Disclaimer
It is outside the scope of ValueBlue to provide documentation and guidance on how SCIM provisioning works in Okta. We therefore advise you to refer to the official Okta documentation for in-depth concepts and technical information. This page provides a guide to setting up an Okta app with System for Cross-domain Identity Management (SCIM) provisioning for BlueDolphin.
Establish a connection
Please follow the steps below to add a SCIM application in Okta:
1. Sign in to the Okta Developer Edition org with your administrator account.
2. Click Admin in the top-right corner of the page.
3. Select Applications > Applications.
4. Click Browse App Catalog.
5. Search for "SCIM 2.0". Select the template "SCIM 2.0 Test App (OAuth Bearer Token)" and click + Add Integration.
6. On the General Settings tab, type in the name for your application, select if the application icon should be displayed to users and select if users should be automatically logged in from the landing page. Click Next.
7. On the Sign-On Options tab, select the sign in method for your integration and click Done to create the integration.
8. Click the Provisioning tab and from the main panel click Configure API Integration.
9. Select the Enable API Integration checkbox.
10. Enter the base URL for your SCIM server, replacing {tenantname} with your tenant's name:
EU: https://services.eu.bluedolphin.app/scim/v2/{tenantname}/
US: https://services.us.bluedolphin.app/scim/v2/{tenantname}/
11. For the OAuth Bearer Token, use the API key secret that you have generated in the Admin module of BlueDolphin. The steps for creating API keys are described here. You will need a key with the scope User provisioning.
12. Click Test API Credentials to test the connection. If you receive the confirmation that there are no errors detected, click Save to complete the integration.
Set up provisioning
To App
On the Provisioning tab of your Okta integration, select To App from the left-side panel and click Edit to be able to make changes.
Select the checkboxes to enable the following options:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save.
To Okta
In the To Okta tab, configure settings for all information that flows from your application to Okta.
More on configuring these can be found here.
Initial provisioning of users and groups
You should have already created users or groups (with the roles assigned) that you now want to assign to the roles for your new application.
Go to the Assignments tab, click the Assign button, and then select Assign to Groups.
The Assign to Groups capability lets you assign Okta groups (which correspond to roles in BlueDolphin) to the application for SCIM user provisioning.
Click Assign next to each group that you want to assign to the application, customize group assignments and go back. Once you have finished the customization, click Done to confirm your action.
Next, go to the Push groups tab, click the Push Groups button, and select Find groups by name.
Click the group push settings button, uncheck the option Rename app groups to match group name in Okta and click Save.
Type in the name of the Okta group that you want to add to a BlueDolphin role. If a group doesn't exist, create a new group by going to Directory > Groups and then clicking the button Add group.
When you have selected the group to push, switch to Link group (see the screenshot below).
From the list of available roles in BlueDolphin, select one to link to the group in Okta. For example, we will link the group 'BlueDolphin users' in Okta to the role 'Default users' in BlueDolphin.
Select Save & Add Another to continue or Save when you have finished adding Okta groups.
Finally, on the Provisioning tab in the application, scroll down and click Force Sync to initiate the sync process. Please note that the initial sync may take some time to complete.
Attribute mappings
To edit attributes and mappings, go to Provisioning > To App.
From the section SCIM 2.0 Test App Attribute Mappings, click Go to Profile Editor (see the screenshot below).
From the list of attributes, delete all attributes except: userName, givenName, familyName, and emailType (see the screenshot below).
In the table below you can find the required attributes and their matching values across the different systems:

| User Attribute in Okta | Required | SCIM /Users Attribute | User Attribute in BlueDolphin |
| --- | --- | --- | --- |
| userName | Yes | userName | |
| givenName | Yes | name.givenName | First name |
| familyName | Yes | name.familyName | Last name |
| emailType | Yes | emails[type eq "work"].value | |
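As an added example (not code from this page, BlueDolphin or Okta), the following Python resolves the four SCIM attribute paths from the table above against a SCIM 2.0 User resource of the kind Okta sends to the base URL configured earlier, and reports which required attributes are missing; the sample user is constructed for illustration.

```python
"""Resolve the SCIM /Users attribute paths from the mapping table against a
SCIM 2.0 User resource and check that every required attribute is present."""
import re
from typing import Any

# Okta attribute -> (SCIM /Users path, BlueDolphin field), as in the table above.
ATTRIBUTE_MAP = {
    "userName":   ("userName", None),
    "givenName":  ("name.givenName", "First name"),
    "familyName": ("name.familyName", "Last name"),
    "emailType":  ('emails[type eq "work"].value', None),
}

# Matches a SCIM value-filter segment such as: emails[type eq "work"]
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')

# Constructed sample SCIM User resource (not real data).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [
        {"type": "home", "value": "jane@example.org", "primary": False},
        {"type": "work", "value": "jane.doe@example.com", "primary": True},
    ],
    "active": True,
}

def resolve_path(resource: dict, path: str) -> Any:
    """Walk a dotted SCIM path. A segment like attr[sub eq "v"] selects the
    first element of the multi-valued attribute whose sub-attribute matches."""
    current: Any = resource
    for segment in path.split("."):
        if not isinstance(current, dict):
            return None
        m = _FILTER.match(segment)
        if m:
            attr, sub, value = m.groups()
            items = current.get(attr) or []
            current = next((i for i in items if i.get(sub) == value), None)
        else:
            current = current.get(segment)
    return current

def map_user(resource: dict) -> dict:
    """Okta attribute name -> value resolved from the SCIM resource."""
    return {okta: resolve_path(resource, scim) for okta, (scim, _) in ATTRIBUTE_MAP.items()}

def missing_required(resource: dict) -> list:
    """Every attribute in the table is marked Required; list those absent or empty."""
    return [k for k, v in map_user(resource).items() if v in (None, "")]
```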