SCIM provisioning with Okta

Overview

If you use SAML single sign-on (SSO) with Okta, TerraTrue’s SCIM functionality allows you to centralize and automate your users’ lifecycles directly from your identity provider. TerraTrue’s SCIM implementation supports the provisioning, de-provisioning, activation, and suspension of users.
If you prefer to set up SAML SSO with Okta without SCIM provisioning, a TerraTrue admin in your organization should manually provision each user on TerraTrue with the same email address used on Okta.

For more information, see Okta’s detailed configuration guide, or contact us at support@terratrue.com.

 

Features

The following provisioning features are supported:

  • Push New Users
    • New users created through Okta will also be created in TerraTrue.
  • Push Profile Updates
    • Updates made to the user's profile through Okta will be pushed to TerraTrue.
  • Push User Deactivation
    • Deactivating the user or disabling the user's access to the application through Okta will deactivate (delete) the user in TerraTrue. Users can also be suspended, leaving their data intact but the user unable to sign in. For both deactivation and suspension, all existing login sessions for that user are terminated.
  • Import Users
    • New users created in TerraTrue may be imported to Okta.

 

Prerequisites

Before you proceed further in configuring this method of provisioning, check that the following are all true and reach out to support@terratrue.com with any questions:

  1. You are using TerraTrue with Single-Sign-On on Okta. Provisioning may not work correctly when you are using password authentication or Google authentication for your TerraTrue instance.
  2. You are an administrator on TerraTrue, so that you have access to configure the provisioning settings.
  3. You have the appropriate access to manage the TerraTrue application on Okta.

 

Configuration Steps

  1. Get the SCIM API Key from TerraTrue
  2. Configure the TerraTrue application in Okta
  • Verify username format:
    • Under the “Sign On” application tab in Okta, verify that the “Application username format” is set to “Email” as shown below.
  • Enable provisioning:
    • Under the Provisioning application tab in Okta, click on the “Configure API integration” button as seen below and then check the “Enable API integration” checkbox.
  • Save the API key in Okta:
    • Paste the API key obtained from the TerraTrue org setting into the API Token field and uncheck the “Import Groups” checkbox. The Provisioning application tab in Okta would then look like the below. Click the 'Save' button and you are done.

 

  • Configure provisioning to App
    • Still under the Provisioning tab, click on “To App” on the “Settings” panel and check the three boxes entitled Create Users, Update User Attributes, and Deactivate Users. Your screen will then look like the below. Click the 'Save' button and you are done.

 

Troubleshooting and Tips

Reach out to support@terratrue.com for help ensuring that your provisioning is working correctly.

TerraTrue provides a revision history of all changes to a user's account visible to any TerraTrue administrator at the link below. All user changes made as a result of SCIM provisioning will be shown with the Actor column being “Scim System User.”

Lastly, TerraTrue sets the user's display name based on the first name and last name received during the first user sync. Subsequent changes to the user's display name may be made by an administrator in the user org setting.
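
One way to check that provisioning is working, as an added example that is not TerraTrue's or Okta's own code: compare the users assigned to the app in Okta with the users in TerraTrue, matched on email address, and list revision-history rows whose Actor is not “Scim System User.” The export shapes and field names (email, status, state, user, actor) are assumptions; the status values are Okta user statuses.

```python
# Added example: field names and export shapes below are assumptions,
# not a documented TerraTrue or Okta export format.
SCIM_ACTOR = "Scim System User"  # Actor value the article gives for SCIM changes

def normalize(email):
    # Accounts are matched on email address; compare case-insensitively.
    return email.strip().lower()

def reconcile(okta_users, terratrue_users):
    """Return emails whose TerraTrue account disagrees with Okta."""
    okta = {normalize(u["email"]): u["status"] for u in okta_users}
    app = {normalize(u["email"]): u["state"] for u in terratrue_users}
    findings = {"stale_access": [], "not_in_okta": [], "not_provisioned": []}
    for email, state in app.items():
        if email not in okta:
            findings["not_in_okta"].append(email)      # candidate for Import Users
        elif state == "active" and okta[email] != "ACTIVE":
            findings["stale_access"].append(email)     # can still sign in
    for email, status in okta.items():
        if status == "ACTIVE" and email not in app:
            findings["not_provisioned"].append(email)  # push did not land
    return {kind: sorted(emails) for kind, emails in findings.items()}

def manual_changes(revision_rows):
    """Return revision-history rows whose actor is not the SCIM system user."""
    return [row for row in revision_rows if row["actor"] != SCIM_ACTOR]

# Constructed sample data (not real accounts).
OKTA_USERS = [
    {"email": "Ana@Example.com", "status": "ACTIVE"},
    {"email": "bo@example.com", "status": "DEPROVISIONED"},
    {"email": "cy@example.com", "status": "SUSPENDED"},
    {"email": "di@example.com", "status": "ACTIVE"},
]
TERRATRUE_USERS = [
    {"email": "ana@example.com", "state": "active"},
    {"email": "bo@example.com", "state": "active"},
    {"email": "cy@example.com", "state": "suspended"},
    {"email": "eve@example.com", "state": "active"},
]
REVISIONS = [
    {"user": "ana@example.com", "actor": "Scim System User"},
    {"user": "eve@example.com", "actor": "admin@example.com"},
]

if __name__ == "__main__":
    print(reconcile(OKTA_USERS, TERRATRUE_USERS))
    print(manual_changes(REVISIONS))
```

An entry under stale_access is the one to act on first: the account can still sign in to TerraTrue although the identity is no longer active in Okta.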
