Provision users from Okta using SCIM

You can use the SCIM protocol to import user's digital identities from Okta (the source system) to your ‚ÄčAkamai MFA‚Äč SCIM application. With SCIM provisioning, you can automatically import user accounts, account privileges, and group memberships.

For existing user profiles, SCIM provisioning ensures the automatic synchronization between both systems when a change to the user data is detected in the source system.

You can also use the attribute mapping capability to customize and match user attributes exchanged during the provisioning process between Okta and your SCIM application.

ūüďė

The automatic provisioning described in this section was implemented using a minimally viable subset of SCIM specifications. In particular, ‚ÄčAkamai MFA‚Äč doesn't support the full capabilities of the SCIM filtering parameter.

Prerequisites

  • Sign up for an Okta account.

  • If you want to send the enrollment email to users provisioned from your Okta directory, make sure that each user has a valid email address. Users who don't have the email attribute field populated in their Okta user profile won't receive the enrollment email.

ūüďė

This integration supports endpoints compatible with the SCIM 2.0 specification.

Add SCIM provisioning

Follow this procedure to set up your SCIM service in ‚ÄčAkamai MFA‚Äč and obtain your authentication token and base URL. Your authentication credentials let you enable the import of user data from Okta to ‚ÄčAkamai MFA‚Äč in the following steps of the provisioning process.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. On the User Provisioning page, select the SCIM 2.0 provisioning type and enter its unique name.

  4. Click Save and Deploy.

    You've just generated your API Token and Base URL that you will use in the following configuration steps.

On the provisioning configuration page, you can also enable these settings:

  1. Send enrollment emails. Toggle on to send the enrollment emails to the new users whose accounts were synced up with ‚ÄčAkamai MFA‚Äč. With this setting, new users receive an email with the enrollment link that lets them register their authentication device in the ‚ÄčAkamai MFA‚Äč service once their accounts have been imported from Okta.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users already existing in ‚Äč‚ÄčAkamai MFA‚Äč. With this setting enabled, writes to users and groups not associated with any provisioning method (manually provisioned) by the SCIM client will cause them to have their provisioning method point to that SCIM integration. This allows the SCIM integration to claim ownership of existing users without forcing users to re-enroll if they already have accounts.

ūüďė

Please note that with Read All Users enabled, the sync operation doesn’t claim users unless it detects a change in their records (such as a different email address).

  1. Read All Users. Toggle on to let the SCIM integration read every user record in the system, including those created by other SCIM instances or by EAA.

ūüďė

If you have existing users on ‚ÄčAkamai MFA‚Äč that you want your provisioning solution to take control of, we recommend that you first enable Include Manually Provisioned Users, verify that the users and groups were claimed, and only then enable Read All Users. Otherwise users present in both systems may not sync.
If you manage users via SailPoint, and want to allow it to read every user regardless of how they were provisioned, enable Read All Users.

  1. Click Save and Deploy.

    You've created a new SCIM service in ‚ÄčAkamai MFA‚Äč that you will connect with the Okta SCIM application in the following steps.

Create SCIM application in Okta

Follow these steps to configure a SCIM application in the Okta Admin portal.

  1. Log in to your Okta account at https://<your tenant name>.okta.com. Click Admin to get into your administrator console.

  2. Go to Applications > Applications.

  3. Click Browse App Catalog.

  4. On the Browse App Integration Catalog page, search for SCIM, and from the list of results select SCIM 2.0 Test App (Header Auth).

  5. To create a SCIM-type app, on the SCIM 2.0 Test App (Header Auth) page, click Add.
    The Add SCIM 2.0 Test App (Header Auth) page opens.

  6. In General Settings, you can define the name and the accessibility of your SCIM application.

    1. In Application label, enter the application name.
    2. In Application Visibility, enable Do not display application icon to users and Do not display application icon in the Okta Mobile App.
    3. Accept other default settings by clicking Next.
  7. In Sign-On Options, you can define the way users log in to your integration. Select Secure Web Authentication, and click Done to accept default settings.

    You've just created a SCIM application in the Okta Admin portal.

Configure provisioning in Okta

Follow these steps to enable the communication between ‚ÄčAkamai MFA‚Äč and Okta by providing your authentication properties.

  1. Log in to your Okta account at https://<your tenant name>.okta.com. Click Admin to get into your administrator console.

  2. In the navigation menu, select Applications > Applications.

  3. On the Applications page, search for SCIM and from the list of results select your SCIM 2.0 Test App (Header Auth) app.

  4. Go to Provisioning.

  5. Click Configure API Integration.

  6. On the Provisioning page, select Enable API Integration.

  7. Paste the Base URL and API Token that you previously copied in ‚ÄčAkamai MFA‚Äč integration page, and click Test API Credentials to verify your credentials.

  8. When you receive a confirmation, click Save.

    You've just connected the ‚ÄčAkamai MFA‚Äč and Okta via SCIM protocol.

    The Provisioning tab contains three options that let you configure the following settings:

    • To App. Here you can configure data that flows to the ‚ÄčAkamai MFA‚Äč service from Okta user profiles and through the integration.

    • To Okta. Here you can configure data that flows to Okta from the ‚ÄčAkamai MFA‚Äč service.

    • API Integration. Here you can modify your API authentication credentials.

  9. Go to the To App tab.

  10. Click Edit to enable operations for your groups endpoint.

  11. Enable Create, Update and Deactivate Users, and then click Save.

    You've just configured provisioning settings for your SCIM application. The following section provides you with the optional steps to set up alias provisioning in the Okta Admin portal.

Provision aliases in Okta

If you need to support multiple usernames, you can import alternate usernames (aliases) into ‚ÄčAkamai MFA‚Äč. Either the primary username or an imported alias will point to the same account when a user uses ‚ÄčAkamai MFA‚Äč.

ūüďė

This step is optional, only a primary username is required for the service to function.

Provisioning aliases contains these two steps:

  • Defining a new custom user attribute
  • Defining mapping for your new custom attribute

Define a new custom user attribute

  1. In the Okta Admin portal, from the navigation menu, select Applications > Applications.

  2. On the Applications page, search for SCIM and from the list of results select your SCIM 2.0 Test App (Header Auth) app.

  3. On the SCIM 2.0 Test App (Header Auth) page, go to Provisioning.

  4. Scroll down to the Attribute Mappings section, and click Go to Profile Editor.

    This opens the Profile Editor page that contains default settings for the user profile. In the Attributes section, you can view the list of existing base and custom user attributes and their parameters.

    To configure a new custom attribute, you have to add and define the attribute and map it in the Okta directory.

  5. To add your alias attribute to the Okta user profile, click Add Attribute (+).

    This opens the Add Attribute form.

  6. In the Add Attribute form, fill out these fields. You may need to check the Okta documentation to learn how to create multivalued attributes in SCIM user objects.

    1. In Display name, you can enter any name. For example, enter Alias 1. This field contains a label that appears in the UI.

    2. In Variable name, you can enter any name. For example, enter alias or alias_1. This field contains the name of the new alias attribute.

    3. In External name, enter your alias attribute. For example, enter aliases.^[type=='email'].value, where aliases refers to the ‚ÄčAkamai MFA‚Äč custom attribute, and type=='email' identifies a set of aliases provisioned for the user profile using the mapping logic that you will define in the following step. The right-hand side of the comparison with type can be changed as long as it is contained in quotation marks ' '.

    4. In External namespace, enter the following string: urn:ietf:params:scim:schemas:core:2.0:User.

    5. Click Save to submit the form.

    To learn more about adding custom attributes in Okta, see Add custom attributes to an Okta user profile.

Define a mapping for your new alias attribute

  1. In the Okta Admin portal, from the navigation menu, select Applications > Applications.

  2. On the Applications page, search for SCIM, and from the list of results select your SCIM 2.0 Test App (Header Auth) app.

  3. On the SCIM 2.0 Test App (Header Auth) page, go to Provisioning.

  4. Scroll down to the Attribute Mappings section, and click Go to Profile Editor.

  5. In Profile Editor, scroll down to Attributes and click Mappings.

  6. Click the Okta User to SCIM 2.0 Test App (Header Auth) tab.

  7. Scroll to the bottom of the list. In the right-hand column, configure alias mapping, determining how to create alternate usernames for the users based on data already present in the user account. For example, enter String.append(user.firstName, "@acme.com"), where, if the user's first name is bob, this expression will produce a username alias of bob@acme.com for the user.

  8. Click Save Mappings, and apply the latest changes by clicking Apply updates now.

    To learn more about the expressions that you can use to create custom attributes, see the Okta tutorial about the expression language.

    Your custom attribute has been added and saved to the list of existing attributes.

ūüďė

Not setting up this programmatic mapping will allow you to specify it manually when assigning the user or at a later date. Alias fields that are left unspecified and unmapped will not be synced to ‚ÄčAkamai MFA‚Äč. You can remove the string that represents the alias in Okta and the alias will be removed from the user in ‚ÄčAkamai MFA‚Äč.

You've just set up alias provisioning that will automatically import users' aliases to corresponding users' accounts in ‚ÄčAkamai MFA‚Äč the next time the users are synced.

You can now go back to your SCIM application and assign users.

Assign groups to your SCIM application in Okta

Follow these steps to assign users to your SCIM application.

  1. Log in to your Okta account at https://<your tenant name>.okta.com. Click Admin to get into your administrator console.

  2. In the navigation menu, select Applications > Applications.

  3. Go to Assignments.

  4. In Assignments, you can select and assign individual users or groups. To assign a group, click Groups.

  5. In the Assign SCIM app to Groups dialog, click Assign > Assign to Groups.

  6. In the Assign SCIM to Groups dialog, search for and select a group that you want to provision, and click Assign.

  7. In the Assign SCIM app to Groups dialog, you can provide additional information for the selected group. To continue, click Save and Go Back.

  8. In the Assign SCIM to Groups dialog, click Done.

    The SCIM Assignment page displays the newly assigned group(s).

    Now you push groups to ‚ÄčAkamai MFA‚Äč to enable group-based management.

  9. Go to the Push Groups tab.

  10. Click Push Groups > Find groups by name.

  11. On the Push groups by name page enter and select the name of the previously assigned group.

    The name of the selected group appears below.

  12. To add more groups, click Save & Add Another , and repeat the previous action.

  13. To accept other default settings and confirm the selected group(s), click Save.

  14. For each of the selected groups, open the Push Status menu and click Push now.

    You've just enabled the immediate transfer of the selected memberships from the Okta Admin portal. Users and their privileges are now overwritten in ‚ÄčAkamai MFA‚Äč.


Did this page help you?