Create a SCIM integration using AIW


An application that has System for Cross-domain Identity Management (SCIM) provisioning enabled manages and automates the exchange of user identities in cloud-based apps and services. For more details about how SCIM works, see SCIM-based provisioning integration.

Before you begin

Support for SCIM provisioning integrations created with the AIW requires that the feature be enabled. If the SCIM provisioning option does not appear in your integration's settings page, contact Okta support to determine if this feature can be activated for your org.

To enable SCIM provisioning, you need to first create an SSO integration that supports the SCIM provisioning option. After that integration is available, you can enable the SCIM option and configure the settings specific to your SCIM application.

Task 1: Create an SSO integration that supports SCIM

Using the App Integration Wizard, create a new custom SSO integration using either SAML or SWA.

Task 2: Add SCIM provisioning

  1. After your integration is created, click the General tab.

    Screenshot of the SCIM app wizard, showing the General app settings tab, highlighting the SCIM provisioning button.

  2. Click Edit.
  3. In the Provisioning section, select SCIM and click Save.

Task 3: Choose provisioning options

  1. From the integration's settings page, choose the Provisioning tab. The SCIM connection settings appear under Settings > Integration.
  2. Click Edit.
  3. Specify the SCIM connector base URL and the field name of the unique identifier for your users on your SCIM server.
  4. Under Supported provisioning actions, choose the provisioning actions supported by your SCIM server.

    Screenshot of the SCIM Connection panel, highlighting the supported provisioning actions: import new users and profile updates, push new users, push profile updates, and push groups.

  5. Use the Authentication Mode drop-down box to choose which mode you want Okta to use to connect to your SCIM app.
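To make the Task 3 settings concrete from the server side, here is an added example (not Okta's code and not part of the original page): a minimal in-memory SCIM 2.0 /Users handler that enforces the bearer token Okta sends under the HTTP Header authentication mode and answers the lookup-by-unique-identifier and push-new-user calls. The token value, the base path and the user data are constructed for the example.

```python
import hmac
import json
import re
from urllib.parse import parse_qs, urlparse

# Assumed values, not from the Okta page: the token Okta presents under HTTP Header auth mode and the unique identifier field entered in Task 3.
SCIM_BEARER_TOKEN = "constructed-example-token"
UNIQUE_ID_FIELD = "userName"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

USERS = {}  # in-memory store: SCIM id -> user resource


def _error(status, scim_type=None):
    extra = {"scimType": scim_type} if scim_type else {}
    return status, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": str(status), **extra}


def _authorized(headers):
    # Every SCIM call must carry the token; compare in constant time.
    auth = headers.get("Authorization", "")
    return auth.startswith("Bearer ") and hmac.compare_digest(auth[7:].encode(), SCIM_BEARER_TOKEN.encode())


def handle(method, url, headers, body=None):
    """Dispatch one request against the /Users collection; returns (HTTP status, JSON body)."""
    if not _authorized(headers):
        return _error(401)
    parsed = urlparse(url)
    if not parsed.path.rstrip("/").endswith("/Users"):
        return _error(404)
    if method == "GET":
        # Before pushing a user, Okta looks it up by the configured unique identifier:
        #   GET /Users?filter=userName eq "alice@example.com"
        flt = parse_qs(parsed.query).get("filter", [""])[0]
        m = re.fullmatch(r'(\w+) eq "([^"]*)"', flt)
        if not m or m.group(1) != UNIQUE_ID_FIELD:
            return _error(400, "invalidFilter")
        hits = [u for u in USERS.values() if u.get(UNIQUE_ID_FIELD) == m.group(2)]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}
    if method == "POST":
        # "Push new users": a duplicate unique identifier is a 409 uniqueness conflict.
        user = json.loads(body)
        key = user.get(UNIQUE_ID_FIELD)
        if not key:
            return _error(400, "invalidValue")
        if any(u.get(UNIQUE_ID_FIELD) == key for u in USERS.values()):
            return _error(409, "uniqueness")
        user = {**user, "id": f"u{len(USERS) + 1}", "schemas": [USER_SCHEMA], "active": user.get("active", True)}
        USERS[user["id"]] = user
        return 201, user
    return _error(405)
```

Unauthenticated calls are rejected before any lookup, so the unique identifier filter never reveals whether a user exists to a caller without the configured token.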

Next steps
