SCIM Setup for Okta

Introduction

The System for Cross-domain Identity Management (SCIM) specification is a provisioning protocol to create, retrieve, update, and deactivate users and groups between Okta and downstream applications and directories.

Configure SCIM Provisioning in Okta

You can configure user mappings to sync user profiles via SAML-based provisioning with SCIM.

Log in to the Okta Portal with administrator rights.

Go to the Application Tab.

From the Application Tab, click Create New App.

In the Search tab, enter SCIM in the search field and select the required version of SCIM from the list:

  • SCIM Provisioner with SAML (SCIM 2.0 Header Auth) – Recommended.

  • SCIM Provisioner with SAML (SCIM 1.1 Basic Auth)

Click Add Integration.

General Settings:

You need to create a profile first. To create a profile, follow the steps below:

  1. Enter the Application label in the field.

  2. Select the Application Visibility.

  3. Click Next.

Sign-On Option

In the Default Relay State field, enter the ACS URL from the MangoApps application (refer to Add SSO Connection).

In the Credential Details section:

  1. Enter the default application username, such as Okta Username.

  2. In the Update Application Username On field, select Create and Update.

  3. Click Done.

Your application is now created on Okta.

Click Sign On and go to SAML Signing Certificate to download the certificate details and to view the metadata. You will need these details while adding the SSO connection in the portal (refer to Add SSO Connection).

Note: Use the IDP provided metadata URL/File to simplify the configuration process. The metadata prepopulates IDP information like: EntityID, Endpoints (Single Sign On Service Endpoint, Single Logout Service Endpoint), public X.509 cert, NameId Format. Upload the metadata file to MangoApps Okta connector that you will create from the MangoApps Admin portal.

Enable API Connection:

To enable the API Connection:

Go to Provisioning and enable API Integration.

  1. Enter the SCIM Base URL from MangoApps. Refer to Configure User Mapping to get the SCIM Base URL.

  2. Enter the SCIM Bearer Token generated by MangoApps into your company's Okta account.

  3. Click Test API Credentials and click Save.

MangoApps is SCIM 2.0 compliant and supports user provisioning, user updates and user de-provisioning using the SCIM protocol.

The following SCIM APIs are supported by MangoApps:

  • Get User With UserName Filter

  • Get User By ID

  • Create User

  • Update User

  • De-Activate/Activate User

  • Get Users

User de-provisioning / de-activation in MangoApps also happens in real time when the user is de-provisioned in Okta.
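The six operations listed above correspond to a small set of SCIM 2.0 requests that Okta sends to the SCIM Base URL, each carrying the bearer token in the Authorization header. The in-memory handler below is an added illustration, not MangoApps code, of what the receiving side of that exchange does: it checks the token in constant time before touching any user data, answers the userName filter lookup Okta performs before creating a user, and handles create, update, and deactivate. The token, the user store and the request shapes are constructed stand-ins.

```python
import hmac, re, uuid
from urllib.parse import parse_qs

# Constructed stand-ins: the real token is the one shown under Configure User Mapping in MangoApps.
EXPECTED_TOKEN = "demo-bearer-token-placeholder"
USERS = {}  # SCIM id -> user resource (in-memory stand-in for the MangoApps directory)
ERR = "urn:ietf:params:scim:api:messages:2.0:Error"

def error(status, detail, **extra):
    return status, {"schemas": [ERR], "status": str(status), "detail": detail, **extra}

def authorized(headers):
    # Okta's "SCIM 2.0 Header Auth" sends "Authorization: Bearer <token>"; compare in constant time.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, EXPECTED_TOKEN)

def handle(method, path, headers, query="", body=None):
    """Dispatch one SCIM 2.0 /Users request; returns (HTTP status, JSON-able body)."""
    if not authorized(headers):
        return error(401, "invalid or missing bearer token")
    m = re.fullmatch(r"/Users(?:/([^/]+))?", path)
    if not m:
        return error(404, "unknown resource")
    user_id, body = m.group(1), body or {}
    if method == "GET" and user_id is None:  # Get Users / Get User With UserName Filter
        results = list(USERS.values())
        fm = re.fullmatch(r'userName eq "([^"]*)"', parse_qs(query).get("filter", [""])[0])
        if fm:  # Okta sends filter=userName eq "<login>" before deciding whether to create
            results = [u for u in results if u["userName"].lower() == fm.group(1).lower()]
        return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                     "totalResults": len(results), "Resources": results}
    if method == "POST" and user_id is None:  # Create User
        if not body.get("userName"):
            return error(400, "userName is required", scimType="invalidValue")
        if any(u["userName"].lower() == body["userName"].lower() for u in USERS.values()):
            return error(409, "userName already exists", scimType="uniqueness")
        user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "id": str(uuid.uuid4()), "active": True, **body}
        USERS[user["id"]] = user
        return 201, user
    if user_id not in USERS:
        return error(404, "user not found")
    user = USERS[user_id]
    if method == "PUT":  # Update User: full replace of the editable attributes
        user.update({k: v for k, v in body.items() if k not in ("id", "schemas")})
    elif method == "PATCH":  # De-Activate/Activate User: replace {"active": false|true}
        for op in body.get("Operations", []):
            if op.get("op", "").lower() == "replace" and isinstance(op.get("value"), dict):
                user.update({k: v for k, v in op["value"].items() if k != "id"})
    elif method != "GET":  # Get User By ID just returns the stored resource
        return error(405, f"{method} not supported")
    return 200, user
```

A deactivated user keeps its SCIM id, so a later PATCH with active true reactivates the same record instead of creating a duplicate.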

Custom Attribute

Go to Profile Editor>Directory>Okta.

Click Add Attribute.

  • Enter the Display name in the display field, for example, “Job Number”.

  • Enter the Variable name. Variable name is used to refer to this attribute in profile mapping and expression.

  • The External Name field is autofilled with the value.

  • Enter the External Namespace property configured for the attribute in Okta. Refer to External Namespace for more information.

  • Click Save.

Your attribute is created.

Mapping

Go to Application and click your SCIM application.

Go to Provisioning.

Note: Make sure that you have enabled the integration to see the options To Okta and To App.

To Okta:

Select To Okta and click Show Unmapped Attribute to see your newly added attribute.

  • For the attribute value, select Map from your SCIM DEMO Profile from the list.

  • Select the Job number.

  • Select Create for the Apply On field.

  • Click Save.

Your mapping is complete.

Go to the To App option:

  • Enable Provisioning from Okta.

  • Select the actions from the list:

    • Create User

    • Deactivate User

    • Update User

  • Click Save.

  • Click Show Unmapped Attribute to see your newly added attribute.

  • For the attribute value, select Map from your SCIM DEMO Profile from the list.

  • Select the Job number.

  • Select Create and Update for the Apply On field.

  • Click Save.

Your mapping is complete.

Assign Users

  • Select people from the directory. A list of users is displayed.

  • Select any users and click Assign Application.

  • Click Done.

Note: Make sure that the variable name of the custom attribute created in Okta matches the corresponding MangoApps attribute.

Go to Modules>People>Full Profile and click Set Up Custom Fields to add a new field.

All data, attributes, and user profiles are synced to MangoApps.

Edit Profile

  • Go to the Profile Editor to edit your attribute and mapping.

  • Go to Profile and click Edit.

  • You can edit the Username, FirstName, LastName, Email, Title and many more fields.

  • Enter the custom Job Number in the field and click Save.

  • The user's profile is created and synced with MangoApps.

Note: You can validate the user's profile in MangoApps by navigating to Users>Manage Users and searching for the user.

Add SSO Connection

This section describes the steps to configure SSO for MangoApps using an IDP.

Log in to the MangoApps Admin portal. Click on SSO, then click on SAML (under Connections). Click ‘Add SSO Connection’.

  1. Select from a list of well-known IDPs.

  2. Confirm the Application label. You can edit the default label.

  3. (Optional) JIT provisioning can dynamically create user accounts for IDP-authenticated users when they access MangoApps for the first time. For example, with a just-in-time provisioning solution in place, when John Doe accesses Mango's website for the first time, the SAML-based federated single sign-on process automatically creates his account and grants access to the resources he requested.

  4. Use the IDP provided metadata URL/File to simplify the configuration process. The metadata prepopulates IDP information like: EntityID, Endpoints (Single Sign On Service Endpoint, Single Logout Service Endpoint), public X.509 cert, NameId Format. It can be read from URL or alternatively uploaded as a file.

  5. Choose ‘Configure manually’ if the IDP Metadata isn’t available.

  6. Enter the Entity ID/Issuer URL from the IDP side. An entity ID is a globally unique name for a SAML entity.

  7. Copy the ACS URL and configure it on the IDP. ACS here is MangoApps (service provider's endpoint) URL that is responsible for receiving and parsing a SAML assertion.

  8. Enter the SSO URL from the IDP, to which users are redirected for authentication requests.

  9. Enter a logout URL where users will be redirected after signing off from MangoApps.

  10. Select a ‘User Identifier’ as one of ‘Email’, ‘samAccountName’ or ‘EmployeeID’.

  11. Paste the x509 certificate from the IDP.

Configure User Mapping

Configuring user mappings to sync user profiles via SAML supports two options:

  • SAML based provisioning

  • SAML based provisioning with SCIM

SAML based provisioning

  • In this option, user provisioning and user profile sync happen when the user logs in to MangoApps successfully for the first time using SSO with Okta.

  • On every subsequent successful login, the user profile in MangoApps is also synced with Okta.

SAML based provisioning with SCIM

  • In this option, user provisioning and user profile sync happen ahead of time via the SCIM API integration.

  • User profiles in MangoApps are kept in sync in real time with Okta via SCIM APIs.

Steps:

Go to MangoApps Admin Portal, click SSO>CONNECTION>SAML> SAML IDP (Okta)>Configure User Mapping.

Select Sync user profile with SAML provisioning with SCIM.

SCIM Base URL: Copy the URL and enter it in the SCIM Base URL field of the API Connection settings in Okta.

SCIM Bearer Token: Copy the token and enter it in the SCIM Bearer Token field of the API Connection settings in Okta.
