Understanding SCIM for OKTA
This guide covers setting up Okta as your identity provider using SCIM provisioning.
The integration keeps users continuously synchronized between the Okta SCIM app and Perimeter 81.
The following features are supported by Perimeter 81 at the moment:
- Push Users: Users in Okta that are assigned to the Perimeter 81 application within Okta are automatically added as users in Perimeter 81.
- Push Profile Updates: When user attributes are updated in Okta, they will be updated on Perimeter 81 as well.
- Deactivate Users: When users are deactivated or removed from the SCIM App in Okta, they will be deleted within Perimeter 81 which prevents the user from logging in and frees up a user license.
SCIM-based user provisioning is available to Perimeter 81's Enterprise customers only. If you would like to upgrade your plan, reach out to your assigned Account Manager. If you do not know who your Account Manager is, contact our support team at firstname.lastname@example.org; they will be able to put you in touch with your assigned Account Manager.
Enabling SCIM on Perimeter 81
1. In your Perimeter 81 Admin Console, navigate to Settings -> Identity Providers.
2. Select Turn On next to SCIM Integration.
3. Click Settings.
4. Click Generate Token. Once the SCIM Token has been generated, click Copy Token. Be sure to save this token, as it will be used later; once you close this pop-up you will not be able to see the token again, and if it is lost a new token will need to be generated.
Enabling SCIM on Okta
1. Log in to your Okta account. In the general Okta dashboard, select Applications, and using the list of shortcuts on the left-hand side of the screen, select Browse App Catalog.
2. Search for "Perimeter 81", select our application and click Add.
3. Leave everything at its default settings and click Done.
4. Click Provisioning.
5. Click Configure API Integration.
6. Check the Enable API Integration checkbox.
7. Paste the generated token you obtained in step 4 of the Perimeter 81 SCIM configuration.
8. Click the Test API Credentials button.
9. Click the Save button.
10. Once saved, click the To App link in the Settings pane on the left.
11. Click the Edit link on the right side of the pane.
12. Check the Enable checkbox for "Create Users", "Update User Attributes" and "Deactivate Users".
13. Click Save.
Provisioning Users and groups
- In Okta, navigate to Applications and select your SAML 2.0 Application.
- Click Assignments.
- Assign the People or Groups you would like to get provisioned over to Perimeter81.
- Fill in any additional information, click Save and Go Back, then click Done.
- The application can also be assigned from the user menu in Okta by navigating to Applications on the user profile and selecting Perimeter 81.
- Assigning the application syncs the user immediately.
- Removing the assignment deletes the user within Perimeter 81, which prevents the user from logging in and frees up a user license.
- The 'Name' field does not support special characters such as "@", "()", "#", "$", "." and "!".
- Only the characters 'a-z', 'A-Z' and '0-9' are supported in that field.
- Assign users or groups in Okta that you wish to provision to Perimeter81.
- Ensure that the 'Name' field does not contain unsupported special characters.
- Regularly check Okta's Dashboard -> Tasks for any failed assignments or errors.
- Note that the Okta SCIM integration doesn't support email modifications. If needed, delete the user from Perimeter 81 and have them log in with the new email address via Okta.
- To check whether provisioning succeeded, navigate in Okta to Dashboard -> Tasks.
- Any failed assignments appear under Tasks; clicking a failed task shows you the error.
Perimeter 81 uses each user's email address as the unique identifier within the tenant. This means that the Okta SCIM integration does not support email modifications or updates.
If you need to change a user's email address, delete the user from the Perimeter 81 Admin Console, then have them log in to the platform with the new email address via Okta.
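As an added pre-flight check, not part of the original guide or of Perimeter 81's own tooling, the following Python flags Okta users whose push is likely to fail for the two reasons described above: unsupported characters in the name fields, and an email change that SCIM will not propagate. It assumes the app maps Okta's firstName/lastName onto Perimeter 81's 'Name' field; the user records follow the shape of Okta's GET /api/v1/users response, and the sample data is constructed.

```python
import re
from typing import Dict, List

# Perimeter 81 accepts only a-z, A-Z and 0-9 in the 'Name' field (per the guide above).
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9]*$")


def check_name(name: str) -> List[str]:
    """Return the unsupported characters found in a name, in order, without duplicates."""
    if ALLOWED_NAME.fullmatch(name):
        return []
    return list(dict.fromkeys(ch for ch in name if not ALLOWED_NAME.fullmatch(ch)))


def preflight(users: List[Dict], previous: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag Okta users whose SCIM push to Perimeter 81 is likely to fail.

    users:    Okta user records (shape of GET /api/v1/users, trimmed to id + profile).
    previous: Okta user id -> email as it was when that user was last pushed.
    Returns a mapping of Okta user id -> list of human-readable problems.
    """
    problems: Dict[str, List[str]] = {}
    for user in users:
        found: List[str] = []
        profile = user["profile"]
        # Assumption: the app maps firstName/lastName onto the 'Name' field.
        for field in ("firstName", "lastName"):
            bad = check_name(profile.get(field, ""))
            if bad:
                found.append(f"{field} contains unsupported characters {bad}")
        # Email is the tenant's unique identifier: SCIM will not update it,
        # so a changed email needs a delete and fresh login via Okta instead.
        old_email = previous.get(user["id"])
        if old_email and old_email.lower() != profile["email"].lower():
            found.append(f"email changed from {old_email}: SCIM will not update it; delete and re-provision")
        if found:
            problems[user["id"]] = found
    return problems


# Constructed sample data, not a real Okta export.
SAMPLE_USERS = [
    {"id": "00u1", "profile": {"firstName": "Alice", "lastName": "Smith", "email": "alice@example.com"}},
    {"id": "00u2", "profile": {"firstName": "Bob", "lastName": "O'Neil", "email": "bob@example.com"}},
    {"id": "00u3", "profile": {"firstName": "Carol", "lastName": "Jones", "email": "carol.new@example.com"}},
]
SAMPLE_PREVIOUS = {"00u1": "alice@example.com", "00u3": "carol@example.com"}

if __name__ == "__main__":
    for uid, issues in preflight(SAMPLE_USERS, SAMPLE_PREVIOUS).items():
        print(uid, "->", "; ".join(issues))
```

Run it against a real export before assigning users in Okta so that the failures surface here rather than under Dashboard -> Tasks.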
- This means that the user belongs to a group that is not permitted on Perimeter 81.
- To fix this issue, go to Settings -> Identity Providers and click the lock icon next to Okta:
- Remove all groups from the list so that all users are allowed.
- Click Save. The menu should look like this: