Create a SCIM integration using AIW
An application that has System for Cross-domain Identity Management (SCIM) provisioning enabled manages and automates the exchange of user identities in cloud-based apps and services. For more details about how SCIM works, see SCIM-based provisioning integration.
Before you begin
SCIM provisioning for integrations created with the App Integration Wizard (AIW) is a feature that must be enabled for your org. If the SCIM provisioning option does not appear on your integration's settings page, contact Okta support to determine whether this feature can be activated for your org.
To enable SCIM provisioning, you first need to create an SSO integration that supports the SCIM provisioning option. After that integration exists, you can enable the SCIM option and configure the settings specific to your SCIM application.
Profile Mastering is not supported for SCIM integrations created with the App Integration Wizard. If you need this functionality in your SCIM integration, create your integration using one of the SCIM test templates in the OIN catalog, then submit your integration through the OIN Manager as a private integration. Okta analysts will work with you to get the integration added to your org.
Task 1: Create an SSO integration that supports SCIM
Using the App Integration Wizard, create a new custom SSO integration using either SAML or SWA.
Adding SCIM provisioning to an OpenID Connect (OIDC) integration is not currently supported.
Task 2: Add SCIM provisioning
- After your integration is created, click the General tab.
- Click Edit.
- In the Provisioning section, select SCIM and click Save.
Task 3: Choose provisioning options
- From the integration's settings page, choose the Provisioning tab. The SCIM connection settings appear under Settings > Integration.
- Click Edit.
- Specify the SCIM connector base URL and the field name of the unique identifier for your users on your SCIM server.
- Under Supported provisioning actions, choose the provisioning actions supported by your SCIM server.
- Import New Users and Profile Updates — This option populates the Settings > To Okta page. You can specify the details of how Okta imports new users and user profile updates. For details on importing people, see Import users from an app.
- Push New Users — This option populates the Settings > To App page, and contains settings for all the user information that flows from Okta into your SCIM app. For details, see Provisioning and Deprovisioning.
- Push Profile Updates — This option populates the Settings > To App page, and contains settings for all profile information that flows from Okta into your SCIM app. For details, see Provisioning and Deprovisioning.
- Push Groups — This option populates the Settings > To App page, and contains settings for all group information that flows from Okta into your SCIM app. For details, see Using Group Push.
- Use the Authentication Mode drop-down box to choose which mode you want Okta to use to connect to your SCIM app.
- Basic Auth — To authenticate using Basic Auth mode, you need to provide the username and password for the account that handles the create, update, and deprovisioning actions on your SCIM server.
- HTTP Header — To authenticate using HTTP Header, you need to provide a bearer token that authorizes Okta's requests to your SCIM app; Okta sends it in the Authorization header of every request. See Create an API token for instructions on how to generate a token.
- OAuth2 — To authenticate using OAuth2, you need to provide the access token and authorization endpoints for your SCIM server, along with a client ID and a client secret.
- If your integration does not behave as expected, contact Okta support at email@example.com for assistance.
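The following is an added example, not part of this Okta page and not Okta's own code: a minimal in-memory SCIM 2.0 /Users handler in Python showing what the SCIM server on the other end of the settings above has to do. It accepts both the Basic Auth and HTTP Header (bearer) authentication modes, answers the filtered GET /Users lookup Okta performs against the unique identifier field, and implements the POST, PUT and PATCH calls behind Push New Users, Push Profile Updates and deactivation. There is no HTTP transport; requests are dispatched as (method, path, headers, body) so the logic runs stand-alone. The credential values, the ScimUsers class and its method names are assumptions constructed for this example, and the OAuth2 mode is not shown.

```python
import base64
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical credentials (constructed for this example); the same values go under Authentication Mode in Okta.
BASIC_USER = "okta-provisioner"
BASIC_PASSWORD = "change-me-basic"
BEARER_TOKEN = "change-me-bearer"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$', re.IGNORECASE)


def scim_error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    return status, (dict(body, scimType=scim_type) if scim_type else body)


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorized(headers):
    """Accept Basic Auth or HTTP Header (bearer) mode; compare secrets in constant time."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        return hmac.compare_digest(cred.encode(), BEARER_TOKEN.encode())
    if scheme.lower() == "basic":
        try:
            user, _, pwd = base64.b64decode(cred, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        user_ok = hmac.compare_digest(user.encode(), BASIC_USER.encode())
        pwd_ok = hmac.compare_digest(pwd.encode(), BASIC_PASSWORD.encode())
        return user_ok & pwd_ok  # '&' evaluates both sides: no early exit on a bad username
    return False


class ScimUsers:
    """In-memory /Users resource: the calls behind Push New Users, Push Profile Updates and deactivation."""

    def __init__(self):
        self.users = {}  # id -> SCIM User resource
        self._next_id = 1

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body)."""
        if not authorized(headers):
            return scim_error(401, "Unauthorized")
        url = urlparse(path)
        parts = url.path.strip("/").split("/")
        if parts[0] == "Users" and len(parts) == 1 and method in ("GET", "POST"):
            return self.list_users(parse_qs(url.query)) if method == "GET" else self.create_user(body or {})
        if parts[0] == "Users" and len(parts) == 2 and method in ("PUT", "PATCH"):
            return self.update_user(parts[1], method, body or {})
        return scim_error(404, "Resource not found")

    def list_users(self, query):
        # Okta checks for an existing account with GET /Users?filter=userName eq "<value>"
        resources = list(self.users.values())
        if "filter" in query:
            match = FILTER_RE.match(query["filter"][0])
            if not match:
                return scim_error(400, "Unsupported filter", "invalidFilter")
            attr, value = match.groups()
            resources = [u for u in resources if u.get(attr) == value]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(resources), "startIndex": 1,
                     "itemsPerPage": len(resources), "Resources": resources}

    def create_user(self, body):
        user_name = body.get("userName")
        if not user_name:
            return scim_error(400, "userName is required", "invalidValue")
        if any(u["userName"] == user_name for u in self.users.values()):
            # 409 tells Okta the account already exists, so it links instead of duplicating.
            return scim_error(409, "userName already exists", "uniqueness")
        user_id, self._next_id = str(self._next_id), self._next_id + 1
        self.users[user_id] = self._resource(user_id, body)
        return 201, self.users[user_id]

    def update_user(self, user_id, method, body):
        if user_id not in self.users:
            return scim_error(404, "User not found")
        if method == "PUT":  # Push Profile Updates: full replacement of the resource
            self.users[user_id] = self._resource(user_id, body)
            return 200, self.users[user_id]
        user = self.users[user_id]  # PATCH: Okta deactivates with a replace of {"active": false}
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or not isinstance(op.get("value"), dict):
                return scim_error(400, "Only replace with a value object is supported", "invalidValue")
            user.update(op["value"])
        return 200, user

    @staticmethod
    def _resource(user_id, body):
        # id and meta stay server-controlled; the rest of the resource comes from the caller.
        user = {"schemas": [USER_SCHEMA], "id": user_id, "active": True}
        user.update({k: v for k, v in body.items() if k not in ("id", "schemas", "meta")})
        user["meta"] = {"resourceType": "User"}
        return user
```

Two details here are easy to get wrong in a real SCIM server: the constant-time comparison of the configured secret (a hardening choice in this example, so a wrong token cannot be narrowed down by response timing), and the 409 with scimType "uniqueness" on a duplicate userName, which is the response Okta expects when a push targets an account that already exists. A production server would sit behind TLS and load the credentials from a secret store rather than constants.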
Related topics
- Assign and unassign apps to users
- Assign apps to groups
- Submit an app integration to the OIN