Does Okta have native backup?

No. Okta operates under a shared responsibility model and does not provide built-in backup or restore capabilities. You are responsible for your own disaster recovery.

What Okta resources can Butterfly Security backup?

Butterfly Security supports 80+ resource types including users, groups, applications, policies, authorization servers, Workflows (flows, tables, connectors), brands, and more.

Can I backup Okta Workflows?

Yes. Butterfly Security provides complete Workflows backup including flow definitions, folder structure, table data (CSV export), and custom connectors from Connector Builder.

How long does an Okta backup take?

Backup time depends on org size and provider rate limits. Small orgs (under 1,000 users): 2-5 minutes. Medium orgs (1K-10K users): 10-20 minutes. Large orgs (10K-50K users): 20-45 minutes. Enterprise (50K+ users): 45 minutes to 2+ hours. Nested resources and API rate limits add natural pacing.

Is Butterfly Security secure?

Yes. All backups are encrypted at rest with AES-256, stored in isolated per-account storage, with credentials encrypted separately. We use SOC 2 compliant infrastructure.

Can I export Okta configuration to Terraform?

Yes. Butterfly Security can generate Terraform HCL from your backups, enabling Infrastructure as Code workflows and version-controlled Okta configuration management.

What is a dry-run restore?

Dry-run restore generates a preview showing exactly what would be created, updated, or skipped before making any changes. This ensures safe, predictable restores with no surprises.

Can I restore to a different Okta org?

Yes. Backups use name-based matching so they are portable across orgs. This enables sandbox sync, environment replication, and disaster recovery to alternate orgs.

SSO & SCIM Configuration Guide

Install the Butterfly Security app from the Okta Integration Network and configure Single Sign-On and SCIM 2.0 provisioning for your team.

SSO (OIDC)SCIM 2.0EntitlementsUniversal LogoutAll Plans

Overview

The Butterfly Security app is available in the Okta Integration Network (OIN) and provides both Single Sign-On (OIDC) and SCIM 2.0 provisioning in a single integration. Once installed, your team members can sign in to Butterfly Security through Okta — no separate passwords needed — and user accounts are automatically created, updated, and deactivated as your Okta directory changes.

SSO and SCIM are included on all plans. This integration has its own Client ID and Client Secret, separate from the API Service Integration used for backup and recovery. The SSO/SCIM app handles authentication and provisioning, while the API Service Integration handles backup API access.

What You Get

Single Sign-On (OIDC)

Team members sign in through Okta using their existing credentials. No separate Butterfly Security password required.

Automated Provisioning (SCIM)

Create, update, and deactivate users automatically in Butterfly Security when your Okta directory changes.

Role-Based Entitlements

Five built-in roles exposed as SCIM entitlements. Assign roles via the SCIM roles attribute for automated access control.

Universal Logout (CAEP)

Back-channel logout support ensures sessions are revoked immediately when an admin removes access in Okta.

Prerequisites

Okta Requirements

Okta Super Administrator or Application Administrator role
Permissions to install OIN integrations

Butterfly Security Requirements

An active Butterfly Security account (any plan)
Team Super Admin role (required to configure SSO/SCIM)

Part 1: Install the Butterfly Security App

OIN

Add Butterfly Security from the OIN

Sign in to your Okta Admin Console.
Navigate to Applications → Applications.
Click Browse App Catalog.
Search for Butterfly Security.
Click Add Integration.
On the General Settings page, review the defaults and click Done.

Copy the Client ID and Client Secret

Open the Butterfly Security app and go to the Sign On tab.
Under Sign on methods, you will see OpenID Connect.
Copy the following values:
Client ID: 0oa...
Client Secret: Click the copy icon to reveal

Separate from API credentials: This SSO/SCIM integration uses its own Client ID and Client Secret, different from the API Service Integration. You will find these values in the Okta Admin Console under the SSO/SCIM app's Sign On tab.

Part 2: Configure Single Sign-On

OIDC

Configure SSO in Butterfly Security

Sign in to Butterfly Security at butterflysecurity.org.
Navigate to Dashboard → Settings → SSO & SCIM.
Enter the Issuer URL for your Okta authorization server:
Issuer URL: https://your-org.okta.com
Find this under Security → API → Authorization Servers in the Okta Admin Console.
Enter the Client ID and Client Secret from Part 1.
In the Email Domains field, enter the email domain(s) for your organization:
Email Domains: yourcompany.com, subsidiary.com
Comma-separated. Users with these email domains will be automatically redirected to SSO at login.
Click Enable SSO.

Test SSO Login

Open an incognito/private browser window.
Go to butterflysecurity.org/login.
Enter an email address with one of your configured domains.
You should be redirected to your Okta sign-in page.
Sign in with your Okta credentials.
You should land on the Butterfly Security dashboard.

First-time users: Users who sign in via SSO for the first time are automatically added to your team with the read_only role. You can change their role in team settings or automate it with SCIM entitlements.

Supported SSO Features

SP-initiated SSO — Users can start the sign-in flow from the Butterfly Security login page

IdP-initiated SSO — Users can launch Butterfly Security from the Okta dashboard

Just-in-Time (JIT) provisioning — User accounts are automatically created on first SSO login

Universal Logout (CAEP) — Back-channel logout revokes sessions when access is removed in Okta

SP-Initiated SSO

SP-initiated SSO allows users to start the sign-in flow from the Butterfly Security login page rather than from Okta.

Navigate to butterflysecurity.org/login.
Enter your email address (e.g., user@yourcompany.com).
Butterfly Security detects that your email domain is configured for SSO and redirects you to your Okta sign-in page.
Authenticate with your Okta credentials (password, MFA, etc.).
After successful authentication, you are redirected back to the Butterfly Security dashboard.

How domain detection works: When SSO is configured, the admin specifies one or more email domains (e.g., yourcompany.com). Any user who enters an email with a matching domain at the Butterfly login page is automatically redirected to the configured Okta authorization server for authentication.

Supported SCIM Features

Create Users — Provision new users in Butterfly when assigned in Okta

Update User Attributes — Sync profile changes from Okta to Butterfly

Deactivate Users — Deactivate users in Butterfly when unassigned in Okta

Not supported: Import New Users, Import Profile Updates, Group Push, and Sync Password are not supported. Butterfly Security is not a profile source — user profiles are always sourced from Okta and pushed to Butterfly. Role assignment is handled via SCIM entitlements (the roles attribute) rather than group push.

Part 3: Configure SCIM Provisioning

SCIM 2.0

Generate a SCIM Bearer Token

Before enabling provisioning in Okta, you need to generate a bearer token in Butterfly Security.

In Butterfly Security, navigate to Dashboard → Settings → SSO & SCIM.
Scroll to the SCIM 2.0 Provisioning section.
Click Generate SCIM Token.
Copy the raw token immediately. It is only displayed once and cannot be retrieved later. When pasting into Okta, enter the raw token only — Okta automatically prepends the "Bearer" prefix to the authorization header.
Token format: bfs_scim_xxxxxxxxxxxxxxxxxxxxxxxx

Important: The SCIM bearer token is shown only once. If you lose it, you must click Rotate Token to generate a new one, then update the token in Okta.

Enable Provisioning in Okta

In the Okta Admin Console, open the Butterfly Security app.
Go to the Provisioning tab.
Click Configure API Integration.
Check Enable API Integration.
In the API Token field, paste the token you generated in Step 1.
Click Test API Credentials to verify connectivity.
Click Save.

Enable Provisioning Features

On the Provisioning tab, click To App in the left sidebar.
Click Edit.
Enable the following supported operations:
Create Users — New Okta users assigned to the app are provisioned in Butterfly
Update User Attributes — Profile changes in Okta sync to Butterfly
Deactivate Users — Removing app assignment deactivates the user in Butterfly
Not supported: Import New Users and Import Profile Updates are not supported. Butterfly Security does not act as a profile source — user profiles are always sourced from Okta and pushed to Butterfly, not the other way around.
Click Save.

Assign Users

Go to the Assignments tab in the Butterfly Security app in Okta.
Click Assign → Assign to People or Assign to Groups.
Select the users or groups you want to provision in Butterfly Security.
Click Save and Go Back and then Done.

userName format: Butterfly Security requires the userName attribute to be a valid email address (e.g., user@example.com). Ensure that Okta's userName value for the app matches the user's primary email address.

Role Permissions Matrix

Each role controls what a team member can do in the Butterfly Security dashboard. Roles are assigned via SCIM entitlements, entitlement governance, or manually in team settings.

Permission

Super Admin

Admin

Backup Op

Auditor

Read Only

Team

Manage team settings

Manage billing

Configure SSO/SCIM

View team members

Connections

Create & manage connections

Test connections

View connections

Backups

Run backups

View backup list

View backup contents

Download backups

Delete backups

Restore

Restore from backup

Compliance

View compliance reports

Export reports

Settings

Edit backup schedules

Manage integrations (Git, Terraform)

super_admin

Full access including team management, billing, and SSO/SCIM configuration.

admin

Manage connections, run backups, restore, and view compliance reports.

backup_operator

Run backups, test connections, edit schedules, and view reports.

auditor

Read-only access to backups, compliance, and reports. Cannot modify.

read_only

View connections and backup list only. Cannot view backup contents.

SCIM Attribute Mapping

The following attributes are mapped from Okta to Butterfly Security user profiles.

SCIM Attribute

Butterfly Field

Required

Notes

userName

Email address

Yes

Must be a valid email address (e.g., user@example.com). Used as the unique login identifier. Okta's userName value must match the user's primary email.

name.givenName

First name

Maps to the user's first name in their Butterfly Security profile.

name.familyName

Last name

Maps to the user's last name in their Butterfly Security profile.

Custom role assignment: To assign roles during provisioning, use the Butterfly extension schema in your SCIM payloads:

"urn:ietf:params:scim:schemas:extension:butterfly:2.0:User": {

"butterflyRole": "admin"

}

Troubleshooting

SSO redirect fails or returns an error

•Verify the Issuer URL is correct and points to a valid OIDC authorization server (e.g., https://your-org.okta.com).
•Confirm the Client ID and Client Secret match the values from the Sign On tab in Okta.
•Ensure the email domain(s) configured in Butterfly match the user's email address domain.
•Check that the user is assigned to the Butterfly Security app in Okta (Assignments tab).

SCIM provisioning fails or users are not created

•Verify the SCIM Bearer Token has not been revoked. Click Rotate Token if needed.
•Confirm the SCIM Base URL is exactly: https://butterflysecurity.org/api/scim/v2
•Check that the Authentication Mode in Okta is set to HTTP Header (not Basic Auth).
•Use the Okta provisioning logs (Provisioning tab → View Logs) to see detailed error messages.

Users are provisioned but assigned the wrong role

•Verify the SCIM roles attribute is set correctly. The value must be one of: super_admin, admin, backup_operator, auditor, read_only.
•Newly provisioned users default to read_only if no role is specified in the SCIM payload.
•Check the user's profile in Butterfly Security Settings → Team Members to verify the assigned role.

Back-channel logout is not revoking sessions

•Verify the Logout section on the Sign On tab shows 'Okta system or admin initiates logout'.
•The Back-channel Logout URI should be: https://butterflysecurity.org/api/logout/global
•Check that the logout token issuer matches the SSO Issuer URL configured in Butterfly.

Support

If you experience issues configuring SSO or SCIM provisioning, contact our support team.

Email: support@butterflysecurity.org

Available Monday–Friday, 9am–6pm ET. Response within 1 business day.

Contact Support API Service Integration Guide Full Documentation