Inbound SCIM for Okta Workforce Connections
Before you start
Enable Okta Workforce Identity Cloud as an identity provider by following the instructions on the Identity Providers help page.
This integration will require two applications to be registered in Okta Workforce: the OpenID Connect integration and the SCIM integration. The same users and groups must be assigned to both. To eliminate this requirement and streamline the setup process for your customers, submit your app to the Okta Integration Network.
This section describes how to configure a custom OpenID Connect and SCIM app integration in an Okta Workforce Identity Cloud tenant, which can be used to provision users to your Auth0 SCIM endpoint.
For information on configuring a SAML and SCIM integration with Okta Workforce Identity Cloud, see Inbound SCIM for Okta Workforce SAML Connections instead.
Configure SCIM settings in Auth0
Launch the Auth0 Dashboard and go to Authentication > Enterprise > Okta Workforce > [your-connection] > Provisioning.
Disable Sync user profile attributes at each login unless you want to sync additional attributes at login.
In the same section, enable Sync user profiles using SCIM.
On the Mapping tab, ensure the SCIM attribute containing the User ID is set to externalId.
You can also check Additional Mappings to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes.
Retrieve SCIM endpoint URL and token
In the Auth0 dashboard, browse to the SCIM Setup tab and copy the SCIM Endpoint URL, then paste it somewhere safe.
Select Generate New Token and set an optional expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; by default, the scopes Okta Workforce requires are get:users, post:users, and put:users.
Configure SCIM in Okta Workforce for OIDC Apps
Confirm that an OpenID Connect application has already been registered in the Okta Workforce tenant for OIDC-based user authentication.
Confirm that your OpenID Connect application has disabled Federation Broker Mode.
Register a second application in the Okta portal by selecting Applications > Applications, then choose Create App Integration, Secure Web Authentication, and Next.
On the General App Settings page, set a name and a URL, then select Do not display application icon to users. The URL entered is not used in the SCIM integration.
Select Finish.
Navigate to the General tab, then choose Edit and go to the Provisioning section.
Choose SCIM, then Save.
Navigate to the integration's Provisioning tab and then the Integration tab.
Select Edit, then go to the SCIM connector base URL section and enter the SCIM Endpoint URL value you copied earlier.
For Unique identifier field for users, enter userName.
Under Supported provisioning actions, select Push New Users and Push Profile Updates, then choose HTTP Header as the Authentication Mode.
Paste the token value into the Authorization field, picking Test Connection Configuration if you want to test the connection. Choose Save.
Browse to Provisioning > Settings > To App and choose Edit.
Enable Create Users, Update User Attributes, and Deactivate users. Choose Save.
Under the Attribute Mappings section, use the X button to delete the following lines, which are not needed and may cause issues during PUT operations:
| Attribute | Value |
|---|---|
| Primary email type | (user.email != null && user.email != '') ? 'work' : '' |
| Primary phone type | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' |
| Address type | (user.streetAddress != null && user.streetAddress != '') ? 'work' : '' |
Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read Okta's help section.
You can now test user provisioning in the Assignments tab and test update operations by editing the user attributes in the Directory > People section of your Okta admin portal.
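When testing, it helps to inspect the SCIM User payloads Okta pushes (for example, from a request log on the SCIM endpoint) for the points this page calls out: userName as the unique identifier, externalId as the Auth0 User ID, no empty-string type sub-attributes left over from the deleted mappings, and custom attributes carried under a SCIM extension namespace. The following lint is an added example, not Auth0's or Okta's own code; the sample payload and its values are constructed for illustration.

```python
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Top-level attributes of the SCIM 2.0 core User resource (RFC 7643).
CORE_ATTRS = {
    "schemas", "id", "externalId", "userName", "name", "displayName", "nickName",
    "profileUrl", "title", "userType", "preferredLanguage", "locale", "timezone",
    "active", "password", "emails", "phoneNumbers", "ims", "photos", "addresses",
    "groups", "entitlements", "roles", "x509Certificates", "meta",
}
# Multi-valued attributes whose "type" mappings the page says to delete in Okta.
TYPED_MULTI_VALUED = ("emails", "phoneNumbers", "addresses")


def lint_scim_user(payload: dict) -> list:
    """Return human-readable findings; an empty list means the payload passes."""
    findings = []
    schemas = payload.get("schemas", [])
    if CORE_USER_SCHEMA not in schemas:
        findings.append("missing core User schema in 'schemas'")
    if not payload.get("userName"):  # Okta's unique identifier field
        findings.append("userName is missing or empty")
    if not payload.get("externalId"):  # where Auth0 reads the User ID from
        findings.append("externalId is missing or empty")
    # An empty-string 'type' is what the deleted Okta mappings emit when the
    # source attribute is blank; catch it before it reaches a PUT.
    for attr in TYPED_MULTI_VALUED:
        for i, entry in enumerate(payload.get(attr, [])):
            if entry.get("type") == "":
                findings.append(f"{attr}[{i}] has an empty 'type' sub-attribute")
    # Custom attributes belong under an extension namespace: a URN key that is
    # also listed in 'schemas', never a bare top-level key.
    for key in payload:
        if key.startswith("urn:"):
            if key not in schemas:
                findings.append(f"extension {key} is not listed in 'schemas'")
        elif key not in CORE_ATTRS:
            findings.append(f"custom attribute '{key}' lacks a SCIM external namespace")
    return findings


# Constructed sample resembling a push made before applying the fixes above.
SAMPLE_PUSH = {
    "schemas": [CORE_USER_SCHEMA],
    "externalId": "00u-example-okta-id",
    "userName": "jdoe@example.com",
    "emails": [{"primary": True, "value": "jdoe@example.com", "type": ""}],
    "phoneNumbers": [{"primary": True, "value": "", "type": ""}],
    "department": "Engineering",
    "active": True,
}
```

Calling lint_scim_user(SAMPLE_PUSH) reports the two empty type sub-attributes and the un-namespaced department attribute; a payload with those fixed returns an empty list.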