{"slug":"user-group-provisioning-for-okta","title":"User & group provisioning for Okta","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# User & group provisioning for Okta\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nThis featureis available for [the Standard, Premium, and Enterprise plans](https://tailscale.com/pricing).\r\n\r\nTailscale supports System for Cross-domain Identity Management (SCIM) to integrate with Okta.\r\n\r\n## [Features](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#features)\r\n\r\nThe following provisioning features are supported:\r\n\r\n- **Create users** in Tailscale from Okta\r\n- **Update user attributes** in Tailscale from Okta\r\n- **Deactivate users** in Okta to suspend them in Tailscale\r\n- **Group push** from Okta to Tailscale\r\n\r\n## [Requirements](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#requirements)\r\n\r\n- Install the Tailscale app from the\r\n[Okta Integration Network](https://www.okta.com/integrations/tailscale) and [configure it](https://tailscale.com/docs/integrations/identity/okta) to activate Okta for your domain.\r\n\r\nIf you're using Tailscale through a [custom app integration](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard.htm)\r\nyou'll need to replace that configuration with the Tailscale app and configuration.\r\n\r\n- You must use **Email** as the **Application username format**, and each Okta user's primary email must be identical to their application username. Failure to do so will result in errors.\r\n\r\n\r\n## [Step-by-Step Configuration Instructions](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#step-by-step-configuration-instructions)\r\n\r\nUse the following steps to enable provisioning in Tailscale.\r\n\r\n### [Enable Provisioning](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#enable-provisioning)\r\n\r\n#### [In Tailscale](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#in-tailscale)\r\n\r\n**Generate a SCIM API key**\r\n\r\n1. In the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console, under **SCIM Provisioning**, select **Enable Provisioning**.\r\n![Enable Provisioning for Okta](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgenerate-api-key.dceb5216.png&w=3840&q=75)\r\n2. Copy the generated key to the clipboard.\r\n![Generate SCIM API key](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcopy-generated-api-key.2415fb16.png&w=1080&q=75)\r\n\r\n#### [In Okta](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#in-okta)\r\n\r\n**Copy the key into the Tailscale app**\r\n\r\n1. (Optional) On the **Sign On** tab, in **Advanced Sign-on Settings** select the Tailscale instance to connect to. For most users, leave the default option **Tailscale** selected. If you need to connect to the US high compliance server, select **Tailscale (US high compliance) – must be allowlisted** and fill out the [Identity provider configuration or change](https://tailscale.com/contact/support?type=sso) section of the support form.\r\n![Select Tailscale instance](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fselect-tailscale-instance.d90f67ff.png&w=1920&q=75)\r\n2. On the **Provisioning** tab, select **Integration**, then select **Configure API Integration**.\r\n![Configure SCIM API Integration in Okta Admin UI](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-api-integration.5ab35d4e.png&w=3840&q=75)\r\n3. Select **Enable API integration**. Paste the generated key into the API Token field. Note that Tailscale-generated SCIM API keys are case-sensitive.\r\n![Enable SCIM API Integration with Tailscale SCIM API Key](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-api-integration.082a8196.png&w=3840&q=75)\r\n4. If there is an **Import Groups** checkbox, uncheck it.\r\n\r\n5. Select **Test API Credentials** to verify the SCIM connection, and then select **Save**.\r\n\r\n\r\n### [Enable User Sync](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#enable-user-sync)\r\n\r\n1. In Okta, under **Sign On** \\> **Credential Details**, select **Email** as the **Application username format**.\r\n![Select Email as the Application username format in Okta Admin UI](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Femail-username-format.fb7869bf.png&w=3840&q=75)\r\n2. Under **Provisioning** \\> **Settings** \\> **To App**, select to enable **Create Users**, **Update User Attributes**,\r\nand **Deactivate Users**, and then select **Save**.\r\n![Enable User Sync features in Okta Admin UI](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-user-sync.78b16cfe.png&w=3840&q=75)\r\n3. Under **Assignments**, select **Provision User** to ensure that all users previously assigned to the application\r\nare provisioned in Tailscale.\r\n![Provision Users in Tailscale](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fprovision-users.bf705376.png&w=1920&q=75)\r\n\r\n### [Enable Group Sync](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#enable-group-sync)\r\n\r\nWith group sync, you can refer to a group from Okta in your tailnet policy file, with a human-readable name. For example:\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:groupname@example.com\"],\\\r\n      \"dst\": [\"*:*\"]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:all employees@example.com\"],\\\r\n      \"dst\": [\"autogroup:self:*\"]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:engineering@example.com\"],\\\r\n      \"dst\": [\"tag:logging:*\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nGroups synced from Okta do not replace groups in Tailscale. You can use Okta group sync and also\r\ndefine groups in the tailnet policy file.\r\n\r\n#### [In Okta](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#in-okta-1)\r\n\r\n1. Under **Applications**, select the Tailscale app.\r\n\r\n2. Under **Push Groups**, expand the **Push Groups** button, and select the group to push to Tailscale.\r\n![Enable Group Sync in Okta Admin UI](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-group-sync.e2654a1e.png&w=3840&q=75)\r\n3. Select **Save**, or select **Save & Add Another** if you want to push another group.\r\n\r\n\r\nIn practice, changes to groups in Okta tend to be reflected to Tailscale in seconds, but that is not a guarantee.\r\n\r\n#### [In Tailscale](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#in-tailscale-1)\r\n\r\nIn the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console, under **Group Sync** you\r\nshould find the groups that you pushed from Okta.\r\n\r\n![Sync groups in Tailscale Access Controls UI](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fsync-groups.54e8bd2a.png&w=3840&q=75)\r\n\r\nTo use a pushed group in an [access rule](https://tailscale.com/docs/features/access-control), either select **Copy** and paste it into a rule, or type it in:\r\n\r\n```json\r\n\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:engineering@example.com\"],\\\r\n    \"dst\": [\"tag:logging\"],\\\r\n    \"ip\": [\"*\"]\\\r\n  }\\\r\n]\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nSynced group names are treated as lowercase. They can include spaces, but not the `@` symbol.\r\n\r\n#### [Updating Okta Group Names](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#updating-okta-group-names)\r\n\r\nIf you change the name of your group in Okta, the Tailscale access control policy for that group will no longer apply. The access control policy is dependent on the name\r\nyou configured in Okta, not on a group reference. Tailscale will fail closed, and you will find an error message in the\r\nadmin console.\r\n\r\n![Error message in UI for group not syncing](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgroup-not-syncing-message.863fb23c.png&w=3840&q=75)\r\n\r\nIf you modified the name of the group, update the group in the [access control policy](https://tailscale.com/docs/features/access-control) to the new group name. You can also revert the\r\nname change in Okta if this was unintentional.\r\n\r\n### [Disabling Group Sync](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#disabling-group-sync)\r\n\r\n#### [In Okta](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#in-okta-2)\r\n\r\n1. Under **Applications**, select the Tailscale app.\r\n\r\n2. Under **Push Groups**, expand the **Push Groups** button, deselect the groups you no longer want to push to\r\nTailscale, and select **Save**.\r\n\r\n\r\n#### [In Tailscale](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#in-tailscale-2)\r\n\r\n1. In the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console, under **SCIM Provisioning**, select **Disable provisioning**, and then select **Disable provisioning** to confirm.\r\n\r\n2. In the [Access controls](https://login.tailscale.com/admin/acls) page of the admin console, update your rules to no\r\nlonger reference any group which is no longer pushed.\r\n\r\n3. If you no longer want to keep the SCIM API key that you used for Okta, [revoke the key](https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key).\r\n\r\n\r\n### [Known Limitations](https://tailscale.com/docs/integrations/identity/okta/okta-scim\\#known-limitations)\r\n\r\n- If you configured Okta as your identity provider for Tailscale prior to November 2021, you will need to reconfigure your identity provider. To use user & group provisioning, use the new Tailscale app in Okta.\r\n- You must use **Email** as the **Application username format** for Tailscale in Okta.\r\n- Tailscale groups are parsed lowercased in the tailnet policy file, so any casing in Okta is ignored.\r\n- Groups from Okta cannot contain the `@` symbol.\r\n- If the name of your group changes, the access control policy for that group will no longer apply and Tailscale will fail closed. Refer to\r\n[Updating Okta Group Names](https://tailscale.com/docs/integrations/identity/okta/okta-scim#updating-okta-group-names) for recommended actions.\r\n- Users [suspended in Okta](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-suspend.htm) are not synced to Tailscale. Only users [deactivated](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-deactivate-user-account.htm) or [unassigned from the Tailscale app](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-unassign-apps.htm) in Okta are [suspended in Tailscale](https://tailscale.com/docs/features/sharing/how-to/remove-team-members#suspending-users).\r\n  - A user suspended in Okta will remain logged into Tailscale, and maintain access to all of their nodes and permissions granted by access control policies. They will only lose access as their device keys expire and they are blocked from re-authenticating new sessions with Okta.\r\n- Groups [unlinked in Okta that are retained in Tailscale](https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-group-push-operations.htm), as well as those [deactivated from group push](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm) are not synced to Tailscale.\r\n- You cannot use group sync to assign Tailscale admins or other [user roles](https://tailscale.com/docs/reference/user-roles), only manage\r\npermissions in access control policies.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>User &#x26; group provisioning for Okta</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>This featureis available for <a href=\"https://tailscale.com/pricing\">the Standard, Premium, and Enterprise plans</a>.</p>\n<p>Tailscale supports System for Cross-domain Identity Management (SCIM) to integrate with Okta.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#features\">Features</a></h2>\n<p>The following provisioning features are supported:</p>\n<ul>\n<li><strong>Create users</strong> in Tailscale from Okta</li>\n<li><strong>Update user attributes</strong> in Tailscale from Okta</li>\n<li><strong>Deactivate users</strong> in Okta to suspend them in Tailscale</li>\n<li><strong>Group push</strong> from Okta to Tailscale</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#requirements\">Requirements</a></h2>\n<ul>\n<li>Install the Tailscale app from the\r\n<a href=\"https://www.okta.com/integrations/tailscale\">Okta Integration Network</a> and <a href=\"https://tailscale.com/docs/integrations/identity/okta\">configure it</a> to activate Okta for your domain.</li>\n</ul>\n<p>If you're using Tailscale through a <a href=\"https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard.htm\">custom app integration</a>\r\nyou'll need to replace that configuration with the Tailscale app and configuration.</p>\n<ul>\n<li>You must use <strong>Email</strong> as the <strong>Application username format</strong>, and each Okta user's primary email must be identical to their application username. Failure to do so will result in errors.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#step-by-step-configuration-instructions\">Step-by-Step Configuration Instructions</a></h2>\n<p>Use the following steps to enable provisioning in Tailscale.</p>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#enable-provisioning\">Enable Provisioning</a></h3>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#in-tailscale\">In Tailscale</a></h4>\n<p><strong>Generate a SCIM API key</strong></p>\n<ol>\n<li>In the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console, under <strong>SCIM Provisioning</strong>, select <strong>Enable Provisioning</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgenerate-api-key.dceb5216.png&#x26;w=3840&#x26;q=75\" alt=\"Enable Provisioning for Okta\"></li>\n<li>Copy the generated key to the clipboard.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fcopy-generated-api-key.2415fb16.png&#x26;w=1080&#x26;q=75\" alt=\"Generate SCIM API key\"></li>\n</ol>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#in-okta\">In Okta</a></h4>\n<p><strong>Copy the key into the Tailscale app</strong></p>\n<ol>\n<li>\n<p>(Optional) On the <strong>Sign On</strong> tab, in <strong>Advanced Sign-on Settings</strong> select the Tailscale instance to connect to. For most users, leave the default option <strong>Tailscale</strong> selected. If you need to connect to the US high compliance server, select <strong>Tailscale (US high compliance) – must be allowlisted</strong> and fill out the <a href=\"https://tailscale.com/contact/support?type=sso\">Identity provider configuration or change</a> section of the support form.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fselect-tailscale-instance.d90f67ff.png&#x26;w=1920&#x26;q=75\" alt=\"Select Tailscale instance\"></p>\n</li>\n<li>\n<p>On the <strong>Provisioning</strong> tab, select <strong>Integration</strong>, then select <strong>Configure API Integration</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fconfigure-api-integration.5ab35d4e.png&#x26;w=3840&#x26;q=75\" alt=\"Configure SCIM API Integration in Okta Admin UI\"></p>\n</li>\n<li>\n<p>Select <strong>Enable API integration</strong>. Paste the generated key into the API Token field. Note that Tailscale-generated SCIM API keys are case-sensitive.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-api-integration.082a8196.png&#x26;w=3840&#x26;q=75\" alt=\"Enable SCIM API Integration with Tailscale SCIM API Key\"></p>\n</li>\n<li>\n<p>If there is an <strong>Import Groups</strong> checkbox, uncheck it.</p>\n</li>\n<li>\n<p>Select <strong>Test API Credentials</strong> to verify the SCIM connection, and then select <strong>Save</strong>.</p>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#enable-user-sync\">Enable User Sync</a></h3>\n<ol>\n<li>In Okta, under <strong>Sign On</strong> > <strong>Credential Details</strong>, select <strong>Email</strong> as the <strong>Application username format</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Femail-username-format.fb7869bf.png&#x26;w=3840&#x26;q=75\" alt=\"Select Email as the Application username format in Okta Admin UI\"></li>\n<li>Under <strong>Provisioning</strong> > <strong>Settings</strong> > <strong>To App</strong>, select to enable <strong>Create Users</strong>, <strong>Update User Attributes</strong>,\r\nand <strong>Deactivate Users</strong>, and then select <strong>Save</strong>.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-user-sync.78b16cfe.png&#x26;w=3840&#x26;q=75\" alt=\"Enable User Sync features in Okta Admin UI\"></li>\n<li>Under <strong>Assignments</strong>, select <strong>Provision User</strong> to ensure that all users previously assigned to the application\r\nare provisioned in Tailscale.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fprovision-users.bf705376.png&#x26;w=1920&#x26;q=75\" alt=\"Provision Users in Tailscale\"></li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#enable-group-sync\">Enable Group Sync</a></h3>\n<p>With group sync, you can refer to a group from Okta in your tailnet policy file, with a human-readable name. For example:</p>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:groupname@example.com\"],\\\r\n      \"dst\": [\"*:*\"]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:all employees@example.com\"],\\\r\n      \"dst\": [\"autogroup:self:*\"]\\\r\n    },\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"group:engineering@example.com\"],\\\r\n      \"dst\": [\"tag:logging:*\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>Groups synced from Okta do not replace groups in Tailscale. You can use Okta group sync and also\r\ndefine groups in the tailnet policy file.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#in-okta-1\">In Okta</a></h4>\n<ol>\n<li>\n<p>Under <strong>Applications</strong>, select the Tailscale app.</p>\n</li>\n<li>\n<p>Under <strong>Push Groups</strong>, expand the <strong>Push Groups</strong> button, and select the group to push to Tailscale.\r\n<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-group-sync.e2654a1e.png&#x26;w=3840&#x26;q=75\" alt=\"Enable Group Sync in Okta Admin UI\"></p>\n</li>\n<li>\n<p>Select <strong>Save</strong>, or select <strong>Save &#x26; Add Another</strong> if you want to push another group.</p>\n</li>\n</ol>\n<p>In practice, changes to groups in Okta tend to be reflected to Tailscale in seconds, but that is not a guarantee.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#in-tailscale-1\">In Tailscale</a></h4>\n<p>In the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console, under <strong>Group Sync</strong> you\r\nshould find the groups that you pushed from Okta.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fsync-groups.54e8bd2a.png&#x26;w=3840&#x26;q=75\" alt=\"Sync groups in Tailscale Access Controls UI\"></p>\n<p>To use a pushed group in an <a href=\"https://tailscale.com/docs/features/access-control\">access rule</a>, either select <strong>Copy</strong> and paste it into a rule, or type it in:</p>\n<pre><code class=\"language-json\">\"grants\": [\\\r\n  {\\\r\n    \"src\": [\"group:engineering@example.com\"],\\\r\n    \"dst\": [\"tag:logging\"],\\\r\n    \"ip\": [\"*\"]\\\r\n  }\\\r\n]\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>Synced group names are treated as lowercase. They can include spaces, but not the <code>@</code> symbol.</p>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#updating-okta-group-names\">Updating Okta Group Names</a></h4>\n<p>If you change the name of your group in Okta, the Tailscale access control policy for that group will no longer apply. The access control policy is dependent on the name\r\nyou configured in Okta, not on a group reference. Tailscale will fail closed, and you will find an error message in the\r\nadmin console.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fgroup-not-syncing-message.863fb23c.png&#x26;w=3840&#x26;q=75\" alt=\"Error message in UI for group not syncing\"></p>\n<p>If you modified the name of the group, update the group in the <a href=\"https://tailscale.com/docs/features/access-control\">access control policy</a> to the new group name. You can also revert the\r\nname change in Okta if this was unintentional.</p>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#disabling-group-sync\">Disabling Group Sync</a></h3>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#in-okta-2\">In Okta</a></h4>\n<ol>\n<li>\n<p>Under <strong>Applications</strong>, select the Tailscale app.</p>\n</li>\n<li>\n<p>Under <strong>Push Groups</strong>, expand the <strong>Push Groups</strong> button, deselect the groups you no longer want to push to\r\nTailscale, and select <strong>Save</strong>.</p>\n</li>\n</ol>\n<h4><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#in-tailscale-2\">In Tailscale</a></h4>\n<ol>\n<li>\n<p>In the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console, under <strong>SCIM Provisioning</strong>, select <strong>Disable provisioning</strong>, and then select <strong>Disable provisioning</strong> to confirm.</p>\n</li>\n<li>\n<p>In the <a href=\"https://login.tailscale.com/admin/acls\">Access controls</a> page of the admin console, update your rules to no\r\nlonger reference any group which is no longer pushed.</p>\n</li>\n<li>\n<p>If you no longer want to keep the SCIM API key that you used for Okta, <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key\">revoke the key</a>.</p>\n</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#known-limitations\">Known Limitations</a></h3>\n<ul>\n<li>If you configured Okta as your identity provider for Tailscale prior to November 2021, you will need to reconfigure your identity provider. To use user &#x26; group provisioning, use the new Tailscale app in Okta.</li>\n<li>You must use <strong>Email</strong> as the <strong>Application username format</strong> for Tailscale in Okta.</li>\n<li>Tailscale groups are parsed lowercased in the tailnet policy file, so any casing in Okta is ignored.</li>\n<li>Groups from Okta cannot contain the <code>@</code> symbol.</li>\n<li>If the name of your group changes, the access control policy for that group will no longer apply and Tailscale will fail closed. Refer to\r\n<a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#updating-okta-group-names\">Updating Okta Group Names</a> for recommended actions.</li>\n<li>Users <a href=\"https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-suspend.htm\">suspended in Okta</a> are not synced to Tailscale. Only users <a href=\"https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-deactivate-user-account.htm\">deactivated</a> or <a href=\"https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-unassign-apps.htm\">unassigned from the Tailscale app</a> in Okta are <a href=\"https://tailscale.com/docs/features/sharing/how-to/remove-team-members#suspending-users\">suspended in Tailscale</a>.\n<ul>\n<li>A user suspended in Okta will remain logged into Tailscale, and maintain access to all of their nodes and permissions granted by access control policies. They will only lose access as their device keys expire and they are blocked from re-authenticating new sessions with Okta.</li>\n</ul>\n</li>\n<li>Groups <a href=\"https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-group-push-operations.htm\">unlinked in Okta that are retained in Tailscale</a>, as well as those <a href=\"https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm\">deactivated from group push</a> are not synced to Tailscale.</li>\n<li>You cannot use group sync to assign Tailscale admins or other <a href=\"https://tailscale.com/docs/reference/user-roles\">user roles</a>, only manage\r\npermissions in access control policies.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}