Skip to main content

How to configure SCIM 2.0 with Okta

Rhombus Support
  • Updated

In this article we will discuss how to setup SCIM user provisioning with Okta:

Note: The SSO setup needs to be completed prior to this SCIM setup. You can find that article here: Setting up SSO with Okta

 

Steps

1. Navigate to the 'Provisioning' tab at the top of the Rhombus Systems application you created in the Setting up SSO with Okta article by going to Applications -> Rhombus Systems -> Provisioning

mceclip1.png

 

2. Click on the 'Configure API Integration' button (circled in blue)

mceclip2.png

 

3. Check the checkbox labeled 'Enable API' (circled in blue) and the 'API Token' field will appear (rectangle in red)

mceclip4.png

 

4. Jump back into your Rhombus console and navigate to the SSO page by going to Settings -> Single Sign-On. Click on the SCIM section and in the dropdown click the 'Setup' (circled in blue)

mceclip5.png

 

5. Copy the Token (blocked out in blue on the top picture) and paste it in the Okta provisioning 'API Token' field, then hit 'Test API Credentials'. If successful hit 'Save' at the bottom (pictured below, bottom picture), if not reach out to Rhombus Support or Okta support

mceclip6.png

Rhombus SSO page

mceclip7.png

Okta provisioning page

 

6. Within the provisioning window of the Rhombus Systems app select 'To App' on the left side (pictured below)

mceclip8.png

 

7. Scroll down to the 'Rhombus Systems Attribute Mappings' section and toggle the button labeled 'Show Unmapped Attributes' (pictured below)

mceclip13.png

 

8. Next, modify the Attribute (circled blue) 'roles' (circled red) of 'Attribute Type' (circled green) 'Group' (circled purple) to the desired value or expression matching the Roles created in Rhombus Systems. To edit the value click the pencil icon on the right (circled in black)

mceclip14.png

For this example, my Role in the Rhombus System is set to 'Super Admin Group'. I add this role by selecting 'Same value for all users' from the 'Attribute value' field (below picture)

mceclip15.png

Then, click the 'Add Another' button and enter the desired role and hit the 'Save' button (picture below)

mceclip0.png

Now you should see the new role added in the mapping table:

mceclip1.png

 

9. Hit the 'Force Sync' button at the top of the mapping table

mceclip2.png

 

Requirements

  • The “roles” group attribute should be present unless Add Users on Role Mismatch is enabled on the Rhombus Console

 

Provisioning features

The Okta / Rhombus SCIM integration currently supports the following provisioning features:

  • Create Users: Users created in Okta will automatically get provisioned in Rhombus
  • Update User Attributes: Changes to user profile in Okta will be pushed to Rhombus
  • Deactivate Users: Users deactivated in Okta will get deleted from Rhombus
  • Reactivate Users: Users reactivated in Okta will get provisioned in Rhombus
  • Import users: Users in Rhombus can be imported in to Okta

 

User attributes

The following Okta user attributes will be synchronized to Rhombus:

  • First Name
  • Last Name
  • Roles

 

Troubleshooting

  • When users are deactivated in Okta they will get deleted from Rhombus for security measures. As Okta does not support delete requests, Rhombus will delete user accounts when Okta reports a user status update changing active=false.
  • Primary Email is only used for importing users from Rhombus and is not used for pushing user updates
  • Updating Usernames for Users is not supported by Rhombus
  • Even though Okta allows multiple Roles to be assigned to the user, Rhombus will only use a single role.  We will use the first matching role when new users are pushed.
  • Users with empty First/Last cannot be imported in to Okta as OKTA requires both these parameters to be present

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk