1. Help Center
  2. ++ SSO and User Provisioning

User Provisioning with Okta

Add users in SRXP from your Okta Application

API integration

In the SRXP App within Okta, you should go to the Provisioning section.

Then, on the left, click on API integration .

You can edit the Base URL and enter the username and password of your existing user in SRXP.

For the Base URL, use the following link and <companyID> with your SRXP company ID.

If the password if updated in SRXP, it must be updated in Okta too.



Save before Testing the API Crendentials the connection. Okta will redirect you to the settings without saving the information.

The user used most have administrator right to import users.

To App

In the provisioning panel, you will be redirected to the section To App. Here, you can manage the provisioning from Okta to SRXP.

You can manage the following options:

  • Creating users
  • Update users
  • Deactivate users
  • Sync password

Enable all the fields.

When SSO is used. You must select the option of ‘Sync a randomly generated password’.

When a new Account is synced from Okta to SRXP a random password will be set to make sure the user is not able to login through our system, but only through Okta. Also note that if any of your users try to use the ‘forgot password’ option to set a new password, they will be sent to Okta login page.

Map Attributes

In the bottom of the provisioning tab, you can set defaults for certain attributes for SRXP or change the standard mapping. You could here for example default the job title or establishment of new users. For detailed info about the mapping in place see “tab people”.


You can import all your users from SRXP (if you already have existing users in SRXP, they will be matched on their account email to their Okta user). If you don’t have existing users in SRXP, you can skip this step.


You can either assign people directly to SRXP or skip this step and only assign a Group.

Assigning people:

Okta fields

Will be used in SRXP as




If not entered, we will default it to the first establishment we find in SRXP


Job Title

If not entered, we will default it to the first job title we find in SRXP


Rights in SRXP

If no role is entered, we will default to “is_reporter”, so the person gets only submitter rights





Free Field 1



Free Field 2



Free Field 3



Assigned Approver

If no approver email is entered, the approval policy will be “choose approver” without a default approver

Roles in SRXP


There are 5 different rights in SRXP. Those can be set in Okta in the field roles. The 4 roles are:

  • Is_reporter (allowed to create expenses)
  • Is_approver (allowed to approve reports)
  • Is_exporter (allowed to export reports)
  • Is_admin (allowed to create/modify/delete master data)
  • Is_requester (allowed to request trips - note this is a separate feature, you need to consult your SRXP account manager for more information)

If no role is specified, we default to is_reporter, as a role is mandatory in SRXP. This can also be defaulted for an Okta group or in the profile editor of the application, so it doesn’t need to be adjusted for every user.


You can also assign groups to SRXP. After filling the defaults that should be used, users will be created in SRXP as soon as the user gets assigned to the group in Okta.

Create missing resources

If a userType or a division that’s set in Okta does not yet exist in SRXP, we will by default create the resource (this might change if we get a setting for it, we’d need one on application level named: 'missing_resources': 'urn:ietf:params:scim:schemas:extension:srxp:2.0:CreateMissingResources', as a boolean true/false or X/empty)