User Provisioning through Okta using SCIM
This document guides you through the steps to set up a working SCIM integration between Okta and SafeNet Trusted Access (STA) using the Okta Provisioning Service. If you have existing users in Okta, you can use the Okta Provisioning Service to provision users and groups from Okta to STA.
The Okta Provisioning Service is based on the System for Cross-Domain Identity Management (SCIM) 2.0 protocol. It connects to the STA SCIM user-management API endpoint to automatically create, update, and remove or deactivate users and groups.
Perform the following steps to set up your SCIM integration between Okta and STA:
Get an API key and the SCIM endpoint for STA for authorization
The Okta Provisioning Service needs credentials to connect to the SCIM API for STA. Because it uses the SCIM protocol, it needs an API key and a SCIM API endpoint, both of which you can get from the STA Access Management console:
- To generate an API key for your tenant, refer to Generate an API key.
- To copy the SCIM API endpoint, refer to Endpoint URL.
You will need these when you create a SCIM provisioning integration in Okta. When you create it, you can test the credentials to ensure that the connection is successful.
Create an Application in Okta
To set up the SCIM integration between Okta and STA, the first step is to add an application that represents STA in Okta. Perform the following steps to add an application in Okta:
- Sign in to your Okta admin console.
- On the left pane, go to Applications > Applications.
- Click Browse App Catalog.
- Under Browse App Integration Catalog, search for SCIM 2.0 Test App and then select SCIM 2.0 Test App (OAuth Bearer Token).
- On the SCIM 2.0 Test App (OAuth Bearer Token) window, click Add Integration.
- Under General Settings, in the Application label field, enter a name for your application (for example, SafeNet Trusted Access). Select the other configurations available in the tab as per your requirement and then click Next.
- Under Sign-On Options, select the Secure Web Authentication option and click Done.
Configure the connection to STA
Once you have added an application representing STA in Okta, perform the following steps to configure an API integration for provisioning in your application.
- Go to the Provisioning tab of your application and then click Configure API Integration.
- Select the Enable API Integration check box and perform the following steps:
  - In the SCIM 2.0 Base Url field, paste the SCIM API ENDPOINT URL that you obtained in the Get an API key and the SCIM endpoint for STA for authorization section.
  - In the OAuth Bearer Token field, enter the API KEY that you obtained in the Get an API key and the SCIM endpoint for STA for authorization section.
  - Click Test API Credentials to test the connection with STA.
  - On successful verification, click Save to save the configuration.
  In case of any error, ensure that the credentials you have entered are correct and try again.
Configure your SCIM integration in Okta
After enabling a SCIM integration in Okta, the next step is to configure the integration with the available SCIM options.
On the Provisioning tab, under Settings, there are two options that are used to manage the provisioning in your SCIM integration:
To App
This section controls the user’s profile information that flows from Okta to STA through your SCIM integration. Click Edit and enable the options as per your preferred configuration. Do not forget to click Save to apply your changes.
For more information about the settings present in this section, refer to the Okta documentation.
The Sync Password option will not make any changes to the users’ password in STA.
For information related to Attribute Mappings, refer to the Attributes Mapping section in Appendix.
To Okta
This section controls the user’s profile information that flows from STA to Okta through your SCIM integration. Click Edit for respective sections and enable the options as per your preferred configuration. Do not forget to click Save to apply your changes.
For more information about the settings present in this section, refer to the Okta documentation.
For information related to Attribute Mappings, refer to the Attributes Mapping section in Appendix.
Assign application created in Okta to users
After you have performed all the required configuration steps, you need to assign users to the application that you created in the Create an Application in Okta section. Only users who have the application assigned to them are provisioned to STA.
Perform the following steps to assign the application to users or groups:
- Go to the Assignments tab and click the Assign drop down.
- From the Assign drop down, select either Assign to People or Assign to Groups based on your preference.
  The Assign to Groups option is only for the bulk assignment of users. It does not push groups to STA.
- An Assign SafeNet Trusted Access to People window will appear with the list of available users or groups, depending on the choice selected in the previous step. Click Assign next to your desired user or group.
- Scroll down and then click Save and Go Back.
- Repeat steps 3-4 to assign the application to other users. Click Done once you have assigned the application to the desired users or groups.
Users with an inactive status in Okta are not pushed to STA.
To know more about the other ways to assign the application to users or groups, refer to the Assign app integrations section in the Okta documentation.
After assigning the application to users, you can verify the settings by performing the following steps:
- Go to the STA Management console and select the Assignment tab.
- In the Search User module, you can find the list of users that are pushed from Okta. Alternatively, you can search for individual users to verify that they are provisioned.
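If you want to check the SCIM endpoint and API key outside of Okta, or see which users the SCIM API currently reports as active, the following Python script does a read-only query of the /Users resource. It is an added example, not part of this document or of the Okta or STA products; the endpoint URL and API key are placeholders for the values obtained in the Get an API key section, the sample response is constructed, and the script assumes the STA endpoint follows the SCIM 2.0 wire format (RFC 7644).

```python
import json
import urllib.request

# Placeholders: paste the SCIM API endpoint and the API key obtained from the
# STA Access Management console (see "Get an API key and the SCIM endpoint").
SCIM_BASE_URL = "https://<sta-scim-endpoint>/scim/v2"
API_KEY = "<sta-api-key>"

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_url(base_url, path):
    """Join the SCIM base URL and a resource path without doubling slashes."""
    return base_url.rstrip("/") + "/" + path.lstrip("/")


def scim_get(path, base_url=SCIM_BASE_URL, api_key=API_KEY,
             opener=urllib.request.urlopen):
    """GET a SCIM 2.0 resource, sending the API key as an OAuth bearer token,
    which is how the Okta SCIM 2.0 Test App (OAuth Bearer Token) sends it."""
    req = urllib.request.Request(
        scim_url(base_url, path),
        headers={"Authorization": "Bearer " + api_key,
                 "Accept": "application/scim+json"},
    )
    with opener(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_users(list_response):
    """Reduce a SCIM ListResponse from /Users to {userName: active}.
    active=False marks a user that SCIM has deactivated, for example after
    the user was unassigned from the application in Okta."""
    if LIST_RESPONSE_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    return {u["userName"]: bool(u.get("active", True))
            for u in list_response.get("Resources", [])}


# Constructed sample of what /Users returns (not captured from STA).
SAMPLE_LIST_RESPONSE = {
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 2,
    "Resources": [
        {"id": "1", "userName": "alice@example.com", "active": True},
        {"id": "2", "userName": "bob@example.com", "active": False},
    ],
}

if __name__ == "__main__":
    live = scim_get("/Users?startIndex=1&count=100")
    for name, active in sorted(summarize_users(live).items()):
        print(f"{name}: {'active' if active else 'inactive'}")
```

A 401 or 403 from the endpoint means the API key is wrong or has been revoked; fix that before clicking Test API Credentials in Okta.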
Unassign users from the application
Perform the following steps to remove users or groups from the application:
- Go to the Assignments tab and, in the left pane, do one of the following:
  - Select People and then click the icon displayed against the desired user to remove that user's access to the application.
  - Select Groups and then click the icon displayed against the desired group to remove the group's access to the application.
If a user is unassigned from the application or the user's account is deactivated in Okta, STA automatically locks the user's account.
To verify, go to the STA Management console > Assignment tab and validate that the user's Account State is set to Locked.
If a user does not have a token, the Account State is not displayed in STA even if the user's account is locked.
The user's account is unlocked again in STA whenever the application is re-assigned to the user in Okta.
If the user has not enrolled for a token in STA and is unassigned from the application in Okta, the user needs to reset their token once the application is re-assigned.
Push Groups to STA
The Push Groups tab lets you push existing groups from Okta to STA. Perform the following steps to enable group push for your integration:
- Go to the Push Groups tab and click the Push Groups drop down.
- From the Push Groups drop down, select either Find groups by name or Find groups by rule, based on your preference.
  - Find groups by name lets you search for groups by name.
  - Find groups by rule lets you create a search rule to find groups in Okta.
  Clear the Push group memberships immediately check box (for both options) if you do not want the membership of the selected group to be pushed to STA immediately.
- Search for the required group in the search box and select the group from the result. Click Save or Save & Add Another based on your preference.
• Pushing groups to STA will only push the group attributes and not the users in it to STA.
• After pushing the groups to STA, altering the group membership may cause synchronization errors.
To know more about the Group push feature and its limitations, refer to Manage Group Push in the Okta documentation.
To verify the group push to STA, perform the following steps:
- Go to the STA Management console and select the Groups tab.
- Under Group Maintenance > Internal, you can see all the Okta groups that are pushed to STA.
Import Users from STA to Okta
The Import feature in Okta lets you import users and groups from STA to Okta. Imports can be scheduled in Okta using the settings in the To Okta section above.
If you have not scheduled an import, you can manually import users from STA to Okta by performing the following steps:
- Go to the application and, under the Import tab, click Import Now.
  This triggers an import task and displays the number of users and groups that were scanned from STA.
- Click Ok. You will be presented with the list of users. Select the check box for each user you want to import and then click Confirm Assignments.
  The displayed import result may vary depending on the options that you selected in the To Okta section above.
- Click Confirm to confirm the import.
To verify the import of users in Okta, go to Directory > People in your Okta admin console. Here, you can search and verify the imported users.
Appendix
Attributes Mapping
In the Provisioning tab, under Settings, you can modify the attribute mappings. You can find the STA Attribute Mappings and the Okta Attribute Mappings in the To App and To Okta sections respectively. For the steps to configure the attribute mappings in Okta, refer to the Check the attributes and corresponding mappings section in the Okta documentation.
- For information about the SCIM attributes supported by STA, refer to SCIM core user attributes.
- For information about the SCIM attributes not supported by STA, refer to Unsupported core user attributes.
- For information about the custom user attributes in STA, refer to STA custom user attributes.
Troubleshooting your SCIM Integration
If you face any issues while configuring the SCIM integration in Okta, you can check the system logs available in Okta by clicking View Logs in the admin console.