Skip to main content
Version: Config V2

(Beta) User Provisioning (SCIM) with Okta

info

Beta Feature: SCIM provisioning is in public beta. It has been thoroughly tested with various Identity Providers. We're now collecting feedback from real-world usage to fine-tune the experience. Share your feedback here.

Introduction

Each Identity Provider requires specific information to configure a SCIM integration. The following guide will walk you through how you can connect ConfigCat with Okta via SCIM.

1. Create an Application in Okta

  • Log in to Okta, go to the admin Dashboard, select Applications, and click on Create App Integration.

    Okta applications

  • Select SAML 2.0 as the Sign-in method.

    Okta select SAML

  • Enter a descriptive App name, then click Next.

    Okta app name

The next step will guide you on how to collect the information required for the appearing Configure SAML section.

2. Configure SAML authentication for the Okta Application

3. Configure Provisioning (SCIM) for the Okta Application

  • Click on Edit at the App Settings.

    Okta edit app settings

  • Check the Enable SCIM provisioning checkbox, and hit Save.

    Okta enable provisioning

  • Gather the SCIM URL and the Token from the Authentication & Provisioning page in ConfigCat.

    SCIM URL and token SCIM token

  • Select the Provisioning tab and click on the Edit button.

    Okta edit provisioning

  • On the SCIM Connection section configure the following:

    • Add the SCIM URL from the ConfigCat Dashboard as the SCIM connector base URL.
    • Set the Unique identifier field for users field to email.
    • Check the following Supported provisioning actions:
      • Push New Users
      • Push Profile Updates
      • Push Groups
    • Select the HTTP Header as the Authentication Mode.
    • Set the Token from the ConfigCat Dashboard as the HTTP Header Authorization.
    • Click on Save.

    Okta SCIM connection

  • Select the To App menu item and click on Edit.

    Okta To App edit

  • Check the Create Users, Update User Attributes, and Deactivate Users checkboxes, and hit Save.

    Okta To App save

4. Assign Users/Groups to Okta Application

To select users for synchronization into ConfigCat, you have to assign their Okta group to the Application.

  • Select the Assignments tab, click on the Assign dropdown, and select Assign to Groups.

    Okta assign groups

  • Click the Assign button on those groups whose members you want to sync to ConfigCat.

    Okta assign group

The above action starts the synchronization of the selected users but not their groups.

caution

Okta does not support using the same Okta group for assignments and for syncing group-member relations. You need to create a separate group that is used exclusively for syncing group-member relations. These groups are called Push Groups in Okta.

To learn more, see Okta's documentation about Push Groups.

To enable group syncing, create separate groups for the users that you want to sync and add these new groups to the application as Push Groups.

  • Go to the Push Groups tab, click on the Push Groups dropdown, and select Find groups by name.

    Okta push groups

  • Select the group that you want to push, and click on the Save button.

    Okta add push group

  • Make sure that the created push group's status is active.

    Okta push group active

  • You should see each synced group and user on ConfigCat's Authentication & Provisioning page.

5. Next Steps