Connect to a SCIM connector
A SCIM connector acts as both a SCIM server and as an intermediary between Okta and your on-premises app. You need to create a SCIM connector if your on-premises app doesn't support SCIM natively.
You can use the Okta Provisioning Connector SDK to build your SCIM connector or use any custom external application or connector that can process SCIM messages. Your SCIM connector should be installed on a web server that's accessible to your Okta Provisioning Agent.
You can test your deployment using the example connector that's included with the Okta Provisioning Connector SDK. See Create and test SCIM connectors.
After building and installing your connector, use this procedure to configure your Okta app integration to communicate with your SCIM connector.
- In the Admin Console, go to .
- Search for your on-premises app integration and select it.
- Go to the Provisioning tab. Your system should detect the presence of the Okta Provisioning Agent and instruct you to configure the SCIM connector.
- Click Configure SCIM Connector.
- Complete the following fields:
- SCIM connector base URL: Enter the URL of the SCIM connector to which the Okta Provisioning Agent forwards SCIM data. If you're using Okta Provisioning Agent version 2.1.0 or later, you can specify the SCIM version that the associated SCIM server uses. Do this by including /v1 or /v2 in the base URL to indicate that the server uses SCIM 1.1 or SCIM 2.0, respectively. If you don't specify the SCIM version, then SCIM 1.1 is used by default, which doesn't support entitlements.
Okta Provisioning Agent supports provisioning capabilities using SCIM 2.0, such as entitlement discovery, user creation/read/update/delete, and lifecycle management. It doesn't support push groups.
- Authorization type: Select Basic Auth (username and password), HTTP Header (HTTP header name and value), or None.
- Basic Auth credentials: When Basic Auth is selected, enter the username and password of the web server that is hosting the SCIM connector.
- HTTP header name and value: When HTTP Header is selected, enter the HTTP header name and header value.
- Unique user field name: The SCIM property name of the Okta user that can be used to uniquely identify a user on the on-premises system (for example, userName).
- Accept user updates: Select this option to update user app profiles in Okta using data from the connector or SCIM server.
- Timeout for API calls: Select the timeout duration for provisioning API calls. Provisioning calls time out after this period if no response is received from the SCIM endpoint.
- Connect to these agents: Select which Okta Provisioning Agents for which to connect your connector to use.
- SCIM connector base URL: Enter the URL of the SCIM connector to which the Okta Provisioning Agent forwards SCIM data. If you're using Okta Provisioning Agent version 2.1.0 or later, you can specify the SCIM version that the associated SCIM server uses. Do this by including /v1 or /v2 in the base URL to indicate that the server uses SCIM 1.1 or SCIM 2.0, respectively. If you don't specify the SCIM version, then SCIM 1.1 is used by default, which doesn't support entitlements.
- Click Test Connector Configuration.
- If the test passes, click Save to save your settings. If the test fails, change your settings and try again.
If the UserManagementCapabilities method isn't implemented for your SCIM connector, Okta assumes that all provisioning functions have been implemented. If you've implemented your own SCIM endpoint without using the Okta Provisioning Connector SDK, it's assumed that your SCIM connector or endpoint has implemented all provisioning functions. For a complete list of provisioning functions, see the Javadoc for SCIMService that's included with the SDK.
Your on-premises system is now connected to Okta, and you can provision users and perform provisioning tasks. If you disable provisioning, the provisioning features will also be disabled, but you can re-enable it at any time.