How to configure SCIM 2.0 with Okta

In this article we will discuss how to set up SCIM user provisioning with Okta:

• Steps
• Requirements
• Provisioning features
• Add a User
• User attributes
• Troubleshooting

Note: The SSO setup needs to be completed prior to this SCIM setup. You can find that article here: Setting up SSO with Okta. Currently, the feature of using "Add users on Role Mismatch" in the Rhombus console is not properly operating correctly.

Steps

1. Navigate to the 'Provisioning' tab at the top of the Rhombus Systems application you created in the Setting up SSO with Okta article by going to Applications -> Rhombus Systems -> Provisioning

2. Click on the 'Configure API Integration' button (circled in blue)

3. Check the checkbox labeled 'Enable API' (circled in blue) and the 'API Token' field will appear (rectangle in red)

4. Jump back into your Rhombus console and navigate to the SSO page by going to Settings -> Single Sign-On. Click on the SCIM section and in the dropdown click the 'Setup' (circled in blue)

5. Copy the Token (blocked out in blue on the top picture) and paste it in the Okta provisioning 'API Token' field, then hit 'Test API Credentials'. If successful hit 'Save' at the bottom (pictured below, bottom picture), if not reach out to Rhombus Support or Okta support

Rhombus SSO page

Okta provisioning page

6. Within the provisioning window of the Rhombus Systems app select 'To App' on the left side (pictured below) - Click the edit button and enable 'Create Users', 'Update User Attributes' and 'Deactivate Users', and click save. 

7. Hit the 'Force Sync' button at the top of the mapping table

8. Next view the top of the page and you should see the same as below. Now you have activated SCIM for Rhombus Systems. 

Add a User

1. To add a user go to the 'Assignments' section in Okta and go to 'Assign', then click 'Assign to People' and assign the correct individuals from the list.   

2. Next after adding the user click on the pencil icon to add the 'roles' to the individual user. Note: Only add roles that are currently in the Rhombus Console. To learn more about Rhombus Roles go to the guide here.

Requirements

• The “roles” group attribute should be present unless Add Users on Role Mismatch is enabled on the Rhombus Console. A reminder the 'Add Users on Role Mismatch' is currently not operating correctly.

Provisioning features

The Okta / Rhombus SCIM integration currently supports the following provisioning features:

• Create Users: Users created in Okta will automatically get provisioned in Rhombus
• Update User Attributes: Changes to user profile in Okta will be pushed to Rhombus
• Deactivate Users: Users deactivated in Okta will get deleted from Rhombus
• Reactivate Users: Users reactivated in Okta will get provisioned in Rhombus
• Import users: Users in Rhombus can be imported into Okta

User attributes

The following Okta user attributes will be synchronized to Rhombus:

• First Name
• Last Name
• Roles

Troubleshooting

• When users are deactivated in Okta they will get deleted from Rhombus for security measures. As Okta does not support delete requests, Rhombus will delete user accounts when Okta reports a user status update changing active=false.
• Primary Email is only used for importing users from Rhombus and is not used for pushing user updates
• Updating Usernames for Users is not supported by Rhombus
• Even though Okta allows multiple Roles to be assigned to the user, Rhombus will only use a single role.  We will use the first matching role when new users are pushed.
• Users with empty First/Last cannot be imported in to Okta as OKTA requires both these parameters to be present

If you have any further questions please reach out to our Rhombus Support at help@rhombus.com. If you would like to talk to a Rhombus Sales Representative please reach out to sales@rhombus.com.