Using Trello SCIM for Okta
Note about user provisioning with the new version of Trello Enterprise:
If your Workspace is using Trello Enterprise with Atlassian Access, you'll use a different set of instructions for user provisioning found here.
Trello supports a subset of the SCIM 2.0 standard. It enables Trello Enterprise customers to manage Trello accounts. This SCIM integration is built by Trello. For SCIM support requests, please contact us through https://trello.com/contact.
Currently Supported Features
- Returning a list of Trello users that belong to an enterprise’s Workspaces or boards
- Returning a list of Trello Workspaces and boards that belong to an enterprise
- Deactivating and reactivating a Trello user from all enterprise Workspaces and boards
- Provisioning a new Trello user
Trello’s SCIM API is available at https://trello.com/scim/v2. It requires an enterprise token for access. An enterprise administrator can obtain a token from https://trello.com/my/enterprise/token.
After obtaining a token, copy and paste the token value as the API Token setting, under the Provisioning tab, in the “API Credentials” section of your Trello Okta application.
This Okta SCIM integration uses the email address to match an existing Trello account. Verify that the “Okta username format” is set to email address in the “User Import” configuration section.
Ensure that “Deactivate Users” is enabled in “Provisioning Features”.
Trello enables ‘active status’ assignment for Okta users that belong to an enterprise’s Workspaces or boards. To deactivate an Okta user from all enterprise Workspaces and boards, unassign the user from the “People” tab of the Trello Okta application.
Provisioning New Users
If an Okta user is assigned to the Trello application, Okta will attempt to find a Trello user (within the enterprise) who matches the email address. If none is found, Okta will trigger the creation of a new Trello user. This user’s name and email address will be filled in, and this user will be associated with the enterprise within Trello.
If the user’s email address matches one of the Trello Enterprise’s allowlist domains, the user will not need to confirm via their email inbox. Otherwise, they will receive an email asking them to confirm their account before fully using Trello.
Note that the standard restrictions on usernames apply, and provisioning will fail if the username in a provisioning request contains, for example, special characters. If no username is sent, a username will be autogenerated.
Note that if a Trello user exists with a given email address, but that user is not associated with the enterprise within Trello (such as by being part of an enterprise Workspace), Okta will not be able to create a new user or create a link to the Trello member (Trello will respond with a “409 Conflict” error). That existing Trello user will first need to be added to an enterprise Workspace, or log in to the Trello account with SSO.
Trello stores a user’s full name as a single piece so we can best support the many varieties of name formats used around the world. As such, Trello will use the Display Name from Okta as the user’s full name, not the First Name or Last Name parts.
Known Issues and Notes
This SCIM integration matches Okta users and Trello accounts together using an email address. In order to manage existing Trello accounts, the Okta primary SMTP email address must match an account that exists in Trello. If this email doesn't match, a new account will be created.
To associate a new email with an existing Trello account, see this guide.
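Because matching is done on email address alone, it helps to compare the two sides before turning provisioning on. The following is an added example, not Trello's or Okta's code: it parses a user listing in the standard SCIM 2.0 ListResponse shape and classifies accounts against the Okta assignment list. The sample data is constructed, the function names are hypothetical, and comparing emails case-insensitively is an assumption.

```python
import json

# Constructed sample in the standard SCIM 2.0 ListResponse shape (RFC 7644);
# not captured from Trello.
SCIM_USERS_JSON = """
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 3,
 "Resources": [
  {"id": "a1", "userName": "alice", "active": true,
   "emails": [{"value": "Alice@example.com", "primary": true}]},
  {"id": "b2", "userName": "bob", "active": true,
   "emails": [{"value": "bob@old-domain.example", "primary": true}]},
  {"id": "c3", "userName": "carol", "active": false,
   "emails": [{"value": "carol@example.com", "primary": true}]}]}
"""

# Constructed: primary emails of Okta users assigned to the Trello app.
OKTA_ASSIGNED = ["alice@example.com", "bob@example.com", "carol@example.com"]

def primary_email(resource):
    """Lower-cased primary email of a SCIM User resource, or None."""
    emails = resource.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    return chosen["value"].strip().lower() if chosen else None

def audit(scim_json, okta_emails):
    """Classify accounts by how email matching would treat them."""
    trello = {}
    for res in json.loads(scim_json).get("Resources", []):
        email = primary_email(res)
        if email:
            trello[email] = res
    okta = {e.strip().lower() for e in okta_emails}
    matched = okta & set(trello)
    return {
        # Email matches an enterprise account: the existing account is linked.
        "matched": sorted(matched),
        # No enterprise account has this email: a create would be attempted
        # (new account, or 409 Conflict if the email exists outside the enterprise).
        "would_create": sorted(okta - set(trello)),
        # Active enterprise accounts with no Okta assignment to unassign.
        "unmanaged_active": sorted(e for e, r in trello.items()
                                   if e not in okta and r.get("active")),
        # Matched accounts that are currently deactivated in Trello.
        "matched_inactive": sorted(e for e in matched if not trello[e].get("active")),
    }

if __name__ == "__main__":
    print(json.dumps(audit(SCIM_USERS_JSON, OKTA_ASSIGNED), indent=2))
```

Entries under `would_create` paired with a similar-looking entry under `unmanaged_active` (here, bob) are the email mismatches that would produce a second account instead of managing the existing one.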