Add SCIM provisioning to app integrations
An app that has System for Cross-domain Identity Management (SCIM) provisioning enabled manages and automates the exchange of user identities in cloud-based apps and services. For more details about how SCIM works, see SCIM-based provisioning integration.
Before you begin
The provisioning feature must be enabled to add support for SCIM provisioning to integrations that were created with the AIW. If the SCIM provisioning option doesn't appear on your app integration's settings page, contact Okta support to determine if this feature can be activated for your org.
To enable SCIM provisioning, you need to first create an SSO integration that supports the SCIM provisioning option. After that integration is available, then you can enable the SCIM option and configure the settings specific to your SCIM app.
Profile Sourcing isn't supported for integrations created using the AIW. If you need this functionality in your SCIM integration, create your integration using one of the SCIM test templates in the OIN catalog. Submit your integration through the OIN Manager as a private integration. Okta analysts can work with you to get the integration added to your org.
Create an SSO integration that supports SCIM
Using the App Integration Wizard, create a custom SSO integration using either SAML or SWA:
Adding SCIM provisioning to an OpenID Connect (OIDC) integration isn't currently supported.
Add SCIM provisioning
- After you create your integration, click the General tab.
- In the App Settings section, click Edit.
- In the Provisioning field, select SCIM, and then click Save.
Choose provisioning options
- Click the Provisioning tab. The SCIM connection settings appear under .
- In Edit. , click
- Specify the SCIM connector base URL and the field name of the unique identifier for your users on your SCIM server.
- Under Supported provisioning actions, choose the provisioning actions supported by your SCIM server.
- Import New Users and Profile Updates: This option populates the page. You can specify the details of how Okta imports new users and user profile updates. For details on importing people, see Import users.
- Push New Users: This option populates the page, and contains settings for all the user information that flows from Okta into your SCIM app.
- Push Profile Updates: This option populates the page, and contains settings for all profile information that flows from Okta into your SCIM app. See Profile Push.
- Push Groups: This option populates the page, and contains settings for all group information that flows from Okta into your SCIM app. See Group Push.
- Use the Authentication Mode dropdown menu to choose which mode you want Okta to use to connect to your SCIM app.
- Basic Auth: To authenticate using Basic Auth mode, provide the username and password for the account that handles the create, update, and deprovisioning actions on your SCIM server.
- HTTP Header: To authenticate using the HTTP Header, provide a bearer token that authorizes the user against your SCIM app. See Create an API token for instructions on how to generate a token. After you generate the token, paste it in the Authorization field.
- OAuth2: To authenticate using OAuth 2.0, provide the access token and authorization endpoints for your SCIM server, along with a client ID and a client secret.
Next steps
- If your integration doesn't behave as expected, contact Okta Support.
- Assign applications to users
- Assign an app integration to a group
- Submit an app integration to the OIN