Okta integration
This guide highlights how to synchronize your application’s Okta directories using SCIM.
Copyright © 2023 configure8, Inc. All rights reserved.
If Okta is your identity provider, you can efficiently provision and manage users in your configure8 account. Using Okta's SCIM integration with configure8 enables Okta to serve as a single identity manager, add and remove users, and provision user groups. This is especially efficient for managing users at scale.
This topic describes how to use an Okta SCIM integration for automated provisioning in configure8. To configure this integration, you must take steps in both configure8 and Okta.
Requirements
You must be an Administrator in your Okta account, and you must be an Account Admin in configure8.
You need a configure8 API key and unexpired token that has all Users and User Groups permissions. API keys inherit permissions from the user they are associated with. If you use an API key for a service account, make sure the service account has all Users and User Groups permissions.
Single sign-on (SSO) should be enabled and configured as part of provisioning the Okta application. See How to set up SSO.
Okta app integration
To enable automated provisioning, you need to enable SSO and SCIM in the configure8 dashboard and create an app in your Okta account.
Follow the instructions in How to set up SSO.
Log in to your configure8 administrator account and enable SCIM.
In your newly created configure8 app in Okta, go to the General tab, and click Edit under App Settings.
Enable SCIM provisioning and Save changes.
Go to your configure8 dashboard and create a new API key with Write scope and Admin Role. Make sure the created key has no expiration. See API key specification.
Go to your new Okta application and select the Provisioning tab.
Select the Integration menu item and set the SCIM connector base URL to https://app.configure8.io/public/v2/scim.
Set userName as a unique identifier.
Choose the following Supported provisioning actions:
Import new users and profile updates
Push new users
Push profile updates
Push groups
Import groups
Select HTTP Header as the Authentication Mode, where the Bearer value is the configure8 API key you created earlier.
Select To App and enable the following options: Create Users, Update User Attributes, Deactivate Users. Attributes Mapping doesn't require any changes.
(Optional) If you want to sync existing users and groups to Okta, open the Import tab in the created Okta application and click Import now. After the import is done and the results are shown, select all users and click Confirm assignments.
Okta SCIM provisioning
Once you have set up the SCIM integration between Okta and Configure8, administrators can perform the following actions in Okta:
Adding, removing, and editing group members. Group membership must be managed in Okta.
Renaming user groups. Groups can only be renamed in Okta.
Deleting user groups. Groups created in Okta can only be deleted in Okta. Groups imported from Configure8 to Okta can only be deleted in the Configure8 dashboard, because Okta marks imported groups as external and doesn't allow editing them.
Editing user email addresses, full names, and group assignments.
You can't edit these user details (names, email) in Configure8 if the user was provisioned as part of an Okta-provisioned user group.
User group membership can be edited only in Okta.
You must use Okta to delete Okta-provisioned users. To delete an Okta-provisioned user, follow these steps: unassign the user from the corresponding Okta app, then remove the unassigned user in the Configure8 dashboard.
If an Okta-provisioned user group has the same name as an existing user group in Configure8, Configure8 retains both groups. To prevent confusion, you can rename the existing Configure8 group.
Note that user and group management, authorization, and password management should be handled by the Okta identity provider. The following will be available as part of SCIM provisioning:
Role and resource group assignments are not controlled in Okta. You must assign permissions to user groups in Configure8.
Provision individual users
You can provision individual users, without a group affiliation, in Configure8 from Okta. Users assigned to groups are provisioned with their group.
In your Configure8 Okta app, select Assignments.
Click on People in Filters.
Select Assign, and then select Assign to People.
Select the users you want to provision, and then select Assign.
Select Save and Go Back.
Select Done after you've finished assigning users.
You can use Okta to provision individual users or groups containing sets of users. If you use Okta to provision individual users directly to Configure8, these users initially have no user group assignment in Configure8. The user's group membership must always be managed through Okta.
Provision groups
You can provision Okta user groups in Configure8. To do this, you must assign groups to your Configure8 Okta app and then push the groups (and the group members) to Configure8.
In your Configure8 Okta app, select Assignments.
Select Groups in Filters.
Select Assign, and then select Assign to Groups.
Select the groups you want to provision, and then select Assign.
Select Save and Go Back.
Select Done after you've finished assigning groups. Groups with the Configure8 app assignment are shown under Groups. You can edit or delete groups from here as well.
Next, push your assigned groups to Configure8.
In your Configure8 Okta app, select Push Groups.
Select Push Groups, and then select Find groups by name or Find groups by rule.
Find the groups that you want to push.
After you've found all the groups you want to push, select Save.
Okta advises using separate groups for push groups and group assignments. Otherwise, memberships won't be accurately reflected without manual group pushes for membership changes.
RBAC
By default, provisioned users have the User role in Configure8. To change a role, use the Configure8 dashboard with your Administrator account.
Configure8 Admins can still manage group owners and visibility control directly in the Configure8 admin panel.
Deactivate or remove users
To deactivate a user, unassign the user from the Configure8 Okta application.
When an admin removes a user in Okta, the user won't be deleted in Configure8, so you should go to the Configure8 dashboard and remove the deactivated user manually.
To delete an individual Okta-provisioned user (without a group affiliation), remove them from your Configure8 Okta app.
To delete a user provisioned through a group, remove them from the group in Okta.
To delete a user from Configure8, deactivate the user's Okta profile and delete this user in Configure8.
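Because unassigned users are only deactivated and must then be deleted by hand, a periodic reconciliation helps catch accounts that were never cleaned up. The following Python is an added example, not configure8 or Okta code: it compares a SCIM user listing with the Okta app assignments. It assumes the SCIM endpoint answers GET /Users with a standard SCIM 2.0 ListResponse (RFC 7644); the function name and sample data are hypothetical and constructed.

```python
import json

# Constructed sample: SCIM 2.0 ListResponse as returned by GET <base URL>/Users.
# Assumption: configure8's SCIM endpoint follows the standard RFC 7644 shape.
SAMPLE_SCIM_USERS = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "u-1", "userName": "alice@example.com", "active": true},
    {"id": "u-2", "userName": "bob@example.com", "active": false},
    {"id": "u-3", "userName": "carol@example.com", "active": true},
    {"id": "u-4", "userName": "Dave@Example.com", "active": true}
  ]
}
""")

# Constructed sample: userNames currently assigned to the configure8 app in Okta.
SAMPLE_OKTA_ASSIGNED = ["alice@example.com", "dave@example.com"]

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def reconcile(scim_list, okta_assigned):
    """Classify accounts in the SCIM listing against Okta app assignments."""
    if LIST_SCHEMA not in scim_list.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = scim_list.get("Resources", [])
    if scim_list.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial page: fetch remaining pages before reconciling")
    # userName is the unique identifier set in Okta; RFC 7643 makes it case-insensitive.
    assigned = {name.casefold() for name in okta_assigned}
    seen = set()
    report = {"pending_removal": [], "unmanaged": [], "missing": []}
    for user in resources:
        name = user["userName"].casefold()
        seen.add(name)
        if not user.get("active", True):
            # Deactivated by unassignment in Okta, still awaiting manual deletion.
            report["pending_removal"].append(name)
        elif name not in assigned:
            # Active account that Okta does not know about: review it.
            report["unmanaged"].append(name)
    report["missing"] = sorted(assigned - seen)  # assigned in Okta, never provisioned
    return report
```

Entries under `pending_removal` are the accounts the manual deletion step still has to cover; `unmanaged` entries are active accounts with no Okta assignment and deserve review.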