
Using Claap's SSO and User Provisioning

This article explains how workspace Admins can configure SSO and automated user provisioning (SCIM) for their Claap workspace using Okta.

Written by Marta Connor
Updated over a week ago

Set Up SSO and SCIM user provisioning with Okta

You'll need workspace Admin or Owner permissions to configure SSO settings.

Learning Objective

By the end of this tutorial, you'll know how to configure Single Sign-On (SSO) and automated user provisioning (SCIM) between Okta and Claap so your team logs in with company credentials and user access stays in sync automatically.

Why this matters

Managing Claap access manually (inviting new hires, suspending leavers, updating roles) creates administrative overhead and security gaps. Connecting Okta to Claap through SSO and SCIM eliminates that work: access is granted the moment someone joins Okta and revoked the moment they leave, with no action required in Claap.

Prerequisites

You should already have:

  • Admin access to your Claap workspace: you'll need workspace Admin or Owner permissions to configure SSO settings

  • Admin access to Okta: your IT administrator needs permissions to create and configure applications in Okta

  • SSO and SCIM enabled on your Claap plan: contact your Claap account manager to confirm these features are active for your workspace before starting

Phase 1: Verify Your Company Domain in Claap

Domain verification proves you own the email domain(s) your team uses. Claap requires this before SSO can be enabled, to ensure only users with verified company email addresses can access your workspace through SSO.

Step 1: Open your SSO settings in Claap

Go to [Settings] > [Security] > [Single Sign-On].

This is where domain verification and all SSO configuration lives.

Step 2: Add your company domain

Enter your company's email domain (for example, company.com) and click [Add Domain].

You can add multiple domains, for example a parent company and a subsidiary. Each domain must be verified separately.

Step 3: Add the DNS TXT record to your domain

Claap will display a TXT record value. Add this TXT record to your domain's DNS settings through your DNS provider (for example, Cloudflare, Route 53, or GoDaddy).

DNS changes can take up to 48 hours to propagate. Once propagation is complete, return to [Settings] > [Security] > [Single Sign-On] and click [Verify Domain].

Verify: The domain status in [Settings] > [Security] > [Single Sign-On] should change to "Verified."

Phase 2: Create and Configure the Claap App in Okta

With your domain verified in Claap, your IT administrator sets up the Claap application in Okta and links the two systems. This phase requires coordination between the Claap workspace Admin and the Okta administrator.

Step 4: Create the Claap application in Okta

Your IT administrator opens the Okta Admin console and searches the app catalog for Claap. Add the Claap application to your Okta organization.

Step 5: Share Okta configuration details with Claap

Your IT administrator provides the Okta SSO configuration details (Identity Provider SSO URL, Issuer, and X.509 certificate) to your Claap account manager or support team.

Claap uses these details to complete the connection on the Claap side. Your account manager will confirm when the configuration is active.

Step 6: Configure user groups and role assignments in Okta

In Okta, assign users to groups that map to Claap roles and licenses. The available mappings are:

| Okta Group Maps To | Claap Role      | Claap License           |
|--------------------|-----------------|-------------------------|
| Role groups        | Member or Admin | -                       |
| License groups     | -               | Basic, Pro, or Business |

When a user belongs to multiple groups, Claap assigns the highest-level role and license across all groups.

Verify: Assign a test user to the Claap app in Okta and confirm the user appears in your Claap workspace under [Settings] > [Members].

Phase 3: Enable SCIM for Automatic User Provisioning

SCIM (System for Cross-domain Identity Management) keeps user accounts synchronized between Okta and Claap automatically. Enabling SCIM changes how user management works in your workspace, so review the changes below before activating.

Step 7: Activate SCIM provisioning

Work with your Claap account manager to enable SCIM for your workspace. Once active, Okta becomes the source of truth for user provisioning.

The following table shows what changes when SCIM is enabled:

| Action                    | Without SCIM           | With SCIM               |
|---------------------------|------------------------|-------------------------|
| Add workspace members     | Manual invitations     | Automatic via Okta      |
| Remove workspace members  | Manual suspension      | Automatic via Okta      |
| Change user roles         | Admin changes in Claap | Managed via Okta groups |
| Change user licenses      | Admin changes in Claap | Managed via Okta groups |
| Invite guests             | Available              | Still available         |
| Workspace invitation link | Available              | Disabled                |

Additional SCIM behaviors to be aware of:

  • Workspace Owners retain full control and are not affected by SCIM

  • Guests (external collaborators) can still be invited and managed manually in Claap

  • Users in a SCIM-managed workspace cannot rename their own accounts

Step 8: Match existing users to Okta accounts

When you activate SCIM, Claap matches existing workspace members to their Okta accounts by email address. Any user not found in Okta will be suspended automatically.

Review your existing member list in [Settings] > [Members] before enabling SCIM to identify any users who may not have matching Okta accounts.
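The review in Step 8 can be scripted as a pre-flight check. The sketch below is an added example, not a Claap or Okta tool: it compares a member list against the Okta users assigned to the Claap app and reports who would be suspended on activation. The CSV column names, the sample rows, and the treatment of only ACTIVE Okta users as present are assumptions.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a Claap or Okta format.
CLAAP_MEMBERS = """email,role
ana@company.com,Member
Bob@Company.com,Admin
carol@company.com,Owner
dave@oldbrand.io,Member
erin@agency.example,Guest
frank@company.com,Member
"""
OKTA_USERS = """login,status
ana@company.com,ACTIVE
bob@company.com,ACTIVE
frank@company.com,DEPROVISIONED
"""
VERIFIED_DOMAINS = {"company.com"}


def preflight(members_csv, okta_csv, verified_domains):
    """Classify Claap members by what an email-based SCIM match would do to them."""
    okta = {}
    for row in csv.DictReader(io.StringIO(okta_csv)):
        if row["status"].strip().upper() == "ACTIVE":  # assumption: only ACTIVE users count
            okta[row["login"].strip().lower()] = row["login"].strip()
    report = {"matched": [], "case_mismatch": [], "will_suspend": [],
              "unverified_domain": [], "skipped": []}
    for row in csv.DictReader(io.StringIO(members_csv)):
        email, role = row["email"].strip(), row["role"].strip()
        if role in ("Owner", "Guest"):
            # Per the article: Owners are not affected by SCIM, guests stay manual.
            report["skipped"].append(email)
            continue
        if email.rsplit("@", 1)[-1].lower() not in verified_domains:
            report["unverified_domain"].append(email)
        hit = okta.get(email.lower())
        if hit is None:
            report["will_suspend"].append(email)
        elif hit != email:
            # Whether matching ignores case is not documented; align these by hand.
            report["case_mismatch"].append(email)
        else:
            report["matched"].append(email)
    return report


if __name__ == "__main__":
    for bucket, emails in preflight(CLAAP_MEMBERS, OKTA_USERS, VERIFIED_DOMAINS).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Resolve every address under will_suspend and case_mismatch in Okta before asking your account manager to enable SCIM.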
