Configure SCIM 2.0 with Okta

How to integrate SCIM for Enterpret with the Okta identity provider.

Written by Team Enterpret
Updated over 2 months ago

Overview

SCIM is an open API for securely sharing user information between online systems. In Enterpret, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Enterpret with the user's activation status and/or role. This article details how to integrate Enterpret and the Okta IdP with SCIM.

Create a SCIM 2.0 application in Okta

  1. From the Applications page in Okta, click Browse App Catalog. This takes you to the application directory.

  2. Search for SCIM 2.0 Test App (OAuth Bearer Token).

  3. Click Add to begin the setup.

Okta General Settings tab

Set the Application label with a descriptive name (such as "Enterpret SCIM"). You can leave other settings at their defaults, or change them depending upon your requirements. Click Next.

Leave the Sign On Options at their defaults and click Done to create the application.

Configure SCIM Integration

Navigate to your SCIM 2.0 application in Okta. Click the Provisioning tab, then click Configure API Integration.

Check Enable API Integration and set the following parameters:

  • SCIM 2.0 Base Url: https://api.enterpret.com/scim/scim/v2

  • OAuth Bearer Token: Please reach out to your customer success representative to obtain your OAuth Bearer Token.

On the Provisioning tab, click the newly available To App setting panel. Then:

  1. Click Edit.

  2. Click the checkbox to enable the following:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users

  3. Click Save.

When users are deactivated or reactivated in Okta and are assigned to the appropriate SCIM 2.0 app, their status should be changed in Enterpret as well.

Import and Map User Assignments

You can import users and groups from Enterpret SCIM and map Enterpret users to their corresponding Okta user accounts. To do so, go to the Import tab and click the Import Now button. This pulls in the users and groups from the Enterpret SCIM server. You can then map users to their corresponding Okta user accounts by selecting the matches and confirming them.

User Activation/Deactivation

User Activation

To activate a user within Enterpret using SCIM, assign the user to the Enterpret SCIM application in Okta. Click the Assignments tab, and add users as required.

User Deactivation

You can deactivate a user in Enterpret in one of the following ways, depending on your requirements:

  • Un-assign the user from the Enterpret SCIM application

  • Suspend/deactivate the user in Okta

💡 Notes

  • Enabling SCIM 2.0 support does not disable user management options within Enterpret. This means a user may have an active status in the IdP, yet be deactivated in Enterpret through the Workspace Settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.

  • Since Okta SCIM doesn't allow pulling the group members list to reflect user groups as per the SCIM data, the integration only supports updating user groups in Enterpret according to the Okta user groups.

User Role Assignment

We recommend managing User Roles in Enterpret using SCIM through User Groups that correspond to the User Roles in Enterpret. The group members are synced to Enterpret through SCIM and are assigned the corresponding User Role within Enterpret. To do so, create Groups with the following names in your Okta account:

  • Enterpret Admins

  • Enterpret Editors

  • Enterpret Members

  • Enterpret Viewers

💡 Notes

  • We recommend keeping the Group names as suggested above for easier User Role management. Keeping the names the same as above helps Okta automatically suggest the SCIM Groups for linking.

  • If you choose Group names different from the above, you can link them manually to the corresponding SCIM Group. Please disable the "Rename app groups to match group name in Okta" option in Push Group Settings, since it has no effect on the SCIM Groups.

Once you have created these Groups, head over to the SCIM Application to link them. Under Push Groups, select Push Groups and then Find groups by name.

Search for Enterpret Groups and select them.

Since we are finding groups by name, Okta will automatically find a match for the corresponding SCIM group. Click Save to create the link.

Repeat the same for all four Enterpret Groups.

Once you have linked the Enterpret Groups in the SCIM Application, you can assign the relevant users to these groups according to the desired role.

To sync the users in the Enterpret Groups, click Push Now under the Group's options.

💡 Notes

  • Since we cannot enforce a "one user, one role" constraint in SCIM, adding a user to multiple Enterpret-defined Groups will have a non-deterministic effect on the user's role in Enterpret (based on which push event we receive later).

  • Removing a user from all Enterpret-defined Groups will have no effect on the User Role in Enterpret, since this operation doesn't convey any intended effect. The User Role in Enterpret will remain the same until the user is added to one of the Enterpret-defined User Groups again.

  • Okta doesn't always initiate a SCIM 2.0 user update based on group membership changes. If you add a user to a group, for example, Okta may not automatically push that change to Enterpret. After changing group memberships, have the SCIM 2.0 application in Okta perform a force sync. This is a known limitation of Okta.
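The notes above on role groups and the earlier note on Enterpret-side user management both describe ways Okta and Enterpret can drift apart. The following audit is an added example, not Enterpret or Okta code: it assumes you have already exported Okta group memberships, the app's assigned users, and a SCIM 2.0 user listing, and all sample data is constructed.

```python
import json

# The four role groups named in this article.
ROLE_GROUPS = ("Enterpret Admins", "Enterpret Editors",
               "Enterpret Members", "Enterpret Viewers")

# Constructed sample data (not real exports). okta_groups maps each Okta
# group to its members; okta_assigned is the set of users assigned to the
# SCIM app; scim_users is a SCIM 2.0 ListResponse of User resources.
okta_groups = {
    "Enterpret Admins": ["ana@example.com", "raj@example.com"],
    "Enterpret Editors": ["raj@example.com"],
    "Enterpret Members": ["li@example.com"],
    "Enterpret Viewers": [],
}
okta_assigned = {"ana@example.com", "raj@example.com",
                 "li@example.com", "sam@example.com"}
scim_users = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"userName": "ana@example.com", "active": true},
    {"userName": "raj@example.com", "active": true},
    {"userName": "li@example.com",  "active": false},
    {"userName": "old@example.com", "active": true}
  ]}""")

def audit(groups, assigned, scim):
    """Return drift findings between Okta state and the SCIM user listing."""
    roles = {}
    for group in ROLE_GROUPS:
        for user in groups.get(group, []):
            roles.setdefault(user.lower(), []).append(group)
    assigned = {u.lower() for u in assigned}
    active = {r["userName"].lower(): r.get("active", False) for r in scim["Resources"]}
    return {
        # In more than one role group: the final role depends on push order.
        "multi_role": {u: g for u, g in roles.items() if len(g) > 1},
        # Assigned but in no role group: the role stays whatever it last was.
        "no_role_group": sorted(assigned - set(roles)),
        # Active in Enterpret without an Okta assignment.
        "active_not_assigned": sorted(u for u, a in active.items() if a and u not in assigned),
        # Assigned in Okta but inactive in Enterpret (changed outside the IdP).
        "assigned_but_inactive": sorted(u for u in assigned if active.get(u) is False),
    }

if __name__ == "__main__":
    print(json.dumps(audit(okta_groups, okta_assigned, scim_users), indent=2))
```

Running it after each group change or force sync gives a short list of accounts to review by hand.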
