Create SCIM app integrations with entitlement management

Okta provides an integration platform for System for Cross-domain Identity Management (SCIM) 2.0. This platform enables your app integration to import resources from and provision resources to third-party systems. These resources include users, groups, and entitlements. The integration framework conforms to the SCIM 2.0 standard and the core schema definitions for roles and entitlements.

The following procedure describes how to create an app integration with SCIM provisioning enabled. Then you can manage and automate the exchange of user identities between Okta and an associated cloud-based app or service. When an app integration uses entitlement management, attributes are discovered as part of the integration, and can't be added manually through the Okta Profile Editor.

Before you begin

  • Okta Identity Governance is required for entitlement management.

  • These steps assume that you have a functioning SCIM 2.0 server with entitlements support for your app that exposes the following endpoints:

    • /ResourceTypes
    • /Schemas (Optional. Needed if extensions unknown to Okta are used.)
    • An endpoint for each resource type that /ResourceTypes returned (for example, /Licenses)
  • Decide the type of authentication for your app integration. Available types are basic authentication, header authentication, and OAuth header authentication.

  • Decide which resources to import and provision in your integration. Available resource types are Users, Groups, and Entitlements.
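A minimal illustration of those prerequisites, added here as an example and not Okta's code or a production-ready server: a stdlib-only Python SCIM 2.0 skeleton that serves /ResourceTypes, /Schemas, and one endpoint per advertised resource type, checks Basic or Bearer credentials before returning any data (covering the basic and header authentication choices above), and includes a consistency check that every endpoint /ResourceTypes advertises is actually served. The License resource type, its urn:example schema, the credentials, and the sample licenses are all constructed for the example.

```python
"""Minimal SCIM 2.0 server skeleton with the discovery endpoints an entitlement
integration needs: /ResourceTypes, /Schemas, and one endpoint per resource type.
Standard library only; every credential and data record below is constructed."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

SCIM_BASE = "/scim/v2"  # matches a Base URL of https://example.com/scim/v2/

# Constructed credentials: a real server loads these from a secret store.
BASIC_USER, BASIC_PASSWORD = "okta-scim", "example-password"
BEARER_TOKEN = "example-bearer-token"

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
RESOURCE_TYPE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
# Hypothetical custom entitlement schema; RFC 7643 defines no "License" resource.
LICENSE_SCHEMA = "urn:example:params:scim:schemas:extension:License"

RESOURCE_TYPES = [
    {"schemas": [RESOURCE_TYPE_SCHEMA], "id": "User", "name": "User",
     "endpoint": "/Users", "schema": "urn:ietf:params:scim:schemas:core:2.0:User"},
    {"schemas": [RESOURCE_TYPE_SCHEMA], "id": "Group", "name": "Group",
     "endpoint": "/Groups", "schema": "urn:ietf:params:scim:schemas:core:2.0:Group"},
    {"schemas": [RESOURCE_TYPE_SCHEMA], "id": "License", "name": "License",
     "endpoint": "/Licenses", "schema": LICENSE_SCHEMA},
]

# /Schemas only needs to describe extensions Okta does not already know about.
SCHEMAS = [{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id": LICENSE_SCHEMA, "name": "License", "description": "Assignable license",
    "attributes": [{"name": "displayName", "type": "string", "multiValued": False,
                    "required": True, "mutability": "readOnly", "returned": "default",
                    "uniqueness": "none"}],
}]

# Constructed sample data, keyed by the endpoint each resource type declares.
DATA = {
    "/Users": [],
    "/Groups": [],
    "/Licenses": [
        {"schemas": [LICENSE_SCHEMA], "id": "lic-001", "displayName": "Editor"},
        {"schemas": [LICENSE_SCHEMA], "id": "lic-002", "displayName": "Viewer"},
    ],
}

def list_response(resources):
    """Wrap resources in the RFC 7644 ListResponse envelope (no paging here)."""
    return {"schemas": [LIST_RESPONSE], "totalResults": len(resources),
            "startIndex": 1, "itemsPerPage": len(resources), "Resources": resources}

def error_response(status, detail):
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

def basic_header(user, password):
    """Build the Authorization value a Basic Auth client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def is_authorized(authorization):
    """Accept Basic or Bearer credentials; constant-time compare avoids timing leaks."""
    scheme, _, credential = (authorization or "").partition(" ")
    presented = credential.strip().encode()
    if scheme.lower() == "basic":
        expected = basic_header(BASIC_USER, BASIC_PASSWORD).split(" ", 1)[1].encode()
        return hmac.compare_digest(presented, expected)
    if scheme.lower() == "bearer":
        return hmac.compare_digest(presented, BEARER_TOKEN.encode())
    return False

def discovery_is_consistent():
    """Prerequisite check: every endpoint /ResourceTypes advertises must be served."""
    return all(rt["endpoint"] in DATA for rt in RESOURCE_TYPES)

def handle_get(path, authorization=None):
    """Route a GET request; returns (HTTP status, SCIM JSON body)."""
    route = urlparse(path).path
    if not route.startswith(SCIM_BASE + "/"):
        return 404, error_response(404, "Not a SCIM path")
    if not is_authorized(authorization):  # reject before touching any data
        return 401, error_response(401, "Authentication required")
    endpoint = route[len(SCIM_BASE):].rstrip("/")
    if endpoint == "/ResourceTypes":
        return 200, list_response(RESOURCE_TYPES)
    if endpoint == "/Schemas":
        return 200, list_response(SCHEMAS)
    if endpoint in DATA:
        return 200, list_response(DATA[endpoint])
    return 404, error_response(404, f"No resource type at {endpoint}")

class ScimHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle_get(self.path, self.headers.get("Authorization"))
        payload = json.dumps(body).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="scim"')
        self.send_header("Content-Type", "application/scim+json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ScimHandler).serve_forever()
```

Run the file and inspect it locally with curl, for example `curl -u okta-scim:example-password http://127.0.0.1:8080/scim/v2/ResourceTypes`; an unauthenticated request gets a 401 with a SCIM error body. Okta itself reaches your SCIM server over the public HTTPS Base URL you enter in the Provisioning tab, so the plain HTTP listener here is for local inspection only.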

Create an integration

  1. In the Admin Console, go to Applications > Applications.
  2. Click Browse App Catalog.
  3. Search the catalog for SCIM 2.0 with Entitlements Management. Choose the integration that uses your desired authentication method:

    • SCIM 2.0 with Entitlements Management (Basic Auth)
    • SCIM 2.0 with Entitlements Management (Header Auth)
    • SCIM 2.0 with Entitlements Management (OAuth Header Auth)
  4. Click Add Integration.
  5. Configure your general settings. Click Next.
  6. Configure your desired sign-on options. Click Done.
  7. Go to the General tab.
  8. Click Edit in the Identity Governance section.
  9. From the Governance Engine dropdown menu, select Enabled.
  10. Click Save. Refresh the page to view the Governance tab for the app integration.
  11. Go to the Provisioning tab.
  12. Select Configure API Integration, and then select Enable API integration.
  13. Enter the SCIM 2.0 Base Url for your app or SCIM server, for example: https://example.com/scim/v2/
  14. Enter the credentials required for your chosen authentication type. Click Test API Credentials to verify your credentials.
  15. Select Import Groups if the integration should import groups from the SCIM server. Otherwise, clear the checkbox.
  16. Click Save.

Completing the preceding steps creates an app integration that handles all provisioning communication between Okta and your SCIM server. The integration builder must handle any authentication or authorization that the downstream app requires.

Next steps

Configure provisioning for an app integration

If your integration doesn't behave as expected, contact Okta Support.

Related topics

Enable Governance Engine

Build a SCIM server with entitlements

RFC 7643: System for Cross-domain Identity Management: Core Schema

RFC 7644: System for Cross-domain Identity Management: Protocol