Configuring SCIM User Provisioning with Okta
Pharos Cloud supports automatically provisioning users and groups from Okta using the System for Cross-domain Identity Management (SCIM) protocol. This document outlines the steps to configure Okta to synchronize users and groups to Pharos Cloud using SCIM.
Synchronization between Pharos Cloud and Okta supports the following:
- Create users or groups – Users and groups created in Okta are added to Pharos Cloud.
- Update user attributes – Updates to user attributes in Okta are synced to Pharos Cloud.
Note: SCIM support is available only upon request.
Note: Once a connection with SCIM is established, we do not recommend using the import function to import users into Pharos Cloud. You can, however, use import to add cards for the users.
Note: SCIM with Okta supports OpenID authentication type only.
Step 1: Generate SCIM Credentials in Pharos Cloud Web Console
In this step, you will generate SCIM credentials in the Pharos Cloud web console for use in Okta.
1. In the Pharos Cloud web console, navigate to the Secure > Advanced tab.
2. Under User and Group Sync, click Generate Token.
3. The SCIM Credentials dialog appears.
4. Download the Tenant URL and Token values. You will need these later when configuring the SCIM application in Okta.
Note: It is highly recommended to download a copy of the credentials using the Download button (instead of the Copy button). If you accidentally open a new tab, a new token will be generated and this may result in a mismatch.
Note: The Generate Token button changes to Regenerate Token if a token was already generated.
Note: The Token is valid for a year. If a token is about to expire or has expired, you will see an appropriate message in the Pharos Cloud web console. You will need to regenerate a token and update the token in Okta.
Step 2: Create a SCIM provisioning application in Okta
1. Go to Applications > Applications.
2. Select Browse App Catalog.
3. In the search field, search for SCIM.
4. Choose SCIM 2.0 Test App (OAuth Bearer Token) and then click Add Integration.
5. Click the Provisioning tab, then click Configure API Integration. Select the Enable API Integration checkbox.
6. In the SCIM 2.0 Base Url field, enter the Tenant URL obtained from the Pharos Cloud web console.
7. In the OAuth Bearer Token field, enter the Token generated from the Pharos Cloud web console.
Note: Use the Tenant URL and Token values obtained in Step 1 of this document. You can get them from the Secure > Advanced > User and Group Sync tab or Direct > Settings tab in the Pharos Cloud web console.
8. Save the changes to apply the settings.
9. In the Provisioning tab, select To App and then click Edit. Enable the following:
- Create Users
- Update User Attributes
- Deactivate Users
Note: The default attribute mappings work with Pharos Cloud SCIM so you do not need to update the mappings.
10. In the Assignments tab, add users or groups as appropriate.
11. Select the Push Groups tab. This will push existing groups in Okta and their memberships to Pharos Cloud.
12. Select Find groups by name to locate groups by name.