Okta (SCIM)
  • 09 Nov 2022



This article describes how to set up Okta as your identity provider using SCIM provisioning. This allows continuous synchronization of users between the Okta SCIM app and Perimeter 81.
This guide includes:

  • Features
  • Requirements for user provisioning
  • Generating a SCIM Token on Perimeter81
  • Enable Okta SCIM 2.0 provisioning functionality
  • Known Issues

Supported Features

The following features are supported by Perimeter 81 at the moment:

  • Push Users: Users in Okta that are assigned to the Perimeter 81 application within Okta are automatically added as users in Perimeter 81.
  • Push Profile Updates: When user attributes are updated in Okta, they will be updated on Perimeter 81 as well.
  • Deactivate Users: When users are deactivated or removed from the SCIM App in Okta, they will be deleted within Perimeter 81, which prevents the user from logging in and frees up a user license.

Requirements

SCIM-based user provisioning is available to Perimeter 81's Enterprise customers only. If you would like to upgrade your plan, reach out to your assigned Account Manager. If you do not know who your Account Manager is, contact our support team at support@perimeter81.com and they will put you in touch with your assigned Account Manager.

Notes
  • To successfully integrate Okta and Perimeter 81, you must have admin access to both platforms.
  • You must have an active Perimeter 81 Okta Application configured for Single Sign-On.

Creating the SCIM Token on Perimeter 81

  1. In your Perimeter 81 Admin Console, navigate to Settings -> Identity Providers.
  2. Select Turn On next to SCIM Integration.
  3. Click on Settings.
  4. Click Generate Token. Once the SCIM Token has been generated, click Copy Token. Be sure to save the token, as it will be used later. Once you close this pop-up, you will not be able to see the token again, and if it is lost, a new token will need to be generated.

Enabling SCIM on Okta

  1. Log in to your Okta account. In the general Okta dashboard, select Applications, and using the list of shortcuts on the left-hand side of the screen, select Browse App Catalog.
  2. Search for "Perimeter 81", select our application and click Add.
  3. Leave everything in its default settings and click Done.
  4. Click Provisioning.
  5. Click Configure API integration.
  6. Check the Enable API Integration checkbox.
  7. Paste the token that you generated in step 4 of the Perimeter 81 platform SCIM configuration.
  8. Click the Test API Credentials button.
  9. Click the Save button.
  10. Once saved, click the To App link in the Settings left pane.
  11. Click the Edit link on the right side of the pane.
  12. Check the Enable checkbox for "Create Users", "Update User Attributes" and "Deactivate Users".
  13. Click Save.

Provisioning Users and Groups

  1. In Okta, navigate to Applications and select your SAML 2.0 Application.
  2. Click Assignments.
  3. Assign the People or Groups you would like to provision to Perimeter 81.
  4. Fill in any additional information and click Save and Go Back, then click Done.
Assigning Users and Groups
  • Assigning the Application can also be done from the User menu in Okta by navigating to Applications on the User Profile and selecting Perimeter 81.
  • Assigning the Application will sync the user immediately.
  • Removing the Assignment will delete the user within Perimeter 81, which prevents the user from logging in and frees up a user license.
Special Characters
  • The 'Name' field does not support special characters such as "@", "()", "#", "$", ".", and "!".
  • Only 'a-z', 'A-Z', and '0-9' are supported.

Troubleshooting and Known Issues

  1. To check if the provisioning was successful, in Okta navigate to Dashboard -> Tasks.
  2. Any failed assignments should appear under Tasks. Clicking the failed task will show you the error.

Perimeter 81 uses the email address of each user as the unique identifier of the tenant. This means that the Okta SCIM integration doesn't support email modification and updates.
If you need to modify the email address, delete the user from the Perimeter 81 Admin console, then have the user log in to the platform with the new email address via Okta.
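
A pre-flight check for the two constraints described above (the 'Name' character restriction and email as the unique identifier), as an added example that is not Perimeter 81 or Okta code. The record layout (`id`, `firstName`, `lastName`, `email`), the per-field name check and the case-insensitive email comparison are assumptions, and the sample records are constructed.

```python
import re

# Per the page: only a-z, A-Z and 0-9 are supported in the 'Name' field.
NAME_OK = re.compile(r"[A-Za-z0-9]+")


def preflight(current, previous=None):
    """Return sorted (okta_id, kind, detail) tuples for records that will not sync cleanly."""
    # Assumption: emails are compared case-insensitively.
    previous_email = {u["id"]: u["email"].lower() for u in (previous or [])}
    issues = []
    seen = {}  # email -> first Okta id that used it
    for user in current:
        uid, email = user["id"], user["email"].lower()
        # Assumption: the 'Name' restriction applies to each name part separately.
        for field in ("firstName", "lastName"):
            value = user.get(field, "")
            if not NAME_OK.fullmatch(value):
                bad = "".join(sorted(set(re.sub(r"[A-Za-z0-9]", "", value))))
                issues.append((uid, "name", f"{field} empty or contains unsupported {bad!r}"))
        # Email is the unique identifier, so two records must never share one.
        if email in seen:
            issues.append((uid, "email-duplicate", f"same email as {seen[email]}"))
        else:
            seen[email] = uid
        # Email changes are not synced: the user has to be deleted and log in again.
        old = previous_email.get(uid)
        if old is not None and old != email:
            issues.append((uid, "email-changed", f"was {old}; delete user, then log in via Okta"))
    return sorted(issues)


# Constructed sample records (not real users).
PREVIOUS = [{"id": "00u1", "firstName": "Dana", "lastName": "Reyes", "email": "dana@example.com"}]
CURRENT = [
    {"id": "00u1", "firstName": "Dana", "lastName": "Reyes", "email": "d.reyes@example.com"},
    {"id": "00u2", "firstName": "J.R.", "lastName": "O'Neil", "email": "jr@example.com"},
    {"id": "00u3", "firstName": "Sam", "lastName": "Lee", "email": "JR@example.com"},
]

if __name__ == "__main__":
    for uid, kind, detail in preflight(CURRENT, PREVIOUS):
        print(uid, kind, detail)
```

Running it against an export of the users you are about to assign surfaces the records that would otherwise show up as failed tasks in Okta after assignment.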
NOT_IN_ACCESS_GROUPS
  • This means that the user belongs to a group that is not permitted on Perimeter 81.
  • To fix this issue, go to Settings -> Identity Providers and click the lock icon next to Okta:
  • Remove all groups from the list so that all users are allowed.
  • Click Save.




