Connecting Spark to Okta: An Integration Guide
Spark serves as your authoritative HR source and the "source of truth" for all employee data. This integration offers two primary capabilities:
- Single Sign-On (SSO): You can sign in to Spark using your Okta credentials (via OpenID Connect). This includes a Spark card on your Okta End-User Dashboard for easy access.
- Automatic User Provisioning: Keep your Okta directory in sync with Spark using the SCIM 2.0 protocol.
- Import-only model: Data flows in one direction - from Spark to Okta.
- Master data management: Spark is the driver for user lifecycle events. User creation, profile updates, and deactivation must be performed in Spark, and Okta will reflect these changes during each import.
Before you begin the integration, ensure you have the following requirements in place. These enable the Single Sign-On (SSO) and automatic user synchronization features.
- You must have an active Okta administrator account and administrative access to your Spark tenant.
- Your Spark workspace must be accessible via your unique URL (e.g., https://{workspace}.spark.work).
- For security and functionality, a Spark user profile must already exist for every individual who will sign in via Okta.
Before the Okta integration appears in your Spark Marketplace, it must be activated for your tenant. This is a one-time step.
1. Request activation: Email the Spark team to enable the Okta integration for your tenant.
Subject: Enable Okta integration — {your Spark workspace}
Include: your Spark workspace URL (https://{workspace}.spark.work) and your admin contact.
Template:
Hi Spark team,
Please enable the Okta integration for our tenant {workspace} (https://{workspace}.spark.work).
Admin contact: {name} / {email}.
Thank you!
2. Connect from the Marketplace. Once Spark confirms the integration is enabled, a tenant administrator:
- Opens the Spark Marketplace: https://{workspace}.spark.work/marketplace/integrations.
- Finds the Okta integration and clicks Connect.
This unlocks the SSO and SCIM configuration described below.

A1. Create the OIDC app in Okta
If you are installing Spark from the Okta Integration Network catalog, the app is created automatically. In this case, skip these steps and proceed directly to A2.
If you are setting up a custom OIDC app:
1. Okta Admin Console → Applications → Create App Integration.
2. Sign-in method: OIDC – OpenID Connect. Application type: Web Application.
3. Sign-in redirect URI:
https://auth.spark.work/api/OktaAuth/callback
4. Initiate login URI (enables the dashboard card):
https://auth.spark.work/api/OktaAuth/initiate
5. Grant type: Authorization Code (PKCE enabled). Scopes: openid profile email .
6. Login flow: Redirect to app to initiate login (OIDC Compliant).
7. Assignments: assign the users/groups who should access Spark.
- For the dashboard card to appear, the app must be assigned to users — so
Mode ON, sign-in still works but no card is shown.
8. Copy the app's Client ID and Client secret.
In Spark, an administrator configures the Okta SSO connection:
1. Go to:
https://{workspace}.spark.work/admin/domain/integrations/authentication .
2. Add a new Okta SSO configuration using the following details:
- Org URL: your Okta org URL, e.g. https://{your-org}.okta.com
- Use the org URL, NOT the admin console URL. It must NOT contain -admin (e.g. https://acme.okta.com, never https://acme-admin.okta.com).
- Client ID & Client Secret: Paste the values you copied in Step A1.8.

3. Click Save to apply the configuration. Once saved, the SSO connection will be active.
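As an added illustration (not Spark's or Okta's own code), the sketch below checks an org URL against the rule in A2 and builds the kind of Authorization Code + PKCE request configured in A1. The function names, the sample client ID and the use of Okta's org authorization server endpoint `/oauth2/v1/authorize` are assumptions; the page does not say which authorization server Spark calls.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

REDIRECT_URI = "https://auth.spark.work/api/OktaAuth/callback"  # step A1.3
SCOPES = "openid profile email"  # step A1.5


def validate_org_url(org_url):
    """Return the normalized org URL, or raise ValueError if it is unusable."""
    parts = urlsplit(org_url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        raise ValueError("org URL must be an https:// URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("org URL must be the bare origin, with no path")
    if host.split(".")[0].endswith("-admin"):
        raise ValueError("admin console URL given; remove -admin")
    return "https://" + host


def s256_challenge(code_verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request(org_url, client_id):
    """Return (url, session); session values stay server-side until the callback."""
    session = {
        "code_verifier": secrets.token_urlsafe(32),  # 43 chars, the RFC minimum
        "state": secrets.token_urlsafe(16),          # CSRF check on the callback
        "nonce": secrets.token_urlsafe(16),          # must match the ID token
    }
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": SCOPES,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    })
    # Assumption: the Okta org authorization server endpoint is used.
    return validate_org_url(org_url) + "/oauth2/v1/authorize?" + query, session
```

The `redirect_uri` in the request has to match the Sign-in redirect URI registered in A1 exactly, which is the first thing to compare when Okta rejects the sign-in.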

A3. Test sign-in
- From Spark (SP-initiated): open https://{workspace}.spark.work, click Sign in with Okta.
- From Okta (IdP-initiated): open the Okta End-User Dashboard and click the Spark card.
Both methods authenticate the user in Spark by matching their Okta email address to an existing Spark user account.
Okta imports employee profiles (name, email, phone, job title, department, active status) from Spark. Spark remains the source of truth — Okta does not create or edit users in Spark.
B1. Generate a SCIM bearer token in Spark
- In Spark, go to https://{workspace}.spark.work/my-settings/integrations/okta-scim
- Click Generate / Mint token. Copy the token — it is shown once.
- You can revoke or rotate this token at any time from the same page.

B2. Configure provisioning in Okta
1. Navigate to your Spark app in Okta: Provisioning → Integration. (If using the OIN catalog, these fields are available under the "Provisioning" tab.)
- SCIM connector base URL:
- Unique identifier field for users: userName (email).
- Authentication Mode: HTTP Header / Bearer Token. Paste the token from B1 (Okta sends it as Authorization: Bearer {token}).
- Provisioning Actions: Enable Import Users (and Import User Schema).
- Spark supports read/import only. Push actions (create/update/deactivate) are not supported because Spark acts as the source of truth.
- Click Test Connector Configuration to verify that the connection is successful.
Since Spark acts as the "source of truth," use these steps to keep your user list in Okta up-to-date and automate employee terminations.
Initial Synchronization
1. Run Import: Go to Provisioning → Import and click Import Now (or set up a recurring schedule).
2. Mapping: Review and confirm the mapping of imported users to their corresponding Okta accounts.
3. Configure Deactivation: In the Profile & Lifecycle Sourcing settings, set "When a user is deactivated in the app" to Deactivate.
Result: Once configured, if an employee is deactivated in Spark, the next import will automatically update their status in Okta to active=false, ensuring access is revoked in real-time.
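Because deactivation reaches Okta only when an import runs, it is worth checking that no terminated employee still holds a live Okta account. The following added example (not part of the Spark or Okta products) reconciles a SCIM 2.0 ListResponse from Spark against Okta user statuses; both data sets are constructed samples, the function names are hypothetical, and a real check would page through the full SCIM result and the Okta user list.

```python
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: one page of users as a SCIM 2.0 import would return them.
SPARK_SCIM_PAGE = {
    "schemas": [LIST_RESPONSE],
    "totalResults": 3,
    "Resources": [
        {"userName": "Ana@example.com", "active": True},
        {"userName": "bo@example.com", "active": False},
        {"userName": "cy@example.com", "active": False},
    ],
}

# Constructed sample: Okta login -> Okta user status.
OKTA_USERS = {
    "ana@example.com": "ACTIVE",
    "bo@example.com": "ACTIVE",         # deactivated in Spark, import not yet run
    "cy@example.com": "DEPROVISIONED",  # deactivation already applied
    "dee@example.com": "ACTIVE",        # no Spark profile at all
}


def spark_active_flags(page):
    """Map lower-cased userName (email) to the SCIM 'active' attribute."""
    if LIST_RESPONSE not in page.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    flags = {}
    for resource in page.get("Resources", []):
        # Assumption: a missing 'active' attribute is treated as active.
        login = resource["userName"].strip().lower()
        flags[login] = bool(resource.get("active", True))
    return flags


def reconcile(page, okta_users):
    """Return Okta accounts that contradict Spark, the source of truth."""
    spark = spark_active_flags(page)
    live = {login.strip().lower() for login, status in okta_users.items()
            if status != "DEPROVISIONED"}
    return {
        # Deactivated in Spark but not yet deactivated in Okta.
        "stale_access": sorted(l for l in live if spark.get(l) is False),
        # Present in Okta with no Spark profile to match on email.
        "no_spark_profile": sorted(l for l in live if l not in spark),
    }
```

Emails are compared case-insensitively here because the page matches users on email address; adjust that if your Okta logins are case-sensitive.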

Notes & Troubleshooting
If you encounter any issues during the Okta integration, refer to the table below for common symptoms and their resolutions:

