User Provisioning with Okta (SCIM)

Note: you must be the Okta admin user and a Simpplr Application manager to complete these steps.

We'll need to access our Simpplr app first as the Application manager. 

  1. In Simpplr, from your user profile image, click Manage > Application > Integrations > People Data.
  2. Select Okta > Provisioning.
  3. Click Save. Simpplr then provides you with a token. This token is only visible once: if the page is refreshed or exited, it will not be displayed again. If a new token is required, uncheck the provisioning checkbox, select it again and click Save. This will create a new token and invalidate the old ones. Copy the token and paste it somewhere you can access later on. We'll need it in a later step in the Okta application.

Now we're ready to open Okta. You will need administrator access to complete the next steps.

  1. In the left hand navigation, click Applications > Applications. Now either select an existing application (if Simpplr has already been added) or create one.
  2. To create a new application:
    1. In the Applications page, click on Create App Integration.
    2. Select SAML 2.0 and click on Next.
    3. Enter the App name. This can be your intranet name, or "Simpplr". Call it anything you'd like, as long as you'll remember it. Then click Next.
    4. Now we need to enter some URL information. Copy your Simpplr home page URL and paste it into the Single sign-on URL box in Okta. Suppose the base URL of your Simpplr environment is https://domainname.com. Add api. before the first part of the domain, then add /v1/identity/accounts/login/saml after the last part. The final result should look like this: https://api.domainname.com/v1/identity/accounts/login/saml. Copy and paste your updated URL somewhere you have easy access to later on. We will need it in the setup of the application.
    5. Ensure that the updated URL is pasted in the Single sign-on URL, Audience URI (SP EntityID), and Default RelayState boxes. Select EmailAddress in the Name ID format dropdown, and Okta username in Application username.
    6. Scroll down and click Next.
    7. From the next page, select I'm an Okta customer adding an internal app and then Finish.
  3. In the General tab, click Edit in App Settings section.
  4. Where you see Provisioning, check the circle for SCIM, or Enable SCIM provisioning.
  5. Click Save.
  6. The page will reload and then you will see a Provisioning tab at the top navigation bar. Click the Provisioning tab.
  7. In SCIM Connection, click Edit.
  8. In SCIM connector base URL, enter the URL you created above.
  9. In Unique identifier field for users, enter email.
  10. In Supported provisioning actions, select all appropriate options (the preferred selections are: Import New Users and Profile Updates, Push New Users, Push Profile Updates).
  11. In Authentication Mode, Select HTTP header from the dropdown.
  12. In Authorization, paste the token you got from Simpplr when setting up the Okta application for provisioning.
  13. Click Test Connector Configuration. On successful connection, Okta displays a confirmation message. Click Close, then Save.
  14. Now again in the Provisioning tab, in the To App section, click on Edit.
  15. In Provisioning to App section, enable the required options. The preferred options to enable are:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  16. Scroll down and click Save.
  17. Now click on Applications in the Applications section in the left sidebar.
  18. Select your application. Go to the Provisioning tab, and in the To Okta section, scroll down and click Go To Profile Editor.
  19. Here we will map the previously created role field to the application. To do this, click Add Attribute.
  20. Fill the form with the following values and click Save:
    • Data type: String
    • Display name: Role
    • Visible name: role
    • External name : roles.^[primary==true].value
    • External namespace : urn:ietf:params:scim:schemas:core:2.0:User
    • Description: Simpplr application user roles (Preferred)
    • Select the checkbox for Define enumerated list of values in the Enum section.
    • In Attribute members, enter the following:
      • Display name: End User, Value: End User
      • Display name: Application Manager, Value: Application Manager
    • Attribute Required: Yes
  21. C

Now we need to add a mobile number field in Okta. Once again, click on Add attribute.

  1. Fill the form with the following:
    • Data type: String
    • Display name: mobile
    • Visible name: mobile
    • External name: phoneNumbers.^[type==mobile].value
    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    • Description: Mobile number of the user (Preferred)
  2. Click on Save.
  3. Click on Mappings.
  4. Go to the second tab, i.e. Okta user to <your application name>.
  5. Find mobile in right column and select user.mobilePhone in the left column.
  6. Click Save mappings and Apply update now.
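
The two External name values above (roles.^[primary==true].value and phoneNumbers.^[type==mobile].value) select one entry from a multi-valued SCIM attribute. The following is an added example, not Simpplr or Okta code: it resolves both expressions against a constructed SCIM 2.0 User and checks the role against the enum from the Role attribute form. It assumes ^[...] means "first matching entry"; the sample user and function names are hypothetical.

```python
import json
import re

# Enum values entered in the Role attribute form above.
ALLOWED_ROLES = {"End User", "Application Manager"}

# Constructed sample: a SCIM 2.0 core User resource (not captured traffic).
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jane.doe@example.com",
  "emails": [{"value": "jane.doe@example.com", "primary": true}],
  "roles": [
    {"value": "End User", "primary": false},
    {"value": "Application Manager", "primary": true}
  ],
  "phoneNumbers": [
    {"value": "+1-555-0100", "type": "work"},
    {"value": "+1-555-0101", "type": "mobile"}
  ]
}
""")

# Matches external names of the form attr.^[key==val].field
_PATH = re.compile(r"^(\w+)\.\^\[(\w+)==(\w+)\]\.(\w+)$")

def resolve(user, external_name):
    """Return `field` of the first entry in user[attr] whose `key` equals `val`."""
    m = _PATH.match(external_name)
    if not m:
        raise ValueError(f"unsupported external name: {external_name}")
    attr, key, want, field = m.groups()
    want = {"true": True, "false": False}.get(want, want)  # JSON booleans
    for item in user.get(attr, []):
        if item.get(key) == want:
            return item.get(field)
    return None

def check_user(user):
    """Resolve the mapped role and list findings that would affect provisioning."""
    findings = []
    role = resolve(user, "roles.^[primary==true].value")
    if role is None:
        findings.append("no primary role (attribute is required)")
    elif role not in ALLOWED_ROLES:
        findings.append(f"role {role!r} not in enum")
    if resolve(user, "phoneNumbers.^[type==mobile].value") is None:
        findings.append("no mobile number to map")
    return role, findings
```

Only the entry marked primary decides the role, so a user carrying Application Manager as the primary role is provisioned with that role even when End User is also listed.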

To assign or to provision using SCIM, from the Okta home page, go to Applications > Applications in the left sidebar.

  1. Click on Assignments.
  2. Click the Assign button.
  3. Select Assign to People.
  4. Select the person and click Assign, then Save. Then head back and click Done.
  5. Refresh the page. If there is no red symbol on the user you have assigned, it means the provisioning is successful.
  6. You can click on View logs in the application home page to see the failure log if the assignment fails.

To disconnect Okta SCIM, follow these steps:

    1. Go to Simpplr as the Application manager. Click on Manage > Applications > Integrations > People Data.
    2. Uncheck the Provisioning box in Okta.
    3. Click Save.
    4. Head back to Okta as the Okta admin user.
    5. Go to Applications > Applications from the left sidebar and then click the General tab.
    6. In the App Settings section, click Edit.
    7. Uncheck the Enable SCIM Provisioning box in the Provisioning section.
    8. Click on Save, then click Remove provisioning.