Advanced team auth

Setting up SSO, enabling JIT provisioning, and viewing audit logs

🚀

Advanced team auth features like SSO are only available on the Grow and Scale plans. Want to learn more? Reach out to sales@getstark.co to get started!

Navigate to the Team Auth page from the navigation menu to utilize the advanced team features Stark has available.

Setting up your SSO connection

💻

Make setup even easier by inviting your IT Admin on the Manage Team page. Their access will be limited to setting up your team (connecting SSO, enabling integrations, etc.) and they don't count towards your editor or viewer seats.

Our auth partner, WorkOS, makes setting up SSO a breeze. Simply click the Set up connection button and follow the steps to get everything wired up.

After you've created the SSO application on your side, you're free to designate who should have access (for example: only designers or only employees in a certain group). Typically, the person setting up SSO will know who needs access.

With SSO setup, you can jump right into inviting members. Users must be invited before signing in using SSO, but if you'd like to expedite that process, read below on enabling JIT provisioning.

Enabling JIT provisioning

Flipping the switch for JIT provisioning will make it so that first-time users signing in with your SSO connection will automatically have an account created. If you'd like to limit this feature to certain SSO groups:

Type the names of the groups you want to allow into the Groups textbox
Click Save SSO Groups

Configuring SCIM

System for Cross-domain Identity Management (SCIM) allows you to automatically provision, update, and de-provision users in Stark directly from your Identity Provider (IdP). This guide will walk you through the steps to get SCIM up and running.

Prerequisites

Before you can configure SCIM, you must have Single Sign-On (SSO) successfully set up and active for your team.

💻

Check status: Navigate to Team Auth in your settings. You should see your Identity Provider (e.g., Okta) listed as Active.

Step 1: Configure Your Directory

Once SSO is active, you need to link your directory to Stark. This process involves a configuration wizard powered by WorkOS.

Navigate to the Team Auth section in your sidebar.
Scroll down to the SCIM section.
Click the Configure directory button.
Follow the on-screen instructions in the setup wizard. You will need to copy specific API credentials and Endpoint URLs from the wizard and paste them into your Identity Provider’s SCIM configuration settings.

Step 2: Grant Access to Groups

After the directory is successfully linked, you must explicitly define which groups from your IdP are allowed to access Stark.

Return to the Team Auth page. You should now see your Identity Provider listed under SCIM with a Linked status.
Click the Add group button.
A modal will appear labeled Add Group. Select the desired group from the dropdown menu (e.g., "Engineers" or "Stark Users").
Click Add Group to confirm.

Users within these groups will now be automatically provisioned with access to your Stark workspace.

Managing Provisioned Groups

You can view and manage active groups at any time from the Team Auth dashboard.

View Groups: All synchronized groups are listed at the bottom of the SCIM section.
Revoke Access: To stop provisioning users from a specific group, click the Delete button next to the group name. This will remove access for users who were part of that specific group.

💻

If you are using Just-In-Time (JIT) Provisioning alongside SCIM, ensure your group settings in the JIT section do not conflict with your SCIM directory groups.

Accessing audit logs

Need to see who's logged in, changed roles and more? Click the View Logs button to access the audit logs through our auth partner, WorkOS.

Want to run through your setup with us? Not a problem! Reach out to support@getstark.co if you find yourself stuck or with questions.

Go back to articles