Brex and Okta SCIM


Overview

Premium | Enterprise | Smart Card

System for Cross-domain Identity Management (SCIM) is an integration that helps you automate user access for your company’s Brex account. It can be used to provision Brex user accounts for your employees after they are added to your Okta instance. It can also disable users after they are removed from your Okta instance.


Okta SCIM setup

You can connect an Okta SCIM account with your Brex account by following these steps:

Note: Steps 1 and 2 are optional. If you’d prefer not to set up your Okta SAML SSO, skip to Step 3. If you want to configure both Okta SSO and SCIM, make sure you complete the steps in the following order.

Step 1: Set up the Okta SAML SSO for your account by reaching out to Brex Support with this information:

  • Your business name
  • Your email address (or the email address of the individual from your team that will be working on the SAML SSO setup)
  • A test user to be used for SAML SSO setup
  • A list of email domains that should be supported for SSO & SCIM
  • Whether or not you have HRIS enabled already
  • Whether or not you want users to be sent an invitation email automatically after being added to SCIM
    • If so, whether you want these users invited as the employee role type or the reimbursements-only role type.

Step 2: Wait 3-5 business days for a response email from our team with instructions on how to create the SAML SSO application in Okta. Once it is successfully set up, our team will test and enable SAML SSO for your account.

Step 3: Go to the Applications page in your Okta admin dashboard.

Step 4: Click Browse App Catalog to create a new SCIM application.

Step 5: Search for SCIM and choose the SCIM 2.0 Test App with basic authentication.

Step 6: Click Add Integration.

Step 7: Enter a name for your application, check the box to hide the application from users, and click Next.

Step 8: If it is not already set, set Application username format to Okta username. Leave everything else as the default and click Done to create the application.

Step 9: Go to the Provisioning tab and click Configure API Integration.

Step 10: Enter your SCIM API credentials (these will be sent to you via a secure document from our team) and click Test API Credentials to confirm the settings are correct.

Step 11: Go to the To App tab and click the checkbox to enable Create Users, Update User Attributes, and Deactivate Users. You can also verify mapping in the attribute mapping section below. The defaults we expect for mappings can be found in the screenshot at the bottom of the page.

Attributes map to Brex as follows:

  • Department: This maps to the department attribute in Brex.
  • Cost Center: This maps to the cost center attribute in Brex.
  • Division: This attribute maps to the legal entity in Brex.
    • Note: Currently, legal entities are expected to already exist in Brex before employees can be mapped to them. To create legal entities please go to the Brex dashboard.
  • Manager value: This attribute maps to the manager email in Brex. For manager import, make sure to map the manager’s email to the manager value. More often than not this will be “user.managerId” in Okta, but if it isn't, map the correct attribute here.
  • Country: This attribute currently maps to the Location attribute in Brex. Okta supports this as a 2 character country code.

You’ve now integrated Okta SCIM with your Brex account. You can test your setup by assigning the SCIM app to an Okta user to verify the user is provisioned in the Teams page of your Brex dashboard.
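
A pre-flight check for the mapping rules above, as an added example that is not Brex or Okta code: it flags Okta profiles whose manager value is not an email, whose country is not a 2-character code, whose division is not an existing legal entity, or whose email domain is outside the supported list. The function name `preflight` and the sample domains, legal entities and profiles are constructed; the dict keys follow the Okta profile attribute names used in the mappings.

```python
import re

# Constructed sample values: replace with the email domains and legal
# entities actually configured for your account.
SUPPORTED_DOMAINS = {"example.com"}
LEGAL_ENTITIES = {"Example Inc.", "Example GmbH"}

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")


def preflight(profile):
    """Return a list of problems for one Okta profile (dict keyed by attribute name)."""
    problems = []

    m = EMAIL_RE.match(profile.get("email") or "")
    if not m:
        problems.append("email: missing or malformed")
    elif m.group(1).lower() not in SUPPORTED_DOMAINS:
        problems.append(f"email: domain {m.group(1)} not in supported list")

    # Manager value must carry the manager's email, not an employee ID or name.
    manager = profile.get("managerId")
    if manager and not EMAIL_RE.match(manager):
        problems.append(f"managerId: {manager!r} is not an email address")

    # Country is sent as a 2-character code and maps to Location.
    country = profile.get("countryCode")
    if country and not COUNTRY_RE.match(country):
        problems.append(f"countryCode: {country!r} is not a 2-character code")

    # Division maps to a legal entity, which must already exist.
    division = profile.get("division")
    if division and division not in LEGAL_ENTITIES:
        problems.append(f"division: legal entity {division!r} not found")

    return problems


# Constructed sample profiles: one clean, one violating every rule.
SAMPLE_PROFILES = [
    {"email": "ana@example.com", "managerId": "lee@example.com",
     "countryCode": "US", "division": "Example Inc."},
    {"email": "bo@contractor.test", "managerId": "E-10432",
     "countryCode": "United States", "division": "Example Ltd"},
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        print(p["email"], preflight(p) or "ok")
```

Running it against an export of the users you plan to assign shows which profiles need fixing in Okta before the SCIM app is assigned to them.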

| Attribute | Attribute type | Value | Apply on |
|---|---|---|---|
| Username (userName) | Personal | Configured in Sign On settings | |
| Given name (givenName) | Personal | user.firstName | Create and update |
| Family name (familyName) | Personal | user.lastName | Create and update |
| Middle name (middleName) | Personal | user.middleName | Create and update |
| Honorific prefix (honorificPrefix) | Personal | user.honorificPrefix | Create and update |
| Honorific suffix (honorificSuffix) | Personal | user.honorificSuffix | Create and update |
| Email (email) | Personal | user.email | Create and update |
| Primary email type (emailType) | Personal | (user.email != null && user.email != '') ? 'work' : '' | Create and update |
| Title (title) | Personal | user.title | Create and update |
| Display name (displayName) | Personal | user.displayName | Create and update |
| Nickname (nickname) | Personal | user.nickName | Create and update |
| Profile Url (profileUrl) | Personal | user.profileUrl | Create and update |
| Primary phone (primaryPhone) | Personal | user.primaryPhone | Create and update |
| Primary phone type (primaryPhoneType) | Personal | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' | Create and update |
| Address type (addressType) | Personal | (user.streetAddress != null && user.primaryPhone != '') ? 'work' : '' | Create and update |
| Street address (streetAddress) | Personal | user.streetAddress | Create and update |
| Locality (locality) | Personal | user.city | Create and update |
| Region (region) | Personal | user.state | Create and update |
| Postal Code (postalCode) | Personal | user.zipCode | Create and update |
| Country (country) | Personal | user.countryCode | Create and update |
| Formatted (formatted) | Personal | user.postalAddress | Create and update |
| Preferred language (preferredLanguage) | Group | user.preferredLanguage | Create and update |
| Locale Name (locale) | Group | user.locale | Create and update |
| Time zone (timezone) | Group | user.timezone | Create and update |
| User type (userType) | Group | user.userType | Create and update |
| Employee number (employeeNumber) | Personal | user.employeeNumber | Create and update |
| Cost center (costCenter) | Group | user.costCenter | Create and update |
| Organization (organization) | Group | user.organization | Create and update |
| Division (division) | Group | user.division | Create and update |
| Department (department) | Group | user.department | Create and update |
| Manager value (managerValue) | Personal | user.managerid | Create and update |
| Manager display name (managerDisplayName) | Personal | user.manager | Create and update |