On-premises provisioning architecture

The on-premises provisioning architecture consists of the following components: Okta, the Okta On-premises Provisioning Agent, a SCIM server or custom connectors, and on-premises applications. As shown in this illustration, all components except Okta are located behind a firewall.

When a new user is provisioned from Okta to an on-premises application (in this example, a MySQL database) using a SCIM server, this is the typical workflow:

  • An Okta admin creates an app instance in Okta to represent the MySQL on-prem app.
  • The admin attempts to provision a new user by assigning an Okta user to the MySQL app on Okta. Okta creates a provisioning event (create new user). Okta provisioning fails when an application user custom schema contains only array attributes.
  • The provisioning agent polls Okta and finds the provisioning event. The provisioning agent translates the provisioning event to a SCIM request: HTTP POST to the /Users endpoint of the SCIM server.
  • When the SCIM server receives a POST made to /Users with a JSON-formatted SCIM representation of the user, it attempts to create that user in the on-premises application.
  • The SCIM server responds to the provisioning agent with the SCIM response message as mandated by SCIM protocol.
