc.)

    Hi @AkhileshN.50943 (Customer), thank you for reaching out to the Okta Community!


    While there is no out-of-the-box filtering for the Provisioning feature, you might be able to achieve this by setting up two instances of the Salesforce app in Okta.

    It's my understanding that Salesforce supports multiple IdPs, so in essence you would use the same Okta tenant but with two different SSO configurations.


    ⚠️ If you have a preview/sandbox environment, I strongly recommend testing this there instead of Production. 


    The breakdown would be like this: 


    In Okta: you'll have two distinct Salesforce apps.

    • App 1 (SSO + Provisioning): provisioning enabled; assign only Group Y (requires both SSO and SCIM provisioning).
    • App 2 (SSO Only): provisioning disabled; assign only Group X (requires SSO only, no provisioning).


    In Salesforce: You'll have two distinct SAML Single Sign-On configurations.


    • SAML Config 1: Corresponds to App 1 in Okta. You'll upload its metadata and give it a name like "Okta-SAML-Provisioning."
    • SAML Config 2: Corresponds to App 2 in Okta. You'll upload its metadata and give it a name like "Okta-SAML-SSO-Only."


    Hope my answer helps! 

    • AkhileshN.50943 (Customer)

      @Mihai Negoita - Okta (Okta, Inc.) Thanks for your response. I have a concern with this approach though!


      If we proceed with the two-apps approach, I’m concerned it might affect the end-user login experience, as users may be unsure which Salesforce app to choose during SSO. How do you recommend controlling that?


      Since AD Group X already has existing users, we want to ensure their login experience remains unchanged and seamless.

      Is there any way to achieve this within a single Salesforce application in Okta? Specifically, can we add a condition or filter to enable SCIM provisioning for only one AD group while keeping SSO active for both?

  • KathyT.73511 (Anthropic Identity)

    I agree with the 2 app approach, but I would consider making one of your apps the SSO Only app, and the other the Provisioning Only app. All your users needing SSO will be assigned to the SSO Only app and only the SCIM users will be assigned to the Provisioning Only app (and this app would be hidden from your users).


    With this approach, you could have 2 groups, one for Only SSO and one for Provisioning/SSO. The ONLY SSO group would be assigned to your SSO Only app and the Provisioning/SSO group would be assigned to both apps so when they are added to the group, they are added to both apps.

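Both answers above rest on the same invariant: only one of the two Okta apps may push to Salesforce, and the SSO-only group must never be assigned to that app. The audit below is an added example, not Okta's, Salesforce's or any poster's code. It assumes app and group-assignment objects in the shape of Okta's Apps API responses (field names `features`, `signOnMode`, `status` and `visibility`; feature names such as `PUSH_NEW_USERS` follow the Okta Apps API documentation and are treated as assumptions). It checks both layouts, the per-group split from the first answer and the hidden provisioning-only app from the second, and flags the drift case where Group X is also assigned to the provisioning-enabled app. All app and group data is constructed inline.

```python
"""Consistency audit for the two-app Okta/Salesforce split discussed in this thread.

Added example, not Okta's or Salesforce's code. It assumes app objects and group
assignments in the shape of Okta's Apps API responses (GET /api/v1/apps and
GET /api/v1/apps/{appId}/groups): each app carries "id", "label", "status",
"signOnMode", "visibility" and a "features" list of enabled provisioning features.
All sample data below is constructed for the demonstration.
"""
from __future__ import annotations

# App features that push changes to the target application. Any one of these means
# users assigned to the app are subject to create/update/deactivate in Salesforce.
# Names follow the Okta Apps API feature list (treated here as an assumption).
PUSH_FEATURES = {
    "PUSH_NEW_USERS",
    "PUSH_PROFILE_UPDATES",
    "PUSH_USER_DEACTIVATION",
    "PUSH_PASSWORD_UPDATES",
}


def pushes_to_target(app: dict) -> bool:
    """True if the app has any outbound provisioning feature enabled."""
    return bool(PUSH_FEATURES & set(app.get("features", [])))


def is_visible_sso_app(app: dict) -> bool:
    """True if end users can log in to Salesforce through this app from their dashboard."""
    hidden = app.get("visibility", {}).get("hide", {}).get("web", False)
    return app.get("signOnMode") == "SAML_2_0" and app.get("status") == "ACTIVE" and not hidden


def audit_split(apps, assignments, group_names, sso_only_group, provisioned_group) -> list[str]:
    """Return findings for the split; an empty list means it is consistent.

    assignments: app id -> list of group-assignment objects ({"id": groupId, ...}).
    group_names: group id -> display name.
    """
    findings: list[str] = []
    groups_of = {
        app["id"]: {group_names.get(g["id"], g["id"]) for g in assignments.get(app["id"], [])}
        for app in apps
    }
    push_apps = [app for app in apps if pushes_to_target(app)]

    # 1. Exactly one app may push to Salesforce; two would compete for the same accounts.
    if len(push_apps) != 1:
        findings.append(f"expected exactly one provisioning-enabled app, found {len(push_apps)}")

    for app in push_apps:
        groups = groups_of[app["id"]]
        # 2. The SSO-only group must never be assigned to a provisioning-enabled app.
        if sso_only_group in groups:
            findings.append(f"{app['label']}: {sso_only_group} is assigned here, so its users "
                            "would be created/updated/deactivated in Salesforce")
        # 3. The provisioned group must actually be on the provisioning app.
        if provisioned_group not in groups:
            findings.append(f"{app['label']}: {provisioned_group} is missing, nobody is provisioned")

    # 4. Both groups must keep SSO: each needs at least one visible, active SAML app.
    for group in (sso_only_group, provisioned_group):
        if not any(group in groups_of[app["id"]] and is_visible_sso_app(app) for app in apps):
            findings.append(f"{group}: no visible active SAML app assigned, SSO would break")
    return findings


# Constructed sample data (not real tenant data).
GROUP_NAMES = {"00g_x": "Group X", "00g_y": "Group Y"}
APP_PROV = {"id": "0oa_prov", "label": "Salesforce (SSO + provisioning)", "status": "ACTIVE",
            "signOnMode": "SAML_2_0", "visibility": {"hide": {"web": False}},
            "features": ["PUSH_NEW_USERS", "PUSH_PROFILE_UPDATES", "PUSH_USER_DEACTIVATION"]}
APP_SSO = {"id": "0oa_sso", "label": "Salesforce (SSO only)", "status": "ACTIVE",
           "signOnMode": "SAML_2_0", "visibility": {"hide": {"web": False}}, "features": []}


def audit_two_apps() -> list[str]:
    """Layout from the first answer: each group on exactly one app."""
    assignments = {"0oa_prov": [{"id": "00g_y"}], "0oa_sso": [{"id": "00g_x"}]}
    return audit_split([APP_PROV, APP_SSO], assignments, GROUP_NAMES, "Group X", "Group Y")


def audit_hidden_provisioning_app() -> list[str]:
    """Layout from the second answer: provisioning app hidden, Group Y on both apps."""
    hidden_prov = dict(APP_PROV, visibility={"hide": {"web": True}})
    assignments = {"0oa_prov": [{"id": "00g_y"}], "0oa_sso": [{"id": "00g_x"}, {"id": "00g_y"}]}
    return audit_split([hidden_prov, APP_SSO], assignments, GROUP_NAMES, "Group X", "Group Y")


def audit_misassigned() -> list[str]:
    """Drift case: Group X was also added to the provisioning app, the outcome to avoid."""
    assignments = {"0oa_prov": [{"id": "00g_y"}, {"id": "00g_x"}], "0oa_sso": [{"id": "00g_x"}]}
    return audit_split([APP_PROV, APP_SSO], assignments, GROUP_NAMES, "Group X", "Group Y")
```

Against a real tenant the `apps` and `assignments` inputs would be fetched with an API token (GET /api/v1/apps, then GET /api/v1/apps/{appId}/groups per app) and fed to `audit_split` unchanged; running it after every assignment change, or on a schedule, is what catches the drift BrandonB warns about below, where the groups across the two apps stop matching and a Group X user silently becomes subject to SCIM deactivation.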
  • BrandonB.06003 (Customer)

    You have to do two separate apps for this if you want to do it that way. You can start with 2 apps then move to 1 app later. Or you can just have 2 apps and make sure the groups across them are the same. I've done that many times and it's fine.

This question is closed.