What is SCIM?
SCIM is an open standard for automating user provisioning across domains, reducing the time and complexity typically associated with onboarding.
It removes the need for manual user management and minimizes human error, meaning program admins can spend more time with learners.
We also support syncing learner attributes, including First Name, Last Name, Email Address, Job Role, Company, Business Unit and Team (and we plan to add more).
Prerequisites
In order to set up SCIM on Security Journey with Okta, you will need:
Security Journey
An account with Admin privileges
SSO enabled in the Admin Settings
Okta
Okta, version 2016.07 or later
A user with Application Admin privileges
Existing SSO SAML 2.0 Application setup for Security Journey
Supported Features
Our SCIM Integration supports the following features:
Create Users
Update User Attributes
Deactivate Users
For more information on the listed features or terms, visit the Okta Glossary.
Configuration Steps
1. Log in to Okta with your Admin account and navigate to Applications
2. Click "Create App Integration"
3. Choose "SAML 2.0"
4. Give the App a name
5. App visibility > Check "Do not display application icon to users"
6. Under the SAML settings > General > Single sign-on URL > enter a placeholder or dummy URL
7. Then click "Next"
8. Answer Okta's Feedback Question > Check "This is an internal app that we have created"
9. Navigate to General > Edit > Click SCIM > Save
10. A new Provisioning tab will appear; from here, click Edit
11. Log in to Security Journey > More > Admin > Settings > SCIM
12. Generate a new SCIM Token and copy it
13. Copy the SCIM API URL
14. Go back to Okta, enter the SCIM API URL and paste the Auth Token as seen below:
15. You will need to test the connection by clicking "Test Connector Configuration" at the bottom of the page. If it's successful, you will see this message:
16. Once saved, you should see these settings. Under To App, check the following settings: Create Users, Update User Attributes & Deactivate Users.
17. Finally, we recommend assigning a test user or small group of users to the application and verifying synchronization via Okta logs:
Okta is generally near-instant when propagating updates. However, this is not guaranteed and may take up to an hour.
18. Once you've successfully tested, you can update the group assignment as needed.
Troubleshooting
Our application doesn't support capitalization within email addresses; they will be normalized to lowercase. If capitalization is a requirement within your IdP or Active Directory, you may need to adjust the emailAddress that you are sending to us as the primary user identifier.
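A pre-flight check for the email normalization described above, as an added example that is not Security Journey's or Okta's own code: it lists which emailAddress values will change when lowercased and flags users who would end up sharing one primary identifier. The CSV column names and sample rows are constructed, and plain lowercasing of the whole address is an assumption about how the normalization is applied.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical column names, not a real Okta format).
SAMPLE_EXPORT = """userId,emailAddress
u1001,Alice.Ng@example.com
u1002,bob@example.com
u1003,alice.ng@example.com
u1004,Carol@Example.com
"""


def audit_email_case(export_text):
    """Return (changed, collisions) for the emailAddress column.

    changed:    {userId: (original, lowercased)} for values that will be altered.
    collisions: {lowercased: [userId, ...]} where several users would share
                one identifier once case is ignored.
    """
    changed = {}
    by_normalized = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        original = row["emailAddress"]
        # Assumption: normalization is plain lowercasing of the whole address.
        normalized = original.lower()
        by_normalized[normalized].append(row["userId"])
        if normalized != original:
            changed[row["userId"]] = (original, normalized)
    collisions = {e: ids for e, ids in by_normalized.items() if len(ids) > 1}
    return changed, collisions


if __name__ == "__main__":
    changed, collisions = audit_email_case(SAMPLE_EXPORT)
    for user_id, (before, after) in changed.items():
        print(f"{user_id}: {before} -> {after}")
    for email, ids in collisions.items():
        print(f"COLLISION {email}: {', '.join(ids)}")
```

Resolve any reported collision in the IdP before assigning those users to the application, since both accounts would otherwise map to the same primary identifier.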