SCIM provisioning with Okta

Provision users from Okta using SCIM

You can use the SCIM protocol to import users' digital identities from Okta (the source system) into Enterprise Application Access (EAA).

In this integration, the EAA SCIM directory is the SCIM target and Okta is the SCIM source.

Prerequisite:
Sign in to your Okta account.

This integration supports endpoints compatible with the SCIM 2.0 specification.

STEP 1: Create a new SCIM directory of type Okta in Enterprise Center

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.

  3. Select Add New Directory (+).

  4. Enter a name and description for the directory.

  5. In Service Type select SCIM, and in SCIM Schema select Okta.

  6. Select Add New Directory.

  7. Open your new directory's Settings > General and copy the SCIM base URL. Save it for Okta SCIM provisioning in STEP 4.

  8. In General > Attribute Mapping set the following default User and Group mapping attributes:

  EAA attribute    SCIM attribute
  First Name       name.givenName
  Last Name        name.familyName
  Email            emails.value (type: work)
  Phone Number     phoneNumbers.value (primary)

Note

Make sure that your Okta SCIM application contains the same set of attributes. See the Attribute mapping in STEP 4.

  9. In General select Create Provisioning Key.

  10. Enter a name and description for the key and select confirm (✓).

  11. Copy the Provisioning key by clicking the copy to clipboard icon. Save it for Okta SCIM provisioning in STEP 4.

  12. In General > Login preference Attributes select either User principal name or Email as the identifier users log in with.

  13. Select Save.
    The newly created SCIM directory appears in the Directories list in Identity & Users > Directories.

STEP 2: Add user and group accounts in Okta

  1. Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.

  2. To add an individual user account, go to Directory > People.

  3. Select Add Person and enter this data in the Add Person dialog:

    1. In User type, select User.

    2. Enter the user's data.

    3. Select Add User.

  4. To add a group account, go to Directory > Groups.

  5. Click Add Group and enter this data in the Add Group dialog:

    1. Enter the group's name and description.

    2. Select Add Group.

STEP 3: Create SCIM application in Okta

  1. Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.

  2. In Applications > Applications select Browse App Catalog.

  3. In Browse App Integration Catalog search for SCIM, and from the list of results select SCIM 2.0 Test App (Header Auth).

  4. To create a SCIM-type app, in SCIM 2.0 Test App (Header Auth) select Add.

  5. In Add SCIM 2.0 Test App (Header Auth) > General Settings define the name and the accessibility of your SCIM application:

    1. In the Application label, enter the application name.

    2. Accept default settings by clicking Next.

  6. In Sign-On Options you can define the way users log in to your integration. Select Secure Web Authentication, and next select Done to accept default settings.
    Your SCIM application created in the Okta Admin portal is now ready.

STEP 4: Configure provisioning in Okta

Follow these steps to enable the communication between Enterprise Application Access and Okta by providing your authentication properties.

  1. Sign in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.

  2. Go to Applications > Applications.

  3. In Applications search for SCIM, and from the list of results select SCIM 2.0 Test App (Header Auth).

  4. In Provisioning select Configure API Integration.

  5. In Provisioning select Enable API Integration.

    Use the values you saved in STEP 1:

    a. Paste your SCIM base URL into Base URL.

    b. Paste your Provisioning key into API Token.

    c. Select Test API Credentials to verify your credentials.

    d. When you receive a confirmation, select Save.

Your Enterprise Application Access and Okta are now connected via SCIM protocol.

  6. In Provisioning you can configure the following settings:
  • To App. Here you can configure the data that flows from Okta user profiles to the EAA service through the integration.

  • To Okta. Here you can configure the data that flows from the EAA service to Okta.

  • API Integration. Here you can modify your API authentication credentials.

  7. In To App select Edit to enable operations for your group's endpoint.

  8. Enable Create, Update and Deactivate Users, and select Save.

  9. Configure the Attribute mapping so that it is consistent with the default settings in Enterprise Application Access. To match the default attributes in EAA (STEP 1.8), map the following attributes in Okta:

(Screenshot: Okta attributes mapped to EAA default attributes)

Note

  1. In Okta, no "status" attribute is listed in the attribute mapping; it is set implicitly from the Okta side.
  2. If any additional attributes appear in the Okta application, the admin must delete them manually by clicking the X mark in the attribute row and then clicking Remove Mapping in the dialog box.

  10. In Sign On select Email as the Application username format.

(Screenshot: Okta Sign On tab)

  11. Your provisioning settings for your SCIM application are now configured. Next, you can optionally set up alias provisioning in the Okta Admin portal.
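As an added example (not EAA or Okta code), the following Python applies the attribute mapping from STEP 1.8 and STEP 4 to a constructed SCIM 2.0 User payload of the kind Okta pushes, then reports which EAA attributes stay empty and which extra top-level attributes have no mapping. The derivation of status from active, the set of known top-level attributes, and the sample values are assumptions made for this example.

```python
"""Apply the EAA default attribute mapping to a SCIM 2.0 User payload.
Added example, not EAA or Okta code: the mapping rows are from the page; the
"active" -> "status" rule and MAPPED_TOP_LEVEL are assumptions for this example."""
import json

def _multi_valued(entries, **match):
    """Return .value of the first entry whose fields all match, else None."""
    for entry in entries or []:
        if all(entry.get(k) == v for k, v in match.items()):
            return entry.get("value")
    return None

def map_scim_user_to_eaa(user: dict) -> dict:
    """Map one SCIM User resource onto the EAA attributes from the table."""
    name = user.get("name", {})
    return {
        "First Name": name.get("givenName"),
        "Last Name": name.get("familyName"),
        "Email": _multi_valued(user.get("emails"), type="work"),
        "Phone Number": _multi_valued(user.get("phoneNumbers"), primary=True),
        # "status" has no mapping row; assumed to be derived from SCIM "active".
        "status": "active" if user.get("active", True) else "inactive",
    }

def unpopulated(mapped: dict) -> list:
    """EAA attributes the payload did not fill."""
    return [k for k, v in mapped.items() if v is None]

# Top-level attributes the mapping consumes (assumed); anything else is
# an extra attribute that STEP 4 says to remove from the Okta app.
MAPPED_TOP_LEVEL = {"schemas", "id", "externalId", "userName", "name",
                    "emails", "phoneNumbers", "active", "meta"}

def unmapped_attributes(user: dict) -> list:
    return sorted(k for k in user if k not in MAPPED_TOP_LEVEL)

# Constructed sample shaped like a SCIM 2.0 Test App (Header Auth) push.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe@example.com",
  "name": {"givenName": "Jane", "familyName": "Doe"},
  "emails": [{"value": "jdoe@example.com", "type": "work", "primary": true}],
  "phoneNumbers": [{"value": "+1-555-0100", "primary": true}],
  "active": true,
  "password": "constructed-placeholder"
}""")

if __name__ == "__main__":
    result = map_scim_user_to_eaa(SAMPLE_USER)
    print(json.dumps(result, indent=2), unpopulated(result), unmapped_attributes(SAMPLE_USER))
```

An email entry whose type is not "work" or a phone entry without primary set is left empty, which is the kind of gap the Okta attribute mapping has to close.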

STEP 5: Assign groups to your SCIM application in Okta

Follow these steps to assign users to your SCIM application.

  1. Log in to your Okta account at https://<your tenant name>.okta.com. Select Admin to get into your administrator console.

  2. Go to Applications > Applications.

  3. Select Assignments to assign individual users or groups. To assign a group select Groups.

  4. In Assign SCIM app to Groups select Assign > Assign to Groups.

  5. In Assign SCIM app to Groups search for a group you want to provision, and select Assign.
    In Assign SCIM app to Groups you can enter additional information for the selected group. To continue select Save and Go Back.

  6. Select Done.
    In SCIM Assignment you can see the newly assigned group or groups.

  7. Go to Push Groups to push groups to Enterprise Application Access and enable group-based management.

  8. In Push Groups > Find groups by name enter and select the name of your assigned group.
    The name of the selected group appears below.

  9. To add more groups select Save & Add Another, and repeat the previous step.

  10. To accept default settings and confirm your groups select Save.

  11. For each of the selected groups, open the Push Status and select Push now to overwrite the users and their privileges in Enterprise Application Access with an immediate transfer from Okta.

Note

If you get the error BadRequest - invalidSyntax: 'password' is not a valid SCIM attribute or has no mapping configured, contact support.