Skip to main content

How to configure SCIM 2.0 with Okta

Rhombus Support
Updated

In this article we will discuss how to set up SCIM user provisioning with Okta:

Notes:

  • Provisioning may not possible unless you've purchased it with/on your Okta plan
  • The SSO setup needs to be completed prior to this SCIM setup. You can find that article here: Setting up SSO with Okta. Currently, the feature of using "Add users on Role Mismatch" in the Rhombus console is not properly operating correctly.

Steps

1. Navigate to the 'Provisioning' tab at the top of the Rhombus Systems application you created in the Setting up SSO with Okta article by going to Applications -> Rhombus Systems -> Provisioning

mceclip1.png

 

2. Click on the 'Configure API Integration' button (circled in blue)

mceclip2.png

3. Check the checkbox labeled 'Enable API' (circled in blue) and the 'API Token' field will appear (rectangle in red)

mceclip4.png

 

4. Jump back into your Rhombus console and navigate to the SSO page by going to Settings -> Single Sign-On. Click on the SCIM section and in the dropdown click the 'Setup' (circled in blue)

mceclip5.png

 

5. Copy the Token (blocked out in blue on the top picture) and paste it in the Okta provisioning 'API Token' field, then hit 'Test API Credentials'. If successful hit 'Save' at the bottom (pictured below, bottom picture), if not reach out to Rhombus Support or Okta support

mceclip6.png

Rhombus SSO page

mceclip7.png

Okta provisioning page

 

6. Within the provisioning window of the Rhombus Systems app select 'To App' on the left side (pictured below) - Click the edit button and enable 'Create Users', 'Update User Attributes' and 'Deactivate Users', and click save. 

Snip20220812_151.png

 

7. Hit the 'Force Sync' button at the top of the mapping table

mceclip2.png

 

 

8. Next view the top of the page and you should see the same as below. Now you have activated SCIM for Rhombus Systems. 

Snip20220812_152.png

Add a User

1. To add a user go to the 'Assignments' section in Okta and go to 'Assign', then click 'Assign to People' and assign the correct individuals from the list.   

Snip20220817_159.png

2. Next after adding the user click on the pencil icon to add the 'roles' to the individual user. Note: Only add roles that are currently in the Rhombus Console. To learn more about Rhombus Roles go to the guide here.

Snip20220812_153.png

 

Requirements

  • The “roles” group attribute should be present unless Add Users on Role Mismatch is enabled on the Rhombus Console. A reminder the 'Add Users on Role Mismatch' is currently not operating correctly.

Provisioning features

The Okta / Rhombus SCIM integration currently supports the following provisioning features:

  • Create Users: Users created in Okta will automatically get provisioned in Rhombus
  • Update User Attributes: Changes to user profile in Okta will be pushed to Rhombus
  • Deactivate Users: Users deactivated in Okta will get deleted from Rhombus
  • Reactivate Users: Users reactivated in Okta will get provisioned in Rhombus
  • Import users: Users in Rhombus can be imported into Okta

User attributes

The following Okta user attributes will be synchronized to Rhombus:

  • First Name
  • Last Name
  • Roles

Creating a Group

1. With Okta, we can also create group-based provisioning based on roles created within the Rhombus Console. First, if you don't have groups, go ahead and create a group by clicking "Add Group 

 

Create

 

2. Once that group is created, you can go ahead and select that group. We will now want to assign the Rhombus Systems applicant. Select "Applications" and assign the Rhombus Systems application as seen below. 

 

assign

 

3. Now that the Rhombus Systems application has been assigned to this group, we will want to hit the pencil icon to edit this group's role. 

 

Screenshot

 

4. We will want this role to match the role we wish this group's users to have within the Rhombus console. The role will not be assigned if there is a typo or missing character. Users can currently only have one role within the Rhombus Console. You can go ahead and click save. 

 

assign

5. Now that we have created a group and assigned a role. We can assign people to this group within Okta. Inside that group, select "People" -> "Assign People" -> "+"; that user is now assigned to this group. 

assign

 

6. If you wish to automatically assign the same role to groups whenever they are created or assigned to the Rhombus application, we are able to do that as well. Inside the Rhombus app, select "Provisioning" -> "To App", scroll to the bottom, and you will see the "roles" mapping field. Edit by clicking the pencil icon and type in the role you wish new groups created default to. If left blank, no role will be assigned until one is assigned (see step 4). 

standard

Troubleshooting

  • When users are deactivated in Okta they will get deleted from Rhombus for security measures. As Okta does not support delete requests, Rhombus will delete user accounts when Okta reports a user status update changing active=false.
  • Primary Email is only used for importing users from Rhombus and is not used for pushing user updates
  • Updating Usernames for Users is not supported by Rhombus
  • Even though Okta allows multiple Roles to be assigned to the user, Rhombus will only use a single role.  We will use the first matching role when new users are pushed.
  • Users with empty First/Last cannot be imported in to Okta as OKTA requires both these parameters to be present

Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.

Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk