/ /

Okta (SCIM) Setup Instructions

Updated 5 months ago

Table of Contents

Overview

Prerequisites

Configuring SCIM for Okta on Simpplr

Configure Okta for SCIM

Adding Standard and Custom Attributes

Disconnect Okta SCIM from Simpplr

Overview

SCIM (System for Cross-domain Identity Management) is a standardized protocol that automates the provisioning and de-provisioning of users between Okta and external applications. By setting up SCIM in Okta, organizations can ensure efficient user management, improve security, and maintain consistency across integrated applications.

Prerequisites

Before setting up SCIM in Okta, ensure the following:

  • Administrator access to Okta

  • The target application must support SCIM

  • SCIM API credentials (Base URL and API token) from the target application (Retrieval steps below)

Configuring SCIM for Okta on Simpplr

You'll need to access your Simpplr app first as the Application manager. 

  1. In Simpplr, from your user profile image, click Manage > Application > Integrations > People Data.
    okta scim 1.png
  2. Under SCIM Sources, click Add integration, then select Okta.

  3. Enter a unique name for the integration (e.g., Okta SCIM). Note that duplicate names are not allowed.


    okta scim 2.png

  4. Click Add, which will take you to the newly added integration screen.
    okta scim 3.png

  5. Click Generate token. This will display two key configurations:

    • SCIM Base URL: The endpoint URL used by the vendor to make API calls for testing connection, provisioning and syncing.

    • Token: The authentication token that Simpplr uses to validate incoming requests from the vendor for provisioning and sync operations.

  6. Copy and save both these generated points somewhere you can easily remember. You'll need them later on.

Configure Okta for SCIM

  1. Open the Okta developer console. You will need administrator access to complete the next steps.

  2. In the left hand, click on Applications. Now either select an existing application or create one.

  3. To create a new application:

    1. From the Applications page, click on Create App Integration.
      okta scim 5.png

    2. Select SAML 2.0 and click Next.

    3. Enter the desired App name and click Next.
      Okta SCIM 6.png

    4. Add dummy url values since you're only setting up SCIM.

    5. Select EmailAddress in Name ID format & Email in Application username.
      okta scim 7.png

      *In the case of migration from your old Salesforce Simpplr platform to the new AWS platform, the application username will be retained from the previous Salesforce app. 

    6. Scroll down and click Next.

    7. From the next screen, select This is an internal app that we have created and then Finish.
      okta scim 8.png

  4. In the General tab, click Edit in the App Settings section.

  5. Check Enable SCIM provisioning.
    okta scim 9.png

  6. Click Save.

  7. The page will reload and then you will see a provisioning section in the top. Click on the Provisioning tab.
    okta scim 10.png

  8. From SCIM Connection, click Edit.

    1. SCIM connector base URL - The SCIM Base URL retrieved from Simpplr App while setting up SCIM.

    2. In Unique identifier field for users, enter email.

    3. In supported provisioning actions, select appropriate options (preferred to select: Import New Users and Profile Updates, Push New Users, Push Profile Updates).

    4. From the Authentication Mode dropdown, select HTTP Header & paste the authentication token retrieved from Simpplr.
      okta scim 11.png

  9. Click Test Connector Config. On successful connection, you will get the below message:
    okta scim 12.png

  10. Close and click Save.

  11. Under the Provisioning tab, in the To App section, click Edit.

  12. Under Provision to app section, enable the required options:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users
      okta scim 13.png

  13. Scroll down and click on Save.

Create Role Field in Okta Profile

  1. To create the role field for user object in Okta, click on profile editor on the left-side nav bar.
    okta scim 14.png

  2. Click Okta in the Filters list.

  3. For Okta User (default), click Profile. If Profile is unavailable, click User (default).
    okta scim 15.png

  4. Click on Add Attribute.

  5. Fill the form with the following values:

    1. Data type: String

    2. Display name: Role

    3. Variable name: role

    4. Description: Simpplr application user roles (Preferred)

    5. Select Define enumerated list of values in Enum section.

    6. In Attribute members, enter the following:

      1. Display name : End User, Value : End User

      2. Display name : Application Manager, Value : Application Manager

    7. Attribute Required: Yes

  6. Click Save.
    okta scim 16.png

  7. Go back to Applications in the Applications section in the left sidebar.

  8. Select the newly created application. Go to the Provisioning tab, and from the To App section, scroll down and click Go To Profile Editor.
    okta scim 17.png

     

    Note:

    The username in the above screenshot is mapped to the field that was setup in the Sign On settings. Please ensure that the field (Application username field) is set to email instead of username as the Okta username is not always the same as the email setup in user profile.
    okta scim 18.png

  9. Here we will map the previously created role field to the application. To do this, click on Add Attribute button.
    okta scim 19.png

  10. Fill the form with the following values for creating role attribute:

    1. Data type: String

    2. Display name: Role

    3. Variable name: role

    4. External name : roles.^[primary==true].value

    5. External namespace : urn:ietf:params:scim:schemas:core:2.0:User

    6. Description: Simpplr application user roles (Preferred)

    7. Select Define enumerated list of values in the Enum section.

    8. In Attribute members, enter the following:

      1. Display name : End User, Value : End User

      2. Display name : Application Manager, Value : Application Manager

    9. Attribute Required: Yes

    10. Attribute type: Group
      okta scim 20.png

  11. Click Save.

  12. Click on Mappings in the same page.
    okta scim 21.png

  13. In the first tab, find the role in right column. In the corresponding left column, select appuser.role.
    okta scim 22.png

  14. Click on Save Mappings and then click on Apply Updates Now.

  15. Again click on mappings.

  16. Now click Okta user to <your application name>.
    okta scim 23.png

  17. Find the role on right-hand side. In the corresponding left column, select user.role.
    okta scim 24.png

  18. Click Save Mappings, then Apply Updates Now.

Adding Standard and Custom Attributes

    1. From the Okta SCIM app, select Provisioning, click on Go to Profile Editor, and then click on Add Attribute.

    2. In External namespace add everything before the final colon.

    3. In External name add the text after final colon.

      For example if the field mapping is:

      urn:ietf:params:scim:schemas:extension:simpplrapp:User:pronouns

      then External Namespace would be:

      urn:ietf:params:scim:schemas:extension:simpplrapp:User

      External Name would be pronouns

    4. If the field mapping is:

      urn:ietf:params:scim:schemas:extension:simpplrapp:66886f53-e818-46cc-b25d-25162482afbc:User:9754a987-7700-4177-ba4b-22219d99cd9d

      External Namespace would be:

      urn:ietf:params:scim:schemas:extension:simpplrapp:66886f53-e818-46cc-b25d-25162482afbc:User

      External Name would be:

      9754a987-7700-4177-ba4b-22219d99cd9d

      Okta scim 25.png

Now we will add mobile number field in Okta. Once again, click Add attribute.

  1. Fill in the form with the following data:

    1. Data type: String

    2. Display name: mobile

    3. visible name: mobile

    4. External name : phoneNumbers.^[type==mobile].value

    5. External namespace : urn:ietf:params:scim:schemas:core:2.0:User

    6. Description: Mobile number of the user (Preferred)

  2. Click Save.

  3. Click Mappings.

  4. Go to the second tab )i.e. Okta user to <your application name>).

  5. Find the mobile in right column and select user.mobilePhone in the left column.
    okta scim 26.png

  6. Click on Save Mappings, then Apply Update Now.

  7. Now to assign or to provision using SCIM, navigate to your application.

  8. Click on Assignments.
    okta scim 27.png

  9. Click Assign.

  10. Select Assign to People.

  11. Select the person and click Assign, then Save, then Done.
    okta scim 28.png

  12. Refresh the page. If there is no red symbol on the user you have assigned, it means the provisioning is successful.

  13. You can click on View logs from the application homepage to see the failure log if the assignment fails.
    okta scim 29.png

Disconnect Okta SCIM from Simpplr

To disconnect Okta SCIM, follow the steps below:

    1. Go to Simpplr. Click on Manage > Applications > Integrations > People data.

    2. Select the SCIM source, click on the three dots and click on Delete.

    3. Go to the Okta developer console.

    4. Click on Applications in the Application section from the left sidebar, then click General.

    5. In the App Settings section, click Edit.

    6. Uncheck Enable SCIM provisioning in the Provisioning section.

    7. Click Save, then click Remove Provisioning.

Was this article helpful?
Subscribe to receive updates on this article