Connect to a SCIM connector

Create a SCIM connector if your on-premises application does not support SCIM natively. A SCIM connector acts as a SCIM server and an intermediary between Okta and the on-premises application. The SCIM connector can be built using the Okta Provisioning Connector SDK or any custom app or connector that can process SCIM messages. Typically you should install your SCIM connector on a web server that is accessible to your provisioning agent.

System for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. It was created in 2011 as it became clear that the technology of the future would be cloud-based. SCIM communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps). In short, SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process.

A SCIM server is an endpoint that can process SCIM messages sent by the provisioning agent. This can be an application that natively supports SCIM or a SCIM connector that acts as an intermediary between the provisioning agent and the on-premises application.

Provisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining, and deactivating required business process automation objects and attributes in systems, directories, and applications.

A provisioning agent is a software agent: a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.

You can test your deployment using one of the example connectors that are packaged with the Okta Provisioning Connector SDK. For more information, see Create SCIM connectors for on-premises provisioning. After you have built and installed your connector, configure your app instance on Okta to communicate with your SCIM connector.

  1. On the Okta Admin Console, go to Applications > Applications.
  2. Enter the name of your on-premises app in the Search field.
  3. Click the application name and click the Provisioning tab. Your system should detect the presence of the provisioning agent and instruct you to configure the SCIM connector.
  4. Click Configure SCIM Connector.
  5. Complete the following fields:
    • SCIM connector base URL: Enter the URL of the SCIM connector to which the provisioning agent forwards SCIM data.
    • Authorization type: Select Basic Auth (username and password), HTTP Header (HTTP header name and value), or None.
    • Basic Auth credentials: When Basic Auth is selected, enter the username and password of the web server that is hosting the SCIM connector.
    • HTTP header name and value: When HTTP Header is selected, enter the HTTP header name and header value.
    • Unique user field name: The SCIM property name of the Okta user that can be used to uniquely identify a user on the on-premises system (userName).
    • Accept user updates: Select this check box to update a user's app profile using data returned by the connector or SCIM server directly.
    • Timeout for API calls: Select how long a provisioning call waits before timing out when the SCIM endpoint does not respond.
    • Connect to these agents: Select the provisioning agents with which you want to connect.
  6. Click Test Connector Configuration.
  7. If the test passes, click Save to save your settings. If the test fails, change your settings and try again.
Note: If your SCIM connector has not implemented the UserManagementCapabilities method, Okta assumes all provisioning functions have been implemented. If you have implemented your own SCIM endpoint without using the Okta Provisioning Connector SDK, it is assumed that your SCIM connector or endpoint has implemented all provisioning functions. For the complete list of provisioning functions, refer to Build SCIM connectors for OPP using SDK.
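
The following sketch is an added example, not Okta or SDK code: it shows how a custom SCIM connector might verify the Basic Auth or HTTP Header credential configured in step 5 and resolve a lookup on the unique user field (userName). The function names, header name, credentials and sample users are assumptions constructed for illustration, and refusing requests when the authorization type is None is a design choice of this sketch.

```python
import base64
import hmac
import re

# Constructed settings mirroring the Okta form fields; all values are placeholders.
BASIC = {"type": "basic", "username": "okta-agent", "password": "constructed-secret"}
HEADER = {"type": "header", "name": "X-Connector-Token", "value": "constructed-token"}

def _equal(a, b):
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode(), b.encode())

def authorized(headers, cfg):
    """True only if the request carries the credential the connector expects."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if cfg["type"] == "basic":
        scheme, _, blob = h.get("authorization", "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            user, sep, pw = base64.b64decode(blob, validate=True).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return False
        ok_user, ok_pw = _equal(user, cfg["username"]), _equal(pw, cfg["password"])
        return bool(sep) and ok_user and ok_pw
    if cfg["type"] == "header":
        return _equal(h.get(cfg["name"].lower(), ""), cfg["value"])
    return False  # "None" or an unknown type: fail closed

# Only the one filter form needed for the unique user field is accepted.
_FILTER = re.compile(r'userName eq "([^"\\]+)"')

def find_user(filter_expr, users):
    """Resolve a SCIM filter such as: userName eq "jdoe" (at most one match)."""
    m = _FILTER.fullmatch(filter_expr.strip())
    if m is None:
        raise ValueError("unsupported filter")
    hits = [u for u in users if u["userName"].casefold() == m.group(1).casefold()]
    if len(hits) > 1:
        raise LookupError("userName is not unique on the on-premises system")
    return hits[0] if hits else None

# Constructed sample directory.
USERS = [{"id": "1001", "userName": "jdoe"}, {"id": "1002", "userName": "asmith"}]
```

Rejecting every filter other than the exact-match form keeps the lookup from being used to enumerate the directory, and the duplicate check surfaces a non-unique field before Okta links the wrong account.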

Your on-premises system is now connected to Okta, and you can provision users and perform provisioning tasks. If you disable provisioning, the provisioning features are also disabled, but you can re-enable it at any time.
