Configure SCIM for Okta

As part of the Okta Integration Network (OIN), Advanced Server Access can sync your users and groups from the Okta Universal Directory, which makes it easier to manage people, memberships, and roles across Advanced Server Access. Okta does this by using the System for Cross-domain Identity Management (SCIM) specification. This SCIM integration supports these features:

  • Create users: Users who are assigned to Advanced Server Access in Okta will be automatically created in Advanced Server Access.
  • Update user attributes: Changes to user attributes in Okta are propagated to the corresponding Advanced Server Access user.
  • Deactivate users: Users who are unassigned from Advanced Server Access in Okta are no longer able to access Advanced Server Access or resources that are protected by it.

To enable syncing from Okta, complete the following steps: 

  1. In the Okta admin dashboard, open the Okta Advanced Server Access application and click the Provisioning tab.
  2. Click Configure API Integration.
  3. Select Enable API Integration, then click Authenticate with Okta Advanced Server Access.
  4. Enter the name of your team in the Add a Team field, then click the arrow arrow button. The Grant Permissions window appears.
  5. Okta requests permission to manage users and groups using SCIM, and to create a service user. Enter a name for the service user in the Username field, then click Approve.
  6. Click Save when you're redirected to Okta.
  7. Click the Provisioning tab.
  8. Click To App.
  9. Click Edit.
  10. Select and enable Create Users, Update User Attributes, and Deactivate Users.
  11. Click Save.

Your Okta users are now directly provisioned to Advanced Server Access, and any change to a user in Okta is automatically reflected in Advanced Server Access.

Note

Any users who were assigned to Advanced Server Access before enabling provisioning in Okta will not be managed by Okta. To have Okta manage those users, you must unassign them and then reassign them to the Advanced Server Access application. It's recommended that you add users by group to make it easier to manage the assignments of many users.

Usernames in Advanced Server Access

By default, the local part of a user's Okta username is used for their server usernames in Advanced Server Access. For example, first.last is the local part of the Okta username first.last@example.com.

If a user's Okta username contains characters other than letters, numbers, periods (.), dashes (-) or underscores (_), then you must create a username that contains only those characters and assign it as the user's Advanced Server Access username in Okta.

The Unix and Windows server usernames are defined in Okta as UnixUserName and windowsUserName, respectfully. If no values are defined for them, Advanced Server Access creates them and replaces any periods in the Okta username with underscores to ensure the safest possible server usernames. For example, the Windows username derived from first.last@example.com is first_last. You can specify usernames with periods in the UnixUserName and windowsUserName fields, in which case Advanced Server Access will use the usernames as defined. Usernames are truncated to 32 characters for Unix usernames, and 20 characters for Windows usernames.

You can customize server usernames by configuring mappings for unixUserName and windowsUserName under the Provisioning tab of your Advanced Server Access instance in Okta. See Work with Okta user profiles and attributes.

 

Next steps

Configure group sync

Deploy an Advanced Server Access server