
Identity as a Service:Synchronize Okta users or groups by using SCIM

Last Updated:Dec 08, 2025

To reduce maintenance and management costs during cloud migration, organizations often synchronize accounts from internal systems to the cloud. You can use the System for Cross-domain Identity Management (SCIM) protocol, together with the OAuth application authorization of Alibaba Cloud IDaaS, to synchronize users or groups from Okta to Alibaba Cloud IDaaS. This process helps you achieve unified identity management.

Scope

  • Permissions: Administrator permissions for Alibaba Cloud IDaaS and super administrator permissions for your Okta instance.

  • Environment: Your Okta instance must have SCIM 2.0 support enabled. An EIAM instance of Alibaba Cloud IDaaS must be created.

Step 1: Configure SCIM synchronization in your IDaaS application

  1. Log on to the Alibaba Cloud IDaaS console. In the navigation pane on the left, click EIAM. In the instance list on the IDaaS tab, find the target instance and click Manage in the Actions column.

  2. On the IDaaS page, in the navigation pane on the left, choose Application Management > Applications. Find the Standard Protocols or Custom Applications application and open its details page. To create a Standard Protocols or Custom Applications application, see Create an application.

  3. On the application details page, configure the settings. For more information, see Synchronize accounts between IDaaS and applications.

    Important

    Ensure that IDaaS API is enabled in the IDaaS application.

  4. On the application details page, obtain the following information:

    • Bearer Token: Go to Provisioning > Synchronize Application to IDaaS. Next to Bearer Token, click View. Copy and save the displayed token.

    • SCIM Base URL: Go to Provisioning > Synchronize Application to IDaaS. Copy the URL from the SCIM Base URL field.

  5. In the navigation pane on the left, click Sign-In. On the page that appears, go to Password Policy > Complexity Rules and set a password policy as needed.

    Note

    To ensure successful password synchronization, the password policy in Okta must be stricter than or equal to the password policy in IDaaS. For example, if IDaaS requires a password of at least 8 characters including special characters, but Okta only requires 6 characters, passwords that do not meet the IDaaS requirements will fail to synchronize. Therefore, before you enable password synchronization, make sure the Okta password policy meets all IDaaS requirements.

Step 2: Create an application in Okta

Step 3: Configure SCIM integration in Okta

Enable SCIM configuration

Go to the details page of the Okta application. On the General tab, in the App Settings section, click Edit in the upper-right corner. Set Provisioning to SCIM (System for Cross-domain Identity Management). Then, click Save.

Configure the SCIM connection

  1. Configure the connection information.

    On the Provisioning tab, in the SCIM Connection section, click Edit and configure the following parameters.

    • SCIM connector base URL: Enter the SCIM Base URL that you obtained in Step 1.

    • Unique identifier field for users: Enter userName.

    • Supported provisioning actions: Select Push New Users, Push Profile Updates, and Push Groups to enable pushing new users, profile updates, and group information.

    • Authentication Mode: Select HTTP Header.

    • Authorization: Set the value to the Bearer Token that you obtained in Step 1.

  2. Test the connection.

    Click Test Connector Configuration. The message Connector Configured successfully indicates a successful connection.

  3. After the test succeeds, click Save.

Configure the user synchronization policy

  1. Go to Provisioning > To App. To the right of Provisioning to App, click Edit.

  2. Enable Create Users, Update User Attributes, and Deactivate Users.

  3. Configure the Sync Password setting.

    • If this option is disabled, Okta generates a random password for the user and synchronizes it to the target application.

    • If enabled, select a Password type.

      • Sync a randomly generated password: Okta generates a random password for the user and synchronizes it to the target application.

      • Sync Okta Password: Synchronizes the user's Okta account logon password to the target application. This allows the user to use the same password for both Okta and the target application.

  4. Confirm and set the Okta password policy.

    In the navigation pane on the left, go to Security > Authenticators. Under Setup, find the row where Name is Password and click Actions > Edit to set the password policy.

    Note

    To ensure successful password synchronization, the password policy in Okta must be stricter than or equal to the password policy in IDaaS. For example, if IDaaS requires a password of at least 8 characters including special characters, but Okta only requires 6 characters, passwords that do not meet the IDaaS requirements will fail to synchronize. Therefore, before you enable password synchronization, make sure the Okta password policy meets all IDaaS requirements.

  5. When you are finished, click Save.
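The notes in Step 1 and in step 4 above both state the same precondition for password synchronization: every password that Okta accepts must also satisfy the IDaaS complexity rules, otherwise the push fails for that user. The following check is an added example, not part of the Alibaba Cloud or Okta documentation. It uses an assumed, simplified model of a complexity policy (minimum length plus required character classes) and reports which IDaaS requirements the Okta policy does not enforce, using the page's own 8-characters-with-special versus 6-characters scenario as sample input.

```python
"""Compare an Okta (source) password policy against an IDaaS (target) policy.

Added example; the PasswordPolicy fields are an assumed simplification of the
console settings, not the products' own configuration schema.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False


# Human-readable names for the boolean requirements, used in gap reports.
_CLASS_NAMES = {
    "require_upper": "uppercase letter",
    "require_lower": "lowercase letter",
    "require_digit": "digit",
    "require_special": "special character",
}


def policy_gaps(source: PasswordPolicy, target: PasswordPolicy) -> list[str]:
    """Return the target requirements the source policy does not guarantee.

    An empty list means the source is at least as strict as the target, so any
    password accepted by the source will also be accepted by the target.
    """
    gaps = []
    if source.min_length < target.min_length:
        gaps.append(
            f"minimum length {source.min_length} is below required {target.min_length}"
        )
    for attr, label in _CLASS_NAMES.items():
        if getattr(target, attr) and not getattr(source, attr):
            gaps.append(f"{label} is required by target but not enforced by source")
    return gaps


def satisfies(password: str, policy: PasswordPolicy) -> bool:
    """Check one concrete password against a policy (what the target applies on push)."""
    if len(password) < policy.min_length:
        return False
    checks = [
        (policy.require_upper, any(c.isupper() for c in password)),
        (policy.require_lower, any(c.islower() for c in password)),
        (policy.require_digit, any(c.isdigit() for c in password)),
        (policy.require_special, any(c in string.punctuation for c in password)),
    ]
    return all(present for required, present in checks if required)


# Constructed sample policies matching the scenario described in the note.
IDAAS_POLICY = PasswordPolicy(min_length=8, require_special=True)
OKTA_WEAK_POLICY = PasswordPolicy(min_length=6)
OKTA_ALIGNED_POLICY = PasswordPolicy(min_length=8, require_special=True)


if __name__ == "__main__":
    for name, okta in (("weak", OKTA_WEAK_POLICY), ("aligned", OKTA_ALIGNED_POLICY)):
        gaps = policy_gaps(okta, IDAAS_POLICY)
        status = "compatible" if not gaps else "will fail: " + "; ".join(gaps)
        print(f"Okta {name} policy -> {status}")
```

Run the comparison before enabling Sync Okta Password; a non-empty gap list means some users' pushes would be rejected by IDaaS, and the fix is to tighten the Okta policy until the list is empty.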

Configure user attribute mapping

Attribute mapping allows Okta to push user data to IDaaS to automatically configure and update user information. In the Attribute Mappings section on the Provisioning page, perform the following steps.

Synchronize basic attributes

In the attribute mapping list, click the delete icon on the far right to remove irrelevant attribute mappings. Keep only the attribute mappings shown in the following figure.

Synchronize other attributes (Optional)

Note

You can configure this setting as needed. The following example shows how to synchronize the postalAddress field of an Okta user to the User Address Extended Fields in IDaaS.

  1. Add an extended field in IDaaS.

    1. In the IDaaS management console, navigate to Account > Field Management > Extended Fields and click Create Field.

    2. Configure the field information.

      • Field Display Name: The name that appears on pages, such as the user information page, to facilitate viewing and management. For example: User Address.

      • Field ID: The unique system identifier for the field. For example: user_address.

      • Field Type: The type of input field, such as an input box.

    3. On the IDaaS application details page, navigate to Provisioning > Synchronize Application to IDaaS > Show Advanced Settings and set the following parameters.

      • Custom Field Namespace: Set to urn:ietf:params:scim:schemas:extension:customfield:2.0:User.

      • Sync Target Field: Specify one or more target fields for synchronization, such as User Address (user_address).

    4. Click Save.

  2. Add an attribute mapping in Okta.

    1. On the Okta Profile Editor page, in the Attributes section, click Add Attribute.

    2. Set the attribute information.

      • Display name: The name of the attribute that is displayed in the Okta management interface. For example: User Address.

      • Variable name: The unique, immutable identifier used in the Okta system for API and expression references. This must be consistent with the Field ID in IDaaS. For example: user_address.

      • Data type: The data type of the attribute. This must match the data type of the corresponding field in IDaaS. For example: string.

      • External name: The name of the corresponding field in the external system. This must match the Field ID in IDaaS, for example, user_address.

      • External namespace: A unique identifier that specifies the schema or standard for the External name to prevent naming conflicts. The value must be consistent with the Custom Field Namespace set in the IDaaS application. Set the namespace to urn:ietf:params:scim:schemas:extension:customfield:2.0:User.

    3. Click Save.

    4. Set the attribute mapping.

      1. In the Attributes section, click Mappings. From the panel that opens, select Okta User To [Target Application Name].

      2. At the bottom of the list on the right, find the target attribute (for example, user_address). From the drop-down list on the left, select the Okta user information field (for example, user.postalAddress).

      3. Click Save Mappings, and then click Apply updates.

Synchronize users and groups

  • Synchronize users.

    1. Go to the details page of the Okta application. On the Assignments tab, click Assign > Assign to People.

    2. Find the user that you want to synchronize and click Assign in the corresponding row.

    3. On the Assign [Target Application Name] To People page, modify the attributes as needed. Then, click Save and Go Back and click Done.

  • Synchronize groups.

    1. Go to the Okta application details page, select the Push Groups tab, and then click Push Groups > Find Groups By Name.

    2. Enter the group name, select the target group, and click Save. When the Push Status changes from Pushing to Active, the group is synchronized.

Step 4: Verify the synchronization

  1. Log on to the Alibaba Cloud IDaaS console. Click Manage for the target instance to go to the IDaaS management console.

  2. In the left navigation pane, click Account > Accounts and Orgs. You can view the synchronized users in the Account list. Their Source is displayed as SCIM Import.

    Note

    If you have configured Extended Fields to sync from Okta to IDaaS, you can click a user's Username to go to the User Details page. You can view the fields in the Account Information > Extended Field section.

  3. In the navigation pane on the left, click Account > Group to view the synchronized groups in the Group list on the right. The Source for these groups is SCIM Import.

FAQ

What type of Okta application should be created for synchronization?

When creating an application in Okta for synchronization with Alibaba Cloud IDaaS, you should select the SAML 2.0 integration application type. This type of application enables synchronization of users and groups through the System for Cross-domain Identity Management protocol.

If the Okta password synchronization option is not selected, will passwords still be synchronized?

In Okta, if the password synchronization option is not selected, actual user passwords will not be synchronized, but the user creation request will still include a placeholder password field. For more information, see Okta SCIM 2.0 User Creation and Password Synchronization Guide.

  1. Placeholder parameter, not the actual password

    If password synchronization is not enabled, when Okta creates users through the SCIM protocol, it sends a password field. However, this value is a randomly generated placeholder and not the user's actual password, with no security sensitivity.

  2. Independence of the password synchronization feature

    If password synchronization is enabled, administrators need to select the synchronization mode (synchronize Okta's real password or a random password). Okta will synchronize the user's password selection method to the target application to achieve unified authentication.

  3. Compatibility and protocol requirements

    Some implementations of the SCIM protocol (especially older systems) may require that the password field be included in the request, even if synchronization is not needed. Okta satisfies this format requirement through placeholders to avoid protocol errors.

  4. Impact on actual use

    1. User authentication: The password authentication process of the target application is not affected by this placeholder. Users need to set their actual password through other methods (such as manual reset, independent password policy).

    2. Security: The placeholder password has no practical significance and will not leak or match the user's real credentials, so no additional processing is required.

What is the logic of Okta password synchronization? How are synchronization failures due to inconsistent password strength handled?

When Okta synchronizes users to IDaaS through SCIM, the password synchronization logic is as follows:

  1. Password synchronization options: In the Provisioning configuration in Okta, there is an option called Password type with a choice of Sync Password. If this option is selected, when a user's password is updated in Okta, it will automatically synchronize to IDaaS. If not selected, passwords will not be synchronized.

  2. Password policy consistency requirements: To ensure successful password synchronization, the password policies of Okta and IDaaS must be consistent. For example, if Okta's password requirement is 8 or more characters including special characters, while IDaaS has a weaker password policy (such as 6 characters without special characters), synchronization may fail. Therefore, it is recommended to adjust both password policies to be consistent before configuration.

  3. Solution: Adjust the password policy. Configure IDaaS according to Okta's password policy, or adjust Okta based on IDaaS's policy.

How to trigger Okta user synchronization?

There are several ways to trigger user synchronization, including the following:

  1. Automatic synchronization: After configuration is complete, by default, Okta automatically triggers user synchronization when users are assigned to the application.

  2. Manual push: Administrators can manually trigger synchronization of users or groups through the Okta interface. For example, click the Push Groups tab, select a group, and click Save. The system will automatically start synchronization and change the status from Pushing to Active.

  3. Event-driven synchronization: When user attributes change (such as additions, modifications, deletions), Okta automatically triggers synchronization based on the configured Push Profile Updates option.

Is it possible to delete synchronized Okta users or groups? What happens when authorization synchronization is canceled?

Deleting users or groups and canceling authorization synchronization work as follows:

  1. Deleting users or groups:

    1. If a user or group is deleted in Okta, this change will be synchronized to IDaaS according to the configuration. However, it should be noted that RAM users do not have an enable/disable status, so even if users are marked as "Inactive" in Okta, they will not be disabled or deleted in RAM.

    2. Note: IDaaS does not support direct synchronization of the "Inactive" status from Okta, so users synchronized to RAM remain unchanged.

  2. Canceling authorization synchronization:

    1. If application authorization for a user is canceled in Okta, that user will no longer be synchronized to IDaaS. In this case, the corresponding user record in IDaaS will not be deleted but will be marked as unauthorized.

    2. After cancellation of authorization, the user's related data (such as account information, group information, etc.) will remain in IDaaS, and administrators need to manually clean up this data.