User provisioning & deprovisioning

Super Admins of Enterprise Organizations can quickly and easily provision and deprovision users in Asana from their identity management provider. Your Workspace’s API endpoint can also be used to configure with SCIM. SCIM provisioning allows Super Admins to:

  • Create a new user
  • Update a user's profile attributes (Okta and Azure AD only)
  • Import Asana users into their identity management provider
  • Import Asana Teams into their identity management provider (Okta only)
  • Create Teams in Asana from their identity management provider (Okta and Azure AD only)
  • Deactivate a user

The following provisioning features are not supported by Asana:

  • Reactivating users
  • Deleting teams in Asana

Set up provisioning

To use SCIM provisioning, you will need to connect your Organization's Asana account with one of our supported identity providers. Setup will vary according to the identity provider you use. Asana supports SCIM provisioning via:

Okta

Features

Super Admins of enterprise organizations can quickly and easily provision and deprovision users in Asana from Okta. The integration between Asana and Okta relies on an industry-standard protocol called SCIM that allows Super Admins to:

  • Create users: Okta users assigned to the Asana application in Okta are automatically added as members to your organization in Asana.

  • Create users: Okta users assigned to the Asana application in Okta are automatically added as members to your organization in Asana.

  • Update user’s profile attributes: Attributes such as role and department for a user’s profile can be synced from the user’s Okta profile to Asana.

  • Import users: Users created in Asana can be imported in Okta either matched against existing Okta users or created as new Okta users.

  • Import groups: Teams created in Asana can be imported as groups in Okta. Take into account Okta does not allow you to manage memberships of these imported groups.

  • Push groups: Groups and their members in Okta can be pushed to Asana (as Asana teams and team members).

  • Link groups: Existing teams in Asana can be linked to groups in Okta after importing the teams from Asana.

  • Deactivate users: Users can be deactivated in Asana if they are no longer assigned to the app in Okta.

    The following provisioning features are not supported at the moment:

  • Reactivating users

  • Deleting teams in Asana

Requirements

Please ensure that you meet the following requirements before turning on SCIM for your organization.

  1. You’re a Super Admin for an organization in Asana that’s on the Enterprise tier.
  2. You have the correct Okta plan for provisioning users via SCIM. Please see Okta’s Lifecycle management offerings for more information.

If you meet these requirements, use the following steps to enable SCIM for your organization.

Steps

Step 1: Add Asana’s Okta integration app to your Okta account

asana okta integration

Login to Okta and add Asana’s Okta integration:

  1. Click on Applications on the sidebar
  2. Click on Browse App Catalog

asana okta integration2

To add Asana:

  1. Click on Collaboration and Productivity
  2. Click on Asana

add asana

Step 2: Connect your organization’s Asana account to your Okta account

To use SCIM provisioning, you will need to connect your organization’s Asana account with your Okta account.

Complete the following steps in Asana

org settings

Login to a Super Admin account on Asana, and navigate to the Admin Console menu by clicking on your profile picture in the top right, and clicking on Admin Console.

apps tab

Navigate to the Apps tab.

add service account

Click Add service account.

add service token

Adding a Service Account will generate an API key, that you can use in the Provisioning tab in the Asana app within Okta.

Complete the following steps in Okta

Login to your Okta admin portal and under the Applications tab, navigate to the Asana application.

okta admin portal

To connect Asana to your Okta account:

  1. Click on Provisioning
  2. Under the Settings sidebar click on Integration and click on Configure API Integration
  3. Check the Enable API integration box
  4. In the API Token field, enter the token you received in your Service Accounts tab in Asana.
  5. Click on Test API Credentials to verify the token is set up correctly
  6. Click Save to save your configuration in Okta

Step 3: Set up provisioning options for Asana in your Okta account

In Okta

Under the applications tab, navigate to the Asana app and click on Provisioning.

okta provisioning options

To set up provisioning options:

  1. Under the Settings sidebar click on To App
  2. Click on Edit at the top right
  3. Enable user provisioning options for the Asana app and click Save to apply integration settings

We recommend you enable Create Users, Update User attributes, and Deactivate users.

import tab

Use the Import tab to reconcile the users detected in Asana with the users you have in your Okta domain. Import any Asana users that you’d like to create or assign Okta accounts for.

assignments tab

Administer the users assigned to Asana as you would with SAML using the Assignments tab. Users will now be automatically kept in sync with the Asana members list.

Step 4: Map provisioned users into teams in Asana

To map Okta groups to Asana teams, you can decide to push new groups into Asana or link groups in Okta to existing teams in Asana. If you’re linking groups, please ensure that the teams you’d like to map them to are already set up inside Asana. Find out more about how to create a team in Asana in the Guide article here.

In the Okta admin portal:

  • Go to the Asana app and click on Refresh App Groups to update any imports or changes that occurred in Asana. This ensures that all groups from the target app are represented in Okta.
  • Click the Action button (Group Push Settings)wheel

push groups

  1. Click on Push Groups
  2. Select By name and use a keyword to find the group in Okta
  3. When the group appears in the table, click the Match results and push action drop-down menu. Choose Link Group if you’re trying to map a group to an existing team. Otherwise, select Create group. Click Save to apply integration settings.

Please note that deletion of teams in Asana from Okta isn’t supported by this integration

Please use the Teams tab in the Admin Console in Asana to manage and delete teams.

Step 5: Configure attribute mappings for Asana

To configure and map attributes to user profiles in Asana, please follow the following steps.

  • Go to the Asana app and click on the Provisioning tab.
  • Configure the right options under the Asana Attribute Mappings section.
  • Select Create or Create and Update from the choices under the Apply on column.
Attribute Type Info Notes on limitations
userName string Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Each User MUST include a non - empty userName value, and it must be an email address. REQUIRED.
name complex The user’s name
name.given string Unsupported, use formatted
name.familyName string Unsupported, use formatted
name.formatted string The full name of the user
emails complex Email addresses for the user
emails.value string Email address for the user
email.primary string Whether this email address is the preferred email address for this user. True may only appear once for this attribute.
title string The user's title, such as "Vice President".
department string Identifies the name of the department that the user belongs to.
preferredLanguage string Indicates the User's preferred written or spoken language. Used for selecting a localized user interface; e.g., 'en_US' specifies the language English and country US. “Preferred language” can only be set for a user when the user is being created in Asana. Updates to the preferredLanguage field in Okta for existing Asana users don’t get reflected inside Asana.
Active boolean Indicate whether the user’s account is active in Asana.

Step 6: How to update your current Asana - Okta integration

If you’re currently using the Asana - Okta integration, please use the following steps in order to enable/access the latest updates.

update integration

  1. Click on Provisioning
  2. On the left sidebar, click on Integration
  3. Click Edit
  4. Uncheck the Enable API integration and click Save.

Then, click on Edit again, check Enable API integration, enter the API token and click Save. Then, enable provisioning features. After this, you’ll see new attribute updates and integration capabilities reflected in the integration.

Assigning the Asana app to users in Okta will create that user profile within Asana, and trigger the same behavior as if they had been invited to Asana. It's important to note this when informing users that they have been assigned the Asana app.

When creating or updating users, the users must have email addresses that correspond with the Asana Organization. Organization Guests will continue to be provisioned and deprovisioned, and managed within the Asana members tab only.

OneLogin

Learn how to configure SCIM provisioning using OneLogin here.

To enable SCIM functionality with non-natively integrated IdPs please check the necessary accepted attributes here.

Sorry, we don't support this browser

Asana doesn't work with the internet browser you are currently using. Please sign up using one of these supported browsers instead.

Choose your language

Selecting a language changes the language and/or content on asana.com