Overview
If you use SAML single sign-on (SSO) with Okta, TerraTrue’s SCIM functionality allows you to centralize and automate your users’ lifecycles directly from your identity provider. TerraTrue’s SCIM implementation supports the provisioning, de-provisioning, activation, and suspension of users.
If you prefer to set up SAML SSO with Okta without SCIM provisioning, a TerraTrue admin in your organization should manually provision each user on TerraTrue with the same email address used on Okta.
For more information, see Okta’s detailed configuration guide, or contact us at support@terratrue.com.
Features
SCIM provisioning with Okta supports the following features:
- Push New Users: New users created through Okta will also be created in TerraTrue.
- Push Profile Updates: Updates made to the user’s profile through Okta will be pushed to TerraTrue.
- Push User Deactivation: Deactivating the user or disabling the user’s access to the application through Okta will deactivate and delete the user in TerraTrue. Users can also be suspended, leaving their data intact while disabling the user’s ability to sign in. For both deactivation and suspension, all existing login sessions for that user are terminated.
- Import Users: New users created in TerraTrue may be imported to Okta.
Prerequisites
Before you proceed further in configuring this method of provisioning, check that the following are all true and reach out to support@terratrue.com with any questions:
- You are using TerraTrue with Okta single sign-on. Provisioning may not work correctly when you are using password authentication or Google authentication for your TerraTrue instance.
- You hold administrator permissions on TerraTrue, which are required to configure the provisioning settings.
- You have the appropriate access to manage the TerraTrue application on Okta.
Configuration Steps
Step 1: Get the SCIM API Key from TerraTrue
In TerraTrue, navigate to Organization Settings > Authentication > SCIM or visit https://launch.terratrue.com/settings/auth/scim.
Next, enable the “SCIM Configuration” toggle and click “Copy API Key” to copy the SCIM API Key.
Step 2: Configure the TerraTrue application in Okta
Verify username format
Under the “Sign On” application tab in Okta, verify that the “Application username format” is set to “Email’ as shown below.
Enable provisioning
Under the Provisioning application tab in Okta, click on the “Configure API integration” button as seen below and then check the “Enable API integration” checkbox.
Save the API key in Okta
Paste the API key obtained from the TerraTrue org setting into the API Token field and uncheck the “Import Groups” checkbox. The Provisioning application tab in Okta would then look like the below. Click the 'Save' button and you are done.
Configure provisioning to App
Still under the Provisioning tab, click on “To App” on the “Settings” panel and check the three boxes entitled Create Users, Update User Attributes, and Deactivate Users. Your screen will then look like the below and you are done.
Troubleshooting and Tips
Reach out to support@terratrue.com for help ensuring that your provisioning is working correctly.
TerraTrue provides a revision history of all changes to a user's account visible to any TerraTrue administrator at the link below. All user changes made as a result of SCIM provisioning will be shown with the Actor column being “Scim System User.”
https://launch.terratrue.com/settings/history
Lastly, TerraTrue sets the user's display name based on the first name and last name received during the first user sync. Subsequent changes to the user's display name may be made by an administrator in the user org setting.