SCIM provisioning with Okta

Overview

If you use SAML single sign-on (SSO) with Okta, TerraTrue’s SCIM functionality allows you to centralize and automate your users’ lifecycles directly from your identity provider. TerraTrue’s SCIM implementation supports the provisioning, de-provisioning, activation, and suspension of users.

If you prefer to set up SAML SSO with Okta without SCIM provisioning, a TerraTrue admin in your organization should manually provision each user on TerraTrue with the same email address used on Okta.

For more information, see Okta’s detailed configuration guide, or contact us at support@terratrue.com.

Features

SCIM provisioning with Okta supports the following features:

  • Push New Users: New users created through Okta will also be created in TerraTrue.

  • Push Profile Updates: Updates made to the user’s profile through Okta will be pushed to TerraTrue.

  • Push User Deactivation: Deactivating the user or disabling the user’s access to the application through Okta will deactivate and delete the user in TerraTrue. Users can also be suspended, leaving their data intact while disabling the user’s ability to sign in. For both deactivation and suspension, all existing login sessions for that user are terminated.

  • Import Users: New users created in TerraTrue may be imported to Okta.

Prerequisites

Before you proceed further in configuring this method of provisioning, check that the following are all true and reach out to support@terratrue.com with any questions:

  1. You are using TerraTrue with Okta single sign-on. Provisioning may not work correctly when you are using password authentication or Google authentication for your TerraTrue instance.
  2. You hold administrator permissions on TerraTrue, which are required to configure the provisioning settings.
  3. You have the appropriate access to manage the TerraTrue application on Okta.

Configuration Steps

Step 1: Get the SCIM API Key from TerraTrue

In TerraTrue, navigate to Organization Settings > Authentication > SCIM or visit https://launch.terratrue.com/settings/auth/scim.

Next, enable the “SCIM Configuration” toggle and click “Copy API Key” to copy the SCIM API Key.

SCIM Configuration toggle.

Step 2: Configure the TerraTrue application in Okta

Verify username format

Under the “Sign On” application tab in Okta, verify that the “Application username format” is set to “Email” as shown below.

Find applications page with TerraTrue shown.

Enable provisioning

Under the Provisioning application tab in Okta, click on the “Configure API integration” button as seen below and then check the “Enable API integration” checkbox.

Integrations page.

Save the API key in Okta

Paste the API key obtained from the TerraTrue organization settings into the “API Token” field and uncheck the “Import Groups” checkbox. The Provisioning application tab in Okta should then look like the image below. Click the “Save” button and you are done.

Add TerraTrue API token with Okta

Configure provisioning to App

Still under the Provisioning tab, click on “To App” on the “Settings” panel and check the three boxes entitled “Create Users”, “Update User Attributes”, and “Deactivate Users”. Your screen will then look like the image below, and you are done.

Provisioning Okta with TerraTrue

Troubleshooting and Tips

Reach out to support@terratrue.com for help ensuring that your provisioning is working correctly.

TerraTrue keeps a revision history of all changes to a user's account. Any TerraTrue administrator can view it at the link below. All user changes made as a result of SCIM provisioning are shown with “Scim System User” in the Actor column.

https://launch.terratrue.com/settings/history

Lastly, TerraTrue sets the user's display name from the first name and last name received during the first user sync. An administrator can make subsequent changes to the user's display name in the user organization settings.