You want to automate user provisioning and deprovisioning between Okta and your Notion workspace to reduce manual admin work. Notion supports SCIM 2.0 for identity management, and Okta acts as the identity provider that pushes user changes to Notion. This article explains how to configure the Notion SCIM integration in Okta, set up attribute mappings, and test the connection so that new hires, role changes, and terminations sync automatically.
Key Takeaways: SCIM Provisioning Between Okta and Notion
- Settings & Members > Settings > SCIM Integration: Generate the SCIM bearer token that Okta uses to connect to your Notion workspace.
- Okta Admin Console > Applications > Notion > Provisioning: Enable SCIM and paste the Notion SCIM base URL and token into Okta’s provisioning settings.
- Okta Admin Console > Profile Editor > Notion User: Map Okta attributes like email and displayName to the corresponding Notion SCIM attributes to ensure correct data flow.
What Is SCIM Provisioning and Why Use It With Notion
SCIM stands for System for Cross-domain Identity Management. It is an open standard that allows identity providers like Okta to automatically create, update, and delete user accounts in a service provider like Notion. Without SCIM, an admin must manually add each user to the Notion workspace and remove them when they leave. With SCIM, Okta sends a push request to Notion every time a user is assigned to the Notion app or removed from it.
Notion supports SCIM 2.0 on its Business and Enterprise plans. The feature is not available on Free or Plus plans. Before you begin, confirm that your Notion workspace is on a Business or Enterprise plan and that you have workspace owner permissions. You also need Okta administrator access with permission to add and configure applications.
The integration uses a bearer token that Notion generates. Okta uses this token to authenticate all SCIM API calls. The token never expires, but you can regenerate it from the Notion SCIM settings page if needed. The connection is outbound from Okta to Notion; Okta initiates all provisioning requests.
Steps to Configure Notion SCIM Provisioning in Okta
Follow these steps in order. Do not skip the token generation step, because Okta requires the token before you can enable provisioning.
- Generate the SCIM Bearer Token in Notion
Open Notion and go to Settings & Members from the left sidebar. Select the Settings tab, then scroll down to SCIM Integration. Click Generate Token. Copy the token string that appears. Store it in a secure password manager because you cannot view it again after closing the dialog. - Add the Notion Application in Okta
Sign in to the Okta Admin Console. Go to Applications > Applications and click Add Application. Search for Notion in the app catalog. Select Notion and click Add. On the General Settings page, enter a display name for the app and click Done. - Enable SCIM Provisioning in Okta
In the Okta Admin Console, go to Applications > Applications and click the Notion app you just created. Open the Provisioning tab. Click Configure API Integration. Check the box titled Enable API integration. Paste the SCIM base URL into the API Token field. The SCIM base URL is alwayshttps://api.notion.com/v1/scim/v2. Paste the bearer token you copied from Notion into the API Token field. Click Test API Credentials. A success message confirms the connection. Click Save. - Configure Provisioning Features
Still in the Provisioning tab, click To App under the Settings heading. Click Edit. Check the boxes for Create Users, Update User Attributes, and Deactivate Users. These three options enable full lifecycle management. Click Save. - Map Okta Attributes to Notion SCIM Attributes
In the Provisioning tab, go to Attribute Mappings. Click the Mappings heading and select Okta User to Notion. The default mapping sends email to userName and displayName to displayName. Verify that the following mappings exist: email maps to userName, displayName maps to displayName, and name.givenName maps to name.givenName. If any mapping is missing, click Add Mapping and select the correct Okta attribute and Notion attribute. Click Save Mappings. - Assign Users to the Notion App
Go to Applications > Applications and click the Notion app. Open the Assignments tab. Click Assign and select Assign to People. Search for a test user and click Assign. Confirm the assignment. Okta pushes the user to Notion within a few minutes. You can force a push by clicking the Push Now button in the Provisioning tab. - Verify the Provisioning in Notion
Open Notion and go to Settings & Members. Under the Members section, confirm that the assigned user appears with the correct name and email. The user should have a Member or Admin role depending on the Okta group assignment. Remove the user from the Okta app assignment to test deprovisioning. The user should disappear from the Notion members list within minutes.
If SCIM Provisioning Fails or Behaves Unexpectedly
Okta Returns a 401 Unauthorized Error When Testing API Credentials
This error means the bearer token is invalid or expired. Notion tokens do not expire, but you may have copied the token incorrectly. Regenerate the token in Notion and paste it into Okta again. Ensure there are no extra spaces before or after the token string. If the error persists, confirm that your Notion workspace is on a Business or Enterprise plan. SCIM is not available on Free or Plus plans.
User Is Created in Notion but Shows the Wrong Name
The attribute mapping in Okta may be incorrect. Go to the Provisioning tab and open Attribute Mappings. Verify that the Okta attribute displayName maps to the Notion attribute displayName and that name.givenName maps to name.givenName. If you use a custom Okta attribute for the user’s full name, map that custom attribute instead of displayName. Save the mapping and push the user again.
User Is Not Deprovisioned After Removal From Okta
Open the Provisioning tab in the Okta Notion app and confirm that Deactivate Users is checked. If it is checked, check the Okta system log for provisioning errors. Go to Reports > System Log and filter by event type application.provision.user_deactivate. If the log shows a success but the user still appears in Notion, wait up to 10 minutes for the SCIM sync to complete. You can also manually deactivate the user in Notion from Settings & Members.
SCIM Token Was Accidentally Exposed
Regenerate the token immediately in Notion from Settings & Members > Settings > SCIM Integration. Click Generate Token again. The old token becomes invalid. Update the API Token field in the Okta provisioning settings with the new token and save.
| Item | Notion Free / Plus | Notion Business / Enterprise |
|---|---|---|
| SCIM 2.0 support | Not available | Available |
| Bearer token generation | No SCIM settings page | Settings & Members > SCIM Integration |
| User lifecycle automation | Manual only | Automatic via Okta |
| Attribute mapping control | None | Okta profile editor |
| Deprovisioning | Manual removal | Automatic on Okta user deactivation |
You can now provision and deprovision Notion users automatically through Okta without touching the Notion admin panel. Test the integration with a small group of users before rolling out to the entire organization. For advanced control, use Okta group rules to assign the Notion app based on department or role, which reduces manual assignment work.