This topic describes how to synchronize users or groups in Okta to CloudSSO by using System for Cross-domain Identity Management (SCIM).

Background information

Assume that an enterprise uses Okta as a local identity provider (IdP) that contains a large number of users and the enterprise has built a multi-account structure in a resource directory. The enterprise wants to configure settings to synchronize users or groups in Okta to CloudSSO. This way, the users of Okta can access specific resources within the specified member accounts in the resource directory by using the username-password or SSO logon method.

We recommend that you first configure SSO logon and use the CloudSSODemo application and SCIM to synchronize users or groups. For more information, see Configure SSO logon from Okta.

Step 1: Create SCIM credentials in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, click Generate SCIM Credential.
  4. In the SCIM Credential Generated dialog box, copy the generated SCIM credential and click Close.
  5. Optional: In the User Synchronization Configuration section of the Settings page, click Generate New SCIM Credential to create a second SCIM credential.

Step 2: Enable SCIM synchronization in the CloudSSO console

  1. Log on to the CloudSSO console.
  2. In the left-side navigation pane, click Settings.
  3. In the User Synchronization Configuration section of the Settings page, turn on the SCIM Synchronization Disabled switch. After you turn on the switch, SCIM synchronization is enabled.

Step 3: Enable SCIM provisioning for an application in Okta

Note: The following procedure describes how to enable SCIM provisioning for the CloudSSODemo application created in Configure SSO logon from Okta.
  1. Log on to the Okta portal.
  2. In the upper-right corner of the Okta portal, click the account name and select Your Org from the drop-down list.
  3. In the left-side navigation pane, choose Applications > Applications.
  4. On the Applications page, click CloudSSODemo.
  5. On the CloudSSODemo details page, click the General tab.
  6. In the App Settings section, click Edit.
  7. Select Enable SCIM provisioning and click Save.
    After the page is refreshed, you can configure SCIM synchronization on the Provisioning tab.

Step 4: Configure SCIM synchronization in Okta

  1. On the CloudSSODemo details page, click the Provisioning tab.
  2. In the SCIM Connection section, click Edit.
  3. Configure SCIM synchronization.
    1. In the SCIM connector base URL field, enter a URL. You can obtain the URL in the SCIM Endpoint section on the Settings page of the CloudSSO console.
    2. In the Unique identifier field for users field, enter userName.
    3. Select Import New Users and Profile Updates, Push New Users, Push Profile Updates, and Push Groups for Supported provisioning actions.
    4. Set Authentication Mode to HTTP Header.
    5. In the Authorization field, enter the required SCIM credential.
      You can obtain the SCIM credential on the Settings page of the CloudSSO console. For more information, see Manage SCIM credentials.
    6. Click Test Connector Configuration.
    7. In the Test Connector Configuration dialog box, view the test results and click Close.
    8. If the test succeeds, click Save. If the test fails, modify the configuration or contact Okta technical support, and retry until the test succeeds.
  4. In the Provisioning to App section of the To App page, click Edit.
  5. Select Enable for Create Users, Update User Attributes, and Deactivate Users. Then, click Save.
  6. In the CloudSSODemo Attribute Mappings section of the To App page, configure attribute mappings.
    Retain only the attribute mappings shown in the following figure and delete all other attribute mappings.
    [Figure: SCIM attribute mappings]
  7. Optional: Click the Push Groups tab to synchronize groups.
    After you complete the preceding configurations, the users in Okta are automatically synchronized to CloudSSO. If you still want to synchronize the groups that have been assigned to the CloudSSODemo application, perform the following steps:
    1. In the Push Groups to CloudSSODemo section, click Push Groups and select the method to search for groups.
      The Find groups by name and Find groups by rule options are supported. In this example, select Find groups by name.
    2. Enter the name of a group.
    3. Click Save.
    4. Wait until the synchronization is complete. Then, view the synchronization results.
      If Push Status changes from Pushing to Active, the group is synchronized.
      Note: If not all users in the group are synchronized to CloudSSO, you can select Push Now in the Push Status drop-down list to synchronize the users in the group again.

If an issue occurs during the synchronization, you can click View Logs to view the logs and address the issue.
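
The provisioning actions enabled in Step 4 correspond to standard SCIM 2.0 calls (RFC 7643/7644). The following sketch is an added example, not code from Okta or CloudSSO: it builds those requests offline so you can see what the connector is authorized to do and where the credential travels. The base URL is a placeholder, the Bearer scheme and function names are assumptions, and the exact requests Okta emits may differ.

```python
import json
from urllib.parse import quote, urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(method, base_url, path, credential, body=None):
    """Describe one SCIM call; never pair the credential with a non-HTTPS URL."""
    if urlparse(base_url).scheme != "https":
        raise ValueError("SCIM connector base URL must use https")
    headers = {"Authorization": f"Bearer {credential}",  # Bearer scheme: assumption
               "Accept": "application/scim+json"}
    if body is not None:
        headers["Content-Type"] = "application/scim+json"
    return {"method": method, "url": base_url.rstrip("/") + path,
            "headers": headers,
            "body": None if body is None else json.dumps(body)}


def find_by_username(base_url, credential, user_name):
    # Lookup on the unique identifier configured in Step 4 (userName).
    # json.dumps quotes and escapes the value so it cannot alter the filter.
    flt = quote(f"userName eq {json.dumps(user_name)}", safe="")
    return scim_request("GET", base_url, f"/Users?filter={flt}", credential)


def create_user(base_url, credential, user_name):
    # Corresponds to Create Users / Push New Users.
    body = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True}
    return scim_request("POST", base_url, "/Users", credential, body)


def deactivate_user(base_url, credential, scim_id):
    # Corresponds to Deactivate Users: the account is set inactive, not deleted.
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
    path = "/Users/" + quote(scim_id, safe="")
    return scim_request("PATCH", base_url, path, credential, body)


def redact(request):
    """Copy of a request that is safe to log: the credential is masked."""
    headers = dict(request["headers"], Authorization="Bearer ***")
    return dict(request, headers=headers)
```

Because the SCIM credential is a bearer secret that can create and deactivate users, log only the output of redact() and rotate the credential from the CloudSSO Settings page if it is ever exposed.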

Verify the synchronization results

  1. Log on to the CloudSSO console.
  2. On the User or Group page, view the synchronized users or groups.

    The Source for these users or groups is automatically displayed as SCIM Synchronization.

    For more information, see View user information and View the basic information about a group.