In this article we will discuss how to set up SCIM user provisioning with Okta:
- Steps
- Add a User
- Requirements
- Provisioning Features
- User Attributes
- Creating a Group
- Troubleshooting
- Helpful Links
- Contact Support or Sales
Requirements
- Provisioning may not be possible unless you've purchased it as part of your Okta plan.
- The Single Sign-On setup needs to be completed prior to this SCIM setup. You can find that article here: Setting up SSO with Okta.
- Currently, the "Add Users on Role Mismatch" feature in the Rhombus console is not operating correctly.
Steps
1. Navigate to the 'Provisioning' tab at the top of the Rhombus Systems application you created in the Setting up SSO with Okta article by going to Applications -> Rhombus Systems -> Provisioning.
2. Click on the 'Configure API Integration' button (circled in blue).
3. Check the checkbox labeled 'Enable API' (circled in blue) and the 'API Token' field will appear (rectangle in red).
4. Jump back into your Rhombus console and navigate to the SSO page by going to Settings -> Single Sign-On. Click on the SCIM section and, in the dropdown, click 'Setup' (circled in blue).
5. Copy the Token (blocked out in blue in the top picture) and paste it into the Okta provisioning 'API Token' field, then hit 'Test API Credentials'. If the test succeeds, hit 'Save' at the bottom (bottom picture). If not, reach out to Rhombus Support or Okta support.
Rhombus SSO page
Okta provisioning page
6. Within the provisioning window of the Rhombus Systems app, select 'To App' on the left side (pictured below). Click the edit button, enable 'Create Users', 'Update User Attributes' and 'Deactivate Users', and click save.
7. Hit the 'Force Sync' button at the top of the mapping table.
8. Next view the top of the page and you should see the same as below. Now you have activated SCIM for Rhombus Systems.
Add a User
1. To add a user go to the 'Assignments' section in Okta and go to 'Assign', then click 'Assign to People' and assign the correct individuals from the list.
2. Next, after adding the user, click on the pencil icon to add the 'roles' to the individual user. Note: Only add roles that are currently in the Rhombus Console. To learn more about Rhombus Roles go to the guide here.
The "roles" group attribute should be present unless 'Add Users on Role Mismatch' is enabled on the Rhombus Console. As a reminder, the 'Add Users on Role Mismatch' feature is currently not operating correctly.
Provisioning Features
The Okta / Rhombus SCIM integration currently supports the following provisioning features:
- Create Users: Users created in Okta will automatically get provisioned in Rhombus.
- Update User Attributes: Changes to the user profile in Okta will be pushed to Rhombus.
- Deactivate Users: Users deactivated in Okta will get deleted from Rhombus.
- Reactivate Users: Users reactivated in Okta will get provisioned in Rhombus.
- Import users: Users in Rhombus can be imported into Okta.
User Attributes
The following Okta user attributes will be synchronized to Rhombus:
- First Name
- Last Name
- Roles
Creating a Group
1. With Okta, we can also create group-based provisioning based on roles created within the Rhombus Console. First, if you don't have groups, go ahead and create a group by clicking "Add Group."
2. Once that group is created, you can go ahead and select that group. We will now want to assign the Rhombus Systems application. Select "Applications" and assign the Rhombus Systems application as seen below.
3. Now that the Rhombus Systems application has been assigned to this group, we will want to hit the pencil icon to edit this group's role.
4. This role will need to match the role this group's users should have within the Rhombus console. The role will not be assigned if there is a typo or missing character. Users can currently only have one role within the Rhombus Console. Once this is done, you can go ahead and click save.
5. Now that we have created a group and assigned a role, we can assign people to this group within Okta. Inside that group, select "People" -> "Assign People" -> "+"; that user is now assigned to this group.
6. If you wish to automatically assign the same role to groups whenever they are created or assigned to the Rhombus application, we are able to do that as well. Inside the Rhombus app, select "Provisioning" -> "To App", scroll to the bottom, and you will see the "roles" mapping field. Edit it by clicking the pencil icon and type in the role you want newly created groups to default to. If left blank, no role will be assigned until one is assigned (see step 4).
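Because a role with a typo is not assigned and Rhombus uses only a single role per user, it helps to check the 'roles' values before assigning people. The following is an added example, not Rhombus or Okta code: the role names and users are constructed sample data, and exact case-sensitive matching and "first" meaning list order are assumptions.

```python
# Constructed sample: role names as they exist in the Rhombus console.
CONSOLE_ROLES = ["Administrator", "Viewer", "Site Manager"]

# Constructed sample: 'roles' values entered per user in Okta.
OKTA_ASSIGNMENTS = {
    "alice@example.com": ["Administrator"],
    "bob@example.com": ["viewer "],  # wrong case and a trailing space
    "carol@example.com": ["Guest", "Viewer", "Administrator"],
    "dave@example.com": [],
}


def resolve_role(assigned, console_roles):
    """Return the first assigned role that exactly matches a console role.

    Assumption: matching is exact and case-sensitive, and "first" follows
    the order of the list.
    """
    known = set(console_roles)
    return next((role for role in assigned if role in known), None)


def audit(assignments, console_roles):
    """Return {user: (effective_role, [warnings])} for every user."""
    by_folded = {r.strip().casefold(): r for r in console_roles}
    report = {}
    for user, assigned in assignments.items():
        effective = resolve_role(assigned, console_roles)
        warnings = []
        if not assigned:
            warnings.append("no role assigned")
        for role in assigned:
            if role in console_roles:
                continue
            # Near miss: same name apart from case or surrounding spaces.
            near = by_folded.get(role.strip().casefold())
            hint = f" (did you mean {near!r}?)" if near else ""
            warnings.append(f"unknown role {role!r}{hint}")
        matches = [r for r in assigned if r in console_roles]
        if len(matches) > 1:
            warnings.append(f"{len(matches)} valid roles; only {effective!r} is used")
        report[user] = (effective, warnings)
    return report


if __name__ == "__main__":
    for user, (role, warnings) in audit(OKTA_ASSIGNMENTS, CONSOLE_ROLES).items():
        print(f"{user}: effective role = {role}")
        for warning in warnings:
            print(f"  warning: {warning}")
```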
Troubleshooting
- When users are deactivated in Okta they will get deleted from Rhombus as a security measure. As Okta does not support delete requests, Rhombus will delete user accounts when Okta reports a user status update that sets active=false.
- Primary Email is only used for importing users from Rhombus and is not used for pushing user updates.
- Updating Usernames for Users is not supported by Rhombus.
- Even though Okta allows multiple Roles to be assigned to the user, Rhombus will only use a single role. We will use the first matching role when new users are pushed.
- Users with an empty First or Last Name cannot be imported into Okta, as Okta requires both of these parameters to be present.
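The deactivation behaviour described above, modelled as an added example (not Rhombus's implementation): it reads the 'active' value from a SCIM 2.0 PATCH or PUT body and removes the account from an in-memory store when active=false. The store, the function names and the sample body are constructed for illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample of a SCIM 2.0 deactivation PATCH body.
DEACTIVATE_PATCH = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
 "Operations": [{"op": "replace", "value": {"active": false}}]}
""")


def _as_bool(value):
    """Accept JSON booleans and the strings 'true'/'false'; else None."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None


def requested_active(body):
    """Return the 'active' value a SCIM PATCH or PUT body asks for, or None."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        return _as_bool(body.get("active"))  # PUT carries the full user resource
    result = None
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue
        value = op.get("value")
        if str(op.get("path", "")).lower() == "active":
            result = _as_bool(value)  # {"op": "replace", "path": "active", ...}
        elif "path" not in op and isinstance(value, dict) and "active" in value:
            result = _as_bool(value["active"])  # {"op": "replace", "value": {...}}
    return result


def apply_update(store, user_id, body):
    """Model of the documented behaviour: active=false deletes the account."""
    active = requested_active(body)
    if active is None:
        return "unchanged"
    if active:
        return "active"
    if user_id in store:
        del store[user_id]
        return "deleted"
    return "absent"
```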
Helpful Links
Contact Support or Sales
Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or
Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or