# SCIM Setup for Okta

### Overview

Companies using Okta can easily integrate with MangoApps, allowing automatic creation of user accounts within MangoApps whenever a new user is added to Okta, eliminating the need for manual account creation, saving time, and reducing errors between applications. 

<figure><img src="/files/9uIN0RUuwuiqWL0Z5xSc" alt="" width="375"><figcaption></figcaption></figure>

This integration offers several benefits: automated user provisioning streamlines account creation and deactivation; simplified user updates ensure any changes made to user information in Okta, such as email address, name, or department, are automatically reflected in MangoApps through SCIM; and improved user deactivation enables Okta to automatically deactivate a user's account in MangoApps through SCIM when a user leaves the organization or access needs to be revoked, helping maintain data security and compliance.

***

### Supported Features

#### SAML :

* SP-initiated SSO
* IdP-initiated SSO
* JIT (Just In Time) Provisioning

#### SCIM:

* Create users
* Update user attributes
* Deactivate users

***

### Prerequisite Roles

**Okta Administrator:** The user performing the configuration from the Okta side.

**MangoApps Administrator:** The user performing the configuration from the MangoApps side.

**Supported Okta Plan:** Workforce Identity Cloud.

***

### How to Configure SAML 2.0 for MangoApps

#### Create App Integration in Okta

Login to the Okta portal using administrator credentials and navigate to the Admin tab. From here, access the **Applications** tab from the left-hand side panel.

Click the **Browse App Catalog** button along the center toolbar.

<figure><img src="/files/A1JpSMmgnbMBrR1CeEQn" alt="" width="563"><figcaption></figcaption></figure>

Under the **Browse App Catalog** page, search for the **MangoApps** application. Select the MangoApps application and click on the **Add Integration** button.

<figure><img src="/files/LgHG0IcCZkcLp9xURqOv" alt="" width="563"><figcaption></figcaption></figure>

Add the application label and domain URL, then click on the **Next** button. On the next page, click the **Done** button to save the application. (If your domain is `https://okta.mangoapps.com/u`, enter: `okta.mangoapps.com`)

<figure><img src="/files/TOgZHQao2q2eeoUsfsh1" alt="" width="563"><figcaption></figcaption></figure>

Once the app is successfully created, switch to the **Sign On** tab and copy the metadata URL. This will be required for the MangoApps side configuration.

<figure><img src="/files/Dvdqdrx8nsZmGuffh0TX" alt="" width="563"><figcaption></figcaption></figure>

***

#### Enable Integration in MangoApps

Login to the MangoApps portal using admin credentials and access the **SSO** menu option within the **Admin Portal**.

Select the **Connections** section and switch to the **SAML** tab.

<figure><img src="/files/dj1yVdrDTftV0k0DpVOb" alt="" width="563"><figcaption></figcaption></figure>

Click the **Add SSO Connection** option then select **Okta** as the identity provider from the dropdown option. Name the application.

<figure><img src="/files/vIdyFKG0f0FGDZs37M09" alt="" width="563"><figcaption></figcaption></figure>

Add the metadata URL to the **Metadata** section and click on the **Read from URL** button.

Click the **Read from Metadata URL** button to read/add the required configuration fields in MangoApps. Afterwards, click on the **Save** button.

<figure><img src="/files/6MZ5JOKjrdsf5ZGAaH4O" alt=""><figcaption></figcaption></figure>

***

#### Enable SCIM Provisioning in MangoApps

Login to MangoApps with as an admin user. Navigate to the **SSO** section within the **Admin Portal** and switch to the **SAML** tab.

Select the newly created Okta application and click **Configure User Mappings**.

<figure><img src="/files/X8pYfpJqOk1jN2lPAY3s" alt="" width="563"><figcaption></figcaption></figure>

Under configure user mapping, select **SAML Provisioning with SCIM** and switch to OAuth 2 connection.

<figure><img src="/files/S7chnTTnDLlak4saaDVo" alt="" width="563"><figcaption></figcaption></figure>

Copy the **Base URL** to use while enabling **SCIM in Okta** in the below steps and save the configuration.

***

#### Enable SCIM Provisioning from Okta

Login to Okta using administrator credentials and **navigate**. Access the **Applications** tab from the **Admin Portal**. Select the application created for MangoApps integration and navigate to the **Provisioning** tab.

Click the **Configure API Integration** button.

<figure><img src="/files/BX3KF3MMpwJLOPmbfAJU" alt="" width="563"><figcaption></figcaption></figure>

Select the **Enable API Integration** box (you may need to scroll down) and add the **Base URL** (found in the above steps).

<figure><img src="/files/nTO7qgsy0IxaZKowLk8g" alt="" width="563"><figcaption></figcaption></figure>

Click the **Authenticate with MangoApps** button to authenticate the URL. Upon successful authentication, save the settings.

Once the setting has been saved, navigate back to the **Provisioning** tab and click on the **Edit** button under the **To App** section.

<figure><img src="/files/bzToeD8f1Fs67RvxpMwg" alt="" width="563"><figcaption></figcaption></figure>

Enable all the required provisioning for the application and save the settings.

<figure><img src="/files/oumrQXQJyVkKZXcnjw2c" alt="" width="563"><figcaption></figcaption></figure>

After the setting has been saved, switch to the application again and select the **Assignments** tab to assign users manually or using groups.

<figure><img src="/files/J7kQcJTrx3ehZNxlYA4K" alt="" width="563"><figcaption></figcaption></figure>

The assigned user account(s) should now be created within the MangoApps system.

<figure><img src="/files/irtt9lfUumyWcAncXMEN" alt="" width="563"><figcaption></figcaption></figure>

***

### End User Experience

On successful Okta-MangoApps integration, user accounts will be automatically created in the MangoApps system.

#### Attribute Mapping

**Department:** When a user's department is updated, they will be assigned membership in the new department in addition to their existing department group affiliation.

***

### Testing Considerations

An administrator can do the following to test the integration:

* Verify authentication credentials configured on Okta for SCIM provisioning.
* Verify automatic user creation.
* Verify automatic profile updates.
* Verify automatic user deactivation/reactivation.

***

### Security Considerations

Okta admins should only share the metadata URL with the admin of MangoApps.

The MangoApps admin should only share the SCIM OAuth 2 base URL with the admin of Okta.

***

### Rollout Recommendations

Enable this integration in a sandbox environment and validate user creation and profile updates.&#x20;


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://guides.mangoapps.com/integrations-guide/single-sign-on/sso-integrations-by-provider/sso-integrations-for-okta/scim-setup-for-okta.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.