Create a SCIM integration using AIW


An application that has System for Cross-domain Identity Management (SCIM) provisioning enabled manages and automates the exchange of user identities in cloud-based apps and services. For more details about how SCIM works, see SCIM-based provisioning integration.

Before you begin

Support for SCIM provisioning integrations created with the AIW requires that the feature be enabled. If the SCIM provisioning option does not appear in your integration's settings page, contact Okta support to determine if this feature can be activated for your org.

To enable SCIM provisioning, you need to first create an SSO integration that supports the SCIM provisioning option. After that integration is available, then you can enable the SCIM option and configure the settings specific to your SCIM application.

Info

Note

Profile Mastering is not supported with the SCIM App Wizard. If you need this functionality in your SCIM integration, create your integration using one of the SCIM test templates in the OIN catalog, then submit your integration through the OIN Manager as a private integration. Okta analysts will work with you to get the integration added to your org.

Task 1: Create an SSO integration that supports SCIM

Using the App Integration Wizard, create a new custom SSO integration using either SAML or SWA:

Info

Note

Adding SCIM provisioning to an OpenID Connect (OIDC) integration is not currently supported.

Task 2: Add SCIM provisioning

  1. After your integration is created, click the General tab.
  2. Screenshot of the SCIM app wizard, showing the General app settings tab, highlighting the SCIM provisioning button.
  3. Click Edit
  4. In the Provisioning section, select SCIM and click Save.

Task 3: Choose provisioning options

  1. From the integration's settings page, choose the Provisioning tab. The SCIM connection settings appear under Settings > Integration.
  2. Click Edit.
  3. Specify the SCIM connector base URL and the field name of the unique identifier for your users on your SCIM server.
  4. Under Supported provisioning actions, choose the provisioning actions supported by your SCIM server.

    Screen shot of the SCIM Connection panel, highlighting the supported provisioning actions: import new users and profile updates, push new users, push profile updates, and push groups.

    • Import New Users and Profile Updates  — This option populates the Settings > To Okta   page. You can specify the details of how Okta imports new users and user profile updates. For details on importing people, see Import users.
    • Push New Users  — This option populates the Settings > To App  page, and contains settings for all the user information that flows from Okta into your SCIM app. For details, see Provisioning in applications.
    • Push Profile Updates  — This option populates the Settings > To App  page, and contains settings for all profile information that flows from Okta into your SCIM app. For details, see Provisioning in applications.
    • Push Groups  — This option populates the Settings > To App  page, and contains settings for all group information that flows from Okta into your SCIM app. For details, see About Group Push.
  5. Use the Authentication Mode drop-down box to choose which mode you want Okta to use to connect to your SCIM app.
    • Basic Auth  — To authenticate using Basic Auth mode, you need to provide the username and password for the account that handles the create, update, and deprovisioning actions on your SCIM server.
    • HTTP Header  — To authenticate using HTTP Header, you need to provide a bearer token that will provide authorization against your SCIM app. See Create an API token for instructions on how to generate a token.
    • OAuth2  — To authenticate using OAuth2, you need to provide the access token and authorization endpoints for your SCIM server, along with a client ID and a client secret.

Next steps