Identity as a Service:Sync Okta via SCIM

Last Updated:Mar 31, 2026

Use the System for Cross-domain Identity Management (SCIM) protocol with Alibaba Cloud IDaaS OAuth application authorization to synchronize users and groups from Okta to Alibaba Cloud IDaaS. This keeps identity data in sync during cloud migration without manual account maintenance.

Prerequisites

Before you begin, ensure that you have:

  • Administrator permissions for Alibaba Cloud IDaaS and super administrator permissions for your Okta instance

  • An Okta instance with SCIM 2.0 support enabled

  • An existing EIAM (Employee Identity and Access Management) instance in Alibaba Cloud IDaaS

How it works

The sync flow runs in four stages:

  1. Configure an IDaaS application to expose a SCIM endpoint and generate a Bearer Token.

  2. Create or reuse an Okta application that supports SAML 2.0 single sign-on.

  3. Point Okta's SCIM connector at the IDaaS endpoint using the Bearer Token, then define which users and groups to push.

  4. Verify that accounts and groups appear in IDaaS with a source of SCIM Import.

Step 1: Configure SCIM synchronization in your IDaaS application

  1. Log on to the Alibaba Cloud IDaaS console. In the left navigation pane, click EIAM. On the IDaaS tab, find the target instance and click Console in the Actions column.

  2. Navigate to Application Management > Applications and open the details page for a Standard Protocols or Custom Applications application. To create one, see Create an application.

  3. Configure the sync settings. For details, see Synchronize accounts between IDaaS and applications.

    Important

    Make sure IDaaS API is enabled in the application.

  4. Collect the two values you will need in Step 3.

    Value            Where to find it
    Bearer Token     Provisioning > Synchronize Application to IDaaS > next to Bearer Token, click View, then copy and save the token
    SCIM Base URL    Provisioning > Synchronize Application to IDaaS > copy the value from the SCIM Base URL field
  5. In the left navigation pane, click Sign-In. Under Password Policy > Complexity Rules, set the IDaaS password policy.

Step 2: Create an application in Okta

If you already have an Okta application that supports SAML 2.0 single sign-on, skip to Step 3.

To create a new one, follow Create an application that supports SAML SSO in Okta, then continue to Step 3.

Step 3: Configure SCIM integration in Okta

Enable SCIM

On the Okta application details page, go to the General tab. In App Settings, click Edit, set Provisioning to SCIM, and click Save.


Configure the SCIM connection

  1. On the Provisioning tab, in the SCIM Connection section, click Edit and set the following parameters.

    Parameter                            Value
    SCIM connector base URL              The SCIM Base URL from Step 1
    Unique identifier field for users    userName
    Supported provisioning actions       Select Push New Users, Push Profile Updates, and Push Groups
    Authentication Mode                  HTTP Header
    Authorization                        The Bearer Token from Step 1
  2. Click Test Connector Configuration. The message Connector Configured successfully confirms a working connection.

  3. Click Save.

Configure the user sync policy

  1. Go to Provisioning > To App and click Edit next to Provisioning to App.

  2. Enable Create Users, Update User Attributes, and Deactivate Users.

  3. Configure Sync Password based on your requirements.

    Note

    For password sync to succeed, the Okta password policy must be at least as strict as the IDaaS password policy. For example, if IDaaS requires at least 8 characters including a special character but Okta only requires 6 characters, passwords that don't meet the IDaaS requirements will fail to sync. To set the Okta password policy, go to Security > Authenticators in the Okta Admin Console, find the Password row under Setup, and click Actions > Edit. To set the IDaaS password policy, go to Sign-In > Password Policy > Complexity Rules in the IDaaS console.

    Setting                                        Behavior
    Disabled                                       Okta includes a password field when creating the user via SCIM, but sends a randomly generated placeholder — not the user's actual password. This satisfies the SCIM protocol's field requirement but has no effect on login credentials in IDaaS. Users must set their actual password through a separate reset or password policy. For details, see the Okta SCIM 2.0 User Creation and Password Synchronization Guide.
    Enabled — Sync a randomly generated password   Okta generates a random password for each user and syncs it to IDaaS.
    Enabled — Sync Okta Password                   Syncs the user's Okta login password to IDaaS, so the user logs in with the same password in both systems.
  4. Click Save.
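The note above requires the Okta password policy to be at least as strict as the IDaaS policy before Sync Okta Password can work. The following added example (not Alibaba Cloud's or Okta's code) models both policies as a minimum length plus a set of required character classes, reports where the Okta policy is weaker, and checks sample passwords against each policy. The policy shape and the sample passwords are constructed; the values 8 characters plus a special character (IDaaS) and 6 characters (Okta) are the ones the note uses.

```python
"""Added example: compare an Okta password policy with an IDaaS password policy.
Not the vendors' code; the policy representation and sample data are assumptions."""

import string

# Character classes a complexity rule can require (constructed model)
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def password_meets(policy, password):
    """True when the password satisfies the policy's minimum length and every required class."""
    if len(password) < policy["min_length"]:
        return False
    chars = set(password)
    return all(chars & CHAR_CLASSES[cls] for cls in policy["require"])


def okta_policy_gaps(okta, idaas):
    """List the ways the Okta policy is weaker than the IDaaS policy.

    An empty list means every password Okta accepts also satisfies IDaaS,
    so synced passwords will not be rejected on the IDaaS side."""
    gaps = []
    if okta["min_length"] < idaas["min_length"]:
        gaps.append(f"min_length {okta['min_length']} < {idaas['min_length']}")
    for cls in sorted(idaas["require"] - okta["require"]):
        gaps.append(f"IDaaS requires a {cls} character but Okta does not")
    return gaps


# Constructed policies matching the example in the note above
IDAAS_POLICY = {"min_length": 8, "require": {"special"}}
OKTA_POLICY = {"min_length": 6, "require": set()}

if __name__ == "__main__":
    for gap in okta_policy_gaps(OKTA_POLICY, IDAAS_POLICY):
        print("gap:", gap)
    for pw in ("abc123", "abc123!x"):
        print(pw, "okta:", password_meets(OKTA_POLICY, pw), "idaas:", password_meets(IDAAS_POLICY, pw))
```

Run the gap check after editing either policy; a non-empty result means some passwords Okta accepts will fail to sync, exactly the case the note describes.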

Configure user attribute mapping

Attribute mapping controls which Okta user data gets pushed to IDaaS and how it maps to IDaaS fields.

Synchronize basic attributes

In the Attribute Mappings section on the Provisioning page, click the remove icon on the far right to delete any attribute mappings you don't need. Keep only the mappings shown in the following figure.

[Figure: attribute mappings to keep]

Synchronize custom attributes (optional)

The following example shows how to sync the postalAddress field from Okta to a custom Extended Fields entry in IDaaS named User Address.

1. Add an extended field in IDaaS.

  1. In the IDaaS console, go to Account > Field Management > Extended Fields and click Create Field.

  2. Fill in the field details.

    Field                 Example value
    Field Display Name    User Address
    Field ID              user_address
    Field Type            Input box
  3. On the IDaaS application details page, go to Provisioning > Synchronize Application to IDaaS > Show Advanced Settings and configure the following.

    Setting                  Value
    Custom Field Namespace   urn:ietf:params:scim:schemas:extension:customfield:2.0:User
    Sync Target Field        User Address (user_address)
  4. Click Save.

2. Add an attribute in Okta.

  1. On the Okta Profile Editor page, go to the Attributes section and click Add Attribute.

  2. Fill in the attribute details.

    Field                 Example value
    Display name          User Address
    Variable name         user_address — must match the Field ID in IDaaS
    Data type             string — must match the IDaaS field type
    External name         user_address — must match the Field ID in IDaaS
    External namespace    urn:ietf:params:scim:schemas:extension:customfield:2.0:User — must match the Custom Field Namespace in IDaaS
  3. Click Save.

  4. In the Attributes section, click Mappings. From the panel, select Okta User To [Target Application Name].

  5. At the bottom of the list on the right, find the target attribute (for example, user_address). From the drop-down list on the left, select the Okta field to map from (for example, user.postalAddress).

  6. Click Save Mappings, then click Apply updates.
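To show how the pieces configured in Step 3 fit together (HTTP Header authentication with the Bearer Token, userName as the unique identifier, and the custom extension namespace carrying user_address), the following added example models one SCIM 2.0 user push and the checks the receiving side performs on it. It is not Alibaba Cloud's or Okta's code: the core User schema URN comes from the SCIM 2.0 standard, the custom namespace and field ID come from this page, and the token value, the IDAAS_EXTENDED_FIELDS registry, the in-memory store, and the user data are constructed assumptions. It also reproduces the placeholder-password behaviour described for the Disabled password-sync setting.

```python
"""Added example: one Okta-style SCIM 2.0 user push and its server-side handling.
Not the vendors' code; token, registry and user data are constructed."""

import hmac
import json
import secrets

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Custom Field Namespace from Provisioning > Show Advanced Settings (value from this page)
CUSTOM_NS = "urn:ietf:params:scim:schemas:extension:customfield:2.0:User"

# Constructed: stands in for the Bearer Token copied from Synchronize Application to IDaaS
EXPECTED_TOKEN = "example-bearer-token-not-real"

# Constructed: Extended Fields created under Account > Field Management (Field ID -> Display Name)
IDAAS_EXTENDED_FIELDS = {"user_address": "User Address"}


def build_okta_push(user_name, display_name, postal_address, password=None):
    """Headers and body the Okta connector would POST to <SCIM Base URL>/Users.

    With Sync Password disabled, Okta still sends a password field, but it holds
    a random placeholder rather than the user's real password."""
    body = {
        "schemas": [SCIM_USER_SCHEMA, CUSTOM_NS],
        "userName": user_name,  # Unique identifier field for users
        "displayName": display_name,
        "active": True,
        "password": password or secrets.token_urlsafe(16),
        # External name user_address under External namespace CUSTOM_NS,
        # mapped from user.postalAddress in the Okta Profile Editor
        CUSTOM_NS: {"user_address": postal_address},
    }
    headers = {
        "Authorization": f"Bearer {EXPECTED_TOKEN}",  # Authentication Mode: HTTP Header
        "Content-Type": "application/scim+json",
    }
    return headers, json.dumps(body)


def authorize(headers):
    """Constant-time comparison of the presented Bearer token against the issued one."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, EXPECTED_TOKEN)


def import_user(headers, raw_body, store):
    """Handle one push. `store` maps userName -> imported record.
    Returns (HTTP status, record or error detail)."""
    if not authorize(headers):
        return 401, {"detail": "invalid bearer token"}
    body = json.loads(raw_body)
    if SCIM_USER_SCHEMA not in body.get("schemas", []):
        return 400, {"detail": "missing core User schema"}
    user_name = body.get("userName")
    if not user_name:
        return 400, {"detail": "userName is required"}
    if user_name in store:
        return 409, {"detail": "userName already exists"}  # SCIM uniqueness conflict
    record = {
        "username": user_name,
        "display_name": body.get("displayName"),
        "source": "SCIM Import",  # what Step 4 shows in the Accounts list
        "extended": {},
    }
    # Only field IDs that exist as IDaaS Extended Fields are mapped; others are ignored
    for field_id, value in body.get(CUSTOM_NS, {}).items():
        if field_id in IDAAS_EXTENDED_FIELDS:
            record["extended"][IDAAS_EXTENDED_FIELDS[field_id]] = value
    store[user_name] = record
    return 201, record


if __name__ == "__main__":
    users = {}
    hdrs, payload = build_okta_push("alice@example.com", "Alice Example", "1 Main St")
    print(import_user(hdrs, payload, users))
    print(import_user(hdrs, payload, users))  # second push of the same userName -> 409
```

The Variable name, External name and Field ID must all be user_address and the namespace must match on both sides; a mismatch on either leaves the extended field empty in IDaaS, which is what the last branch of import_user reflects.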

Synchronize users and groups

Synchronize users

  1. On the Okta application details page, go to the Assignments tab and click Assign > Assign to People.

  2. Find the user to sync and click Assign in the corresponding row.

  3. On the Assign [Target Application Name] To People page, adjust attributes as needed, click Save and Go Back, then click Done.

Synchronize groups

  1. On the Okta application details page, go to the Push Groups tab and click Push Groups > Find Groups By Name.

  2. Enter the group name, select the target group, and click Save. When the Push Status changes from Pushing to Active, the group is synced.

Step 4: Verify the synchronization

  1. Log on to the Alibaba Cloud IDaaS console and click Console for the target instance.

  2. In the left navigation pane, go to Account > Accounts and Orgs. Synced users appear in the Account list with Source set to SCIM Import.

    Note

    If you configured custom Extended Fields, click a user's Username to open the User Details page and check the fields under Account Information > Extended Field.

  3. Go to Account > Group. Synced groups appear in the Group list with Source set to SCIM Import.

FAQ

What type of Okta application should I use for SCIM sync?

Select SAML 2.0 when creating the Okta application. This type supports both SAML 2.0 single sign-on and user/group synchronization over SCIM.

How do I trigger Okta user synchronization?

There are three ways sync can happen:

  • Automatic: Sync starts when a user is assigned to the IDaaS application in Okta.

  • Manual push: Go to the Push Groups tab, select a group, and click Save. The sync starts immediately and the status changes from Pushing to Active.

  • Event-driven: When a user's profile changes — such as being added, modified, or deleted — Okta triggers sync automatically based on the Push Profile Updates setting.

Can I delete synced users or groups? What happens if I remove a user's app authorization?

Deleting users or groups in Okta:

If you delete a user or group in Okta, the change syncs to IDaaS according to your configuration. Note that Resource Access Management (RAM) users don't have an enabled or disabled status, so users marked as inactive in Okta are not disabled or deleted in RAM. IDaaS does not support syncing the inactive status from Okta.

Removing app authorization:

If you remove a user's application authorization in Okta, sync stops for that user. The user record in IDaaS is not deleted — it is marked as unauthorized. An administrator must manually remove the user's data (account information, group memberships) from IDaaS.