Configuring Okta SCIM v2.0
Learn about syncing your user list with Okta SCIM v2.0
Introduction
This guide outlines how to synchronize your application's Okta directories using SCIM v2.0
To synchronize an Enterprise's users and groups provisioned for your application, you'll need to provide the Enterprise with two pieces of information:
- An Endpoint that Okta will make requests to.
- A Bearer token for Okta to authenticate its endpoint requests.
After completing step 1 below, both of these are available in your Endpoint's Settings in the Developer Dashboard.
Steps 2, 3, and 4 below will need to be carried out by the Enterprise when configuring your application in their Azure AD instance.
1
Login to your WorkOS Dashboard and select "Organizations" from the left hand navigation bar.
Select the organization you'll be configuring a new Directory Sync with.
Click "Add Directory".
Input the Organization's Company Name, Company Domain, and select "Okta SCIM v2.0" from the dropdown. Then, click "Create Connection".
You'll see WorkOS has created the Endpoint and Bearer Token which you will provide to Okta in the steps below.
We have support for whitelabeled URLs for Directory Sync endpoints. Contact us for more info!
2
NOTE: These Okta screenshots reflect the new Okta Admin UI, Okta plans to deprecate the Classic UI in October 2021.
Log in to the Okta admin dashboard and select "Applications" in the navigation bar.
Select your application from the application portal. The application will need to support OAuth Bearer Token validation.
In your application's Enterprise Okta admin panel, click the "Provisioning" tab.
Then, click "Configure API Integration" and check "Enable API Integration".
After that, copy and paste the Endpoint from your Developer Dashboard in the SCIM 2.0 Base URL field.
Then, copy and paste the Bearer Token from your Developer Dashboard into the OAuth Bearer Token field.
Click "Test API Credentials".
Click "Save".
The provisioning tab will now show a new suite of options which we'll utilize in the next Guide Section to continue provisioning your application.
4
In the "Assignments" tab, from the "Assign" dropdown, select "Assign to People".
Select users you'd like to provision. When you click 'assign' a lengthy form will open where you can populate all of the user's metadata:
Confirm the metadata fields, scroll down to the bottom, and press "Save and go back". Repeat this for all users and select 'Done'
Witness realtime changes in your WorkOS Developer Dashboard.
For pushing Groups, keep reading for the following steps which will outline pushing Groups from Okta:
In the "Push Groups" tab, from the "Push Groups" dropdown, select: "Find Groups by Name"
Search for the group you'd like to push and select it. Make sure the box is checked for "Push Immediately" and click "Save".
Witness realtime changes in your WorkOS Developer Dashboard.
When a user is removed from my Okta SCIM app, the dsync.user.deleted webhook isn't called - is this expected?
If a user is removed from the SCIM app in Okta, but not deleted from the Okta directory, you'll see a dsync.user.updated event. This is expected, because the user was just updated in Okta, not deleted from Okta. In this dsync.user.updated event, you should see the active attribute display as false, which is what you can programmatically use to block or delete the user in your app. You can find this active attribute in the raw_attributes of the webhook. An example Okta SCIM 2.0 webhook is displayed below:
Okta SCIM User Updated Webhook
{
"event": "dsync.user.updated",
"data": {
"directory_id": "directory_01ECAZ4NV9QMV47GW873HDCX74",
"id": "directory_user_01E1X56GH84T3FB41SD6PZGDBX",
"raw_attributes": {
"id": "directory_user_01E1X56GH84T3FB41SD6PZGDBX",
"name": {
"givenName": "Eric",
"familyName": "Schneider"
},
"active": false,
"emails": [
{
"type": "work",
"value": "[email protected]",
"primary": true
}
],
"locale": "en-US",
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "[email protected]",
"externalId": "00u1e8mutl6wlH3lL4x7",
"displayName": "Eric Schneider",
"groups": []
},
"first_name": "Eric",
"emails": [
{
"type": "work",
"value": "[email protected]",
"primary": true
}
],
"username": "[email protected]",
"last_name": "Schneider"
}
}