On this page

Connect your SCIM API service to Okta

This guide teaches you how to create and configure SCIM integrations, and check the attributes and their corresponding mappings in the Okta console.

Getting connected

Make sure your SCIM implementation passes all the Runscope tests before integrating it with Okta. For more information on testing your SCIM implementation, see Prepare your SCIM API service

Begin by signing up for an Okta developer account (opens new window).

  1. Sign up for an Okta developer account (opens new window).

  2. Click the link in the signup email to open your Admin Console.

  3. Select Applications > Applications.

  4. Click Browse App Catalog.

  5. Search for either "SCIM 2.0" or "SCIM 1.1" depending on the version of SCIM supported by your server. After searching you see template applications for each of the three authentication methods used to connect to your SCIM implementation: Basic Auth, Header Auth, or OAuth Bearer Token.

  6. Click Add on the desired template application for your integration and finish adding the template application.

  7. On the General Settings page: Set the name of your application, choose if it's hidden from general and mobile users, and choose if users' are automatically signed in from the landing page. Click Next.

  8. Choose the sign in method for your integration on the Sign-On Options page. Select either SAML or SWA. For guidance on choosing the access method, see Applications topic (opens new window). Click Done to create the integration.

  9. Click the Provisioning tab, then in the main panel click Configure API Integration. Select the Enable API Integration checkbox. Enter the base URL for your SCIM server. Configure the credential options based on the previously chosen authentication method:

    • Basic Auth: Enter the the username and password for the account that handles the create, update, and deprovisioning actions of your SCIM implementation.
    • HTTP Header: Enter a bearer token for accessing your SCIM implementation.
    • OAuth: Enter the OAuth token for accessing your SCIM implementation.

    Test the credentials by clicking Test API Credentials, which attempts to connect to Okta. If there's an error, check the credentials entered above.

    Click Save to complete the API integration.

  10. On the Assignments tab, ensure that the right users and groups in your org are assigned to the app integration. For instructions on how to assign the app integration to individual users and groups, see the Assign app integrations (opens new window) topic in the Okta product documentation.

SCIM integration troubleshooting

If you experience any difficulties when creating your SCIM integration in Okta, check out the system log information available in the Okta Admin Console.

  1. In the Admin Console, go to Applications > Applications.
  2. Select your Okta integration to open the integration settings page.
  3. Click View Logs to open the System Log.

The system log captures all events in your developer org for the previous seven days. This information is invaluable to troubleshoot any connection or authentication issues between Okta and your application. See System Log (opens new window) in the Okta product documentation.

Configure your Okta integration

Now that you have created an integration within your Okta org, you need to configure the SCIM options for that integration. These settings tell your Okta integration how to handle provisioning between the users in your downstream SCIM app and their Okta user profiles.

On the Provisioning tab of your Okta integration page, there are now three options listed in the SETTINGS panel:

  • To App
  • To Okta
  • API Integration

To App

This page contains settings for all information that flows from Okta user profiles and through this integration downstream to your application.

Click Edit to make changes to the following sections.

  • Create Users: Assigns a new account in your downstream application for each user managed by Okta. Okta doesn't create a new account if it detects that the username specified in Okta already exists in your application. The user's Okta username is assigned by default.

    In addition to the user profile, Okta sends a random password in its request to create a new user.

  • Update User Attributes: Syncs any updates made to the profiles of users assigned to the integration and sends those changes to your downstream application. Profile changes made in your application are overwritten with their respective Okta profile values.

  • Deactivate Users: Automatically deactivates user accounts in the downstream application when either the integration is removed from a user profile in Okta or if the Okta account is deactivated.

    Okta can also reactivate the user account in the downstream application if the integration is later reassigned to a user in Okta.

  • Exclude Username Updates: Prevents your downstream application profile from overwriting the Okta user profile when using the Profile Push (opens new window) feature.

  • Sync Password: Ensures that a user's application password is always the same as their Okta password, or alternatively, allows Okta to generate a unique password for the user. See Synchronize passwords (opens new window).

  • Profile Attribute Mappings: Edit attributes and mappings through the Profile Editor. See Check the attributes and corresponding mappings or Work with profiles and attributes (opens new window) in the Okta product documentation.

To Okta

This page contains settings for all information that flows from your application upstream into Okta.

Click Edit to make changes to the following sections.

  • General: Schedules imports and dictates a username format for imported users. You can also define a percentage of acceptable assignments before the import safeguards (opens new window) feature is automatically triggered.

    If the Okta username is overridden due to mapping from a provisioning-enabled app, the custom mapping appears in this section.

  • User Creation & Matching: Sets up matching rules to use when importing users from your application. Establishing matching criteria allows you to specify how an imported user is defined when creating a new user or mapping to an existing Okta user.

    • Imported user is an exact match to Okta user if: Sets the matching criteria to determine when an imported user matches to an existing Okta user. To consider the new imported user an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.

    • Allow partial matches: Permits partial matching when the first and last name of an imported user match those of an existing Okta user, but not the username or email address.

    • Confirm matched users: Automates the confirmation or activation of existing users. If the option isn't selected, matches are confirmed manually.

    • Confirm new users: Automates the confirmation or activation of a newly imported user. If this option is selected, you can clear it during import confirmation. Note that this feature doesn't apply to users who already exist in Okta.

  • Profile & Lifecycle Sourcing: Allows your downstream application to be a source for Okta user profiles. If enabled, your application appears in the list of profile sources on the Profile Sources (opens new window) page.

    • Allow <app> to source Okta users: Enables profile sourcing and determines what happens when a user is deactivated or reactivated in your application. Only the highest priority profile source for that Okta user can deactivate or suspend an Okta user. To verify the highest priority profile source, check the Profile Sources page for your integration.

    • When a user is deactivated in the app: Select Do Nothing to prevent activity in your application from controlling the user life cycle when a user is removed from your application. This option still permits profile source control of attributes and mappings.

      The other options are to deactivate or suspend the Okta user profile if the user is removed from your downstream application.

    • When a user is reactivated in the app: Determines if deactivated or suspended Okta user profiles that are assigned to your Okta integration should also be reactivated when they have been reactivated in your downstream application.

      Note When a user is reactivated in your application, the user profile must be an exact match to the Okta profile for the reactivation to occur in Okta. If any user profile is not an exact match, then after importing the reactivated users, the user profiles appear in Pending Activation state.

  • Import Safeguards: Defines the maximum percentage of users in your org that can be left unassigned while still allowing the import to proceed. App-level and org-level safeguards are enabled by default and set at 20 percent.

  • Inline Hooks: Configures custom logic to the process of importing new users into Okta from a downstream application. You can program the hooks to resolve conflicts in profile attributes and control whether imported users are treated as matches for existing users. To enable an import inline hook, see Inline hooks.

  • Okta Attribute Mappings: Edit attributes and mappings through the Profile Editor. See Check the attributes and corresponding mappings or Work with Okta user profiles and attributes (opens new window) in the Okta product documentation.

API Integration

If your API authentication credentials change at any point, this panel allows you to modify any of the authentication settings needed to connect to your SCIM application.

Check the attributes and corresponding mappings

When you add a SCIM template integration to your development org, it comes with base attributes set by default. The user schema in your SCIM application might not support all of these attributes. It is important that you go through the steps below to ensure that the integration you're submitting to Okta for review reflects the attributes supported by your application.

Note: Confirm your attributes and mappings before you submit your integration for review, or your submission will be returned by the Okta OIN team with a request to update your attributes.

Delete attributes

Before you can delete an attribute, you first need to remove the mapping for that attribute.

  1. From the Admin Console, open your SCIM integration.

  2. Go to the Provisioning tab. Under the Settings section, click To App.

    Displays the Provisioning > To App tab.

  3. Scroll to the Attribute Mappings section. Look for the attribute that you want to delete and then click the corresponding X.

    Displays the Attribute Mappings screen.

  4. Click OK to confirm that you want to remove the mapping for the attribute that you selected.

    Repeat steps 3 and 4 until you remove all the mappings for the attributes that you want to delete.

  5. After removing all the mappings for the attributes that you want to delete, click Go to Profile Editor in the Attribute Mappings section.

  6. In the Profile Editor, look for the attribute that you want to delete, and click the corresponding X.

    Displays the Profile Editor > Remove Attribute screen.

  7. Click Delete Attribute to confirm that you want to remove the attribute.

    Repeat steps 6 and 7 for all the attributes that you want to delete.

Add attributes

  1. From the Admin Console, open your SCIM integration.

  2. Go to the Provisioning tab. Under the Settings section, click To App.

  3. Scroll to the Attribute Mappings section. Click Go to Profile Editor.

  4. In the Profile Editor, click Add Attribute.

  5. Enter the information for the new attribute that you’re adding and then click Save. For example:

    Displays the Add Attribute dialog

    Note: The Scope property determines whether the attribute that you are adding can be assigned at a group level or just per user. If you want your admins to be able to assign a value for this attribute at a group level, don't select the User personal checkbox.

  6. After adding an attribute, you can add a mapping for that new attribute.

Map attributes

  1. From the Admin Console, open your SCIM integration.

  2. Go to the Provisioning tab. Under the Settings section, click To App.

  3. Scroll to the Attribute Mappings section. Look for the attribute that you want to update and click Edit.

    Displays the Attribute Mappings > Edit Attribute screen.

  4. In the dialog that appears, there are two dropdown fields. In the first dropdown menu, select Map from Okta Profile. In the second dropdown menu, choose the Okta profile attribute that you want to map the SCIM attribute from. Click Save.

    Displays the Map Attribute dialog.

  5. Repeat steps 3 and 4 for all other SCIM attributes that you want to map (from Okta to your application).

  6. After you update the mappings from Okta to your application, click To Okta under the Settings section.

  7. Scroll to the Attribute Mappings section. Look for the attribute that you want to update and click Edit.

  8. In the dialog that appears, there are two dropdown fields. In the first dropdown menu, select Map from ${App Name} App Profile. In the second dropdown menu, choose the Okta profile attribute that you want to map the SCIM attribute to. Click Save.

  9. Repeat steps 7 and 8 for all other SCIM attributes that you want to map (from your application to Okta).

Attribute support

You only want to include the attributes that you support in your current user schema. To ensure that the attributes are being sent properly to and from Okta:

  1. When assigning a user to the SCIM integration that you added in your dev org, ensure that all expected attributes are populated for that user.

  2. After the user is pushed to your SCIM application, check that all attributes are populated in your SCIM repository.

  3. If your integration supports User Imports, try importing one user from your application. Check the imported user and ensure that the values for supported attributes are reflected in that imported user's account in Okta.

    1. From your Admin Console, select Directory > People. The list of Okta users for your org appears.

    2. Find the user that you imported and click the user's name.

    3. After the user account appears, click Profile. The Profile screen shows the user's attributes. Verify that the supported attribute values were imported properly.

      Displays the User Profile Attributes dialog.

      Your Profile Mapping template can always be updated in the future.

      As mentioned in the adding and deleting attributes sections, you can set whether the attribute you are adding is set per user, or for both per user and group. This is set using the Scope attribute. If you want the attribute you are adding to be set strictly per user, you need to check the User personal checkbox for the Scope attribute. If you want to give admins the ability to set the attribute both per user or per group, leave this checkbox empty.

Next steps

Now that you've successfully created a SCIM integration within Okta, the next step is to Test your Okta SCIM integration.