Skip to content

Integrate Okta SAML SCIM with Immuta

Audience: System Administrators and Okta Admins

Content Summary: This page details how to integrate Okta SAML SCIM with Immuta

Additional Tutorials Contents:

  • Manage Users in Okta SCIM
  • Manage Groups with Okta SCIM
  • Manage Attributes with Okta SCIM
  • Sync External Usernames with Okta SCIM in Immuta

Requirements

  • An Immuta instance with version 2020.4 or higher is required to use Immuta's SCIM 2.0 feature.
  • Users have to be an administrator in Okta to edit or add applications.

Supported Features

The following Okta provisioning features are supported by Immuta:

  • Push Users to Immuta: Okta users who are assigned to the Immuta application in Okta are automatically added as members to your Immuta instance.
  • Deactivate Users in Immuta: Okta users who are unassigned from the Immuta application in Okta or are deleted or deactivated from Okta are automatically deactivated in your Immuta instance.
  • Push Groups to Immuta: Groups and their members in Okta can be pushed to your Immuta instance.
  • Remove Groups from Immuta: Groups in Okta are removed from your Immuta instance when they are no longer mapped to your Immuta application in Okta.
  • Map User Attributes from Okta to Immuta: You can map user attributes between Okta and your Immuta instance. The mapping will remain synced by detecting profile changes in Okta.

Configuration Instructions

1 - Add SAML Application in Okta

  1. Log in to your Okta instance and click the Applications tab.

  2. Click Add Application. The page will display the Create SAML Integration workflow.

  3. Under 1: General Settings, fill in the App Name field, and then click Next. (Other fields in this section are not required).

  4. Under A: SAML Settings, fill in the following fields. Anything not specified can be left empty or with default values:

    • Single sign on URL: This typically looks like {your_immuta_instance_url}/bim/iam/{your_IAM_id}/user/authenticate/callback

    • Audience URI (SP Entity ID): This is typically your Immuta instance url.

    • Name ID Format: EmailAddress

    • Group Attribute Statements:

      • Name: groups
      • Name format: unspecified
      • Filter: Matches regex
      • Value: .*
  5. Click Next in the B: Preview the SAML assertion generated from the information above section.

  6. Under 3: Help Okta Support understand how you configured this application, fill in the following fields and click Finish:

    • Are you a customer or partner?: Select the I’m a software vendor, I’d like to integrate my app to Okta.

2 - Add a User to the Application

  1. Click the Assignments tab.

  2. Click Assign and then Assign to People.

  3. Enter your name in the search field to filter results, and then click Assign.

  4. Click Save and Go Back, and then click Done.

  5. To configure Immuta in the next section, you will need details in the Setup Instructions section. Click the Setup Instructions button under Settings. Leave this tab open for user in later steps.

3 - Configure Immuta to Use SCIM External IAM

  1. Navigate to the App Settings page in Immuta, and click the Add IAM button.
  2. Complete the Display Name field and select SAML as your IAM type from the Identity Provider Type dropdown.

    Config IAM

  3. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Client Options section.

  4. Enable SCIM support for SAML by clicking the checkbox, which will generate a SCIM API Key.
  5. In the Profile Schema section, map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.
  6. Enable Sync groups from SAML to Immuta and Sync attributes from SAML to Immuta by selecting the checkboxes, and then click the Test Connection button.
  7. Once the connection is successful, click the Test User Login button.
  8. Before you save the configuration, store the SCIM information that displays on the Immuta App Settings page, as it will be used in subsequent steps.

    SCIM API Key

4 - Update Existing Okta Application to Enable SCIM

  1. In Okta, navigate to your application and click the General tab.

  2. Click Edit under the App Settings section.

  3. Select the SCIM option and then click Save.

  4. Navigate to the Provisioning tab and click Edit.

  5. Fill in the following fields:

    • SCIM connector base URL:
    • Unique identifier field for users: email
    • Supported provisioning actions: enable Import New Users and Profile Updates, Push New Users, Push Profile Updates, and Push Groups.
    • Authentication Method: HTTP Header
    • Bearer Token:
  6. Click Test Connector Configuration.

  7. Once that test passes, click Save.

  8. You will automatically navigate to the Provisioning tab. To make sure everything syncs as expected, click Edit and enable the following fields:

    • Create Users
    • Update User Attributes
    • Deactivate Users
  9. Click Save.

Syncing Current Users in Okta

Once SCIM is enabled in Okta, it only works for changes in Okta going forward. To get your current users to sync, navigate to the Assignment tab and click Provision User in Okta. Existing users (or any new users you add/remove) should now display in Immuta under this external IAM.

Known Issues and Limitations

  • The Okta directory cannot be synced with Immuta's internal IAM (BIM). You must configure an external IAM in Immuta to push users and groups from Okta to Immuta.
  • You should create a new Immuta IAM and a new Okta application for Immuta to set up the provisioning. An existing setup can cause discrepancies between the Okta directory and the app, leading to syncing failures.

Additional Tutorials

Add Users in Okta SCIM

  1. Navigate to your application in Okta and click the Assignments tab.

  2. Click Assign and then Assign to People.

  3. Enter the name of the user you would like to add in the search field and click Assign.

  4. Click Save and Go Back, and then click Done.

The user has been added to your application in Okta and displays as a user in Immuta under this external IAM.

Remove Users from Okta SCIM

  1. Click the delete icon next to the user you want to remove.

  2. When prompted to make sure you want to delete this user, click OK.

This user is removed from your application in Okta and displays as disabled in Immuta under this external IAM.

Syncing Groups with Okta SCIM

Groups will automatically sync in Immuta for any users added to the SCIM application if

  • Push Groups in Okta is enabled
  • Sync Groups is enabled in Immuta

Add Users to Groups

  1. In Okta, navigate to your application and click on the Assignments tab.

  2. Click on the name of the user whose groups you want to update.

  3. Click on the Groups tab.

  4. To add a new group, start to type the name of an existing group in the search field, and when it displays, click Add.

This group has been added to the user in Okta. It will also automatically appear in Immuta for the same user.

Remove Users from Groups

  1. In Okta, navigate to your application and click the Assignments tab.

  2. Click the name of the user whose groups you want to update, and then navigate to the Groups tab.

  3. Click the delete icon next to the group you want to remove for this user.

This group has been removed from the user in Okta, and it will automatically be removed from this user in Immuta.

Add Attributes to Users

  1. In Okta, navigate to your application and click To App on the Provisioning tab.

  2. Click the Go to Profile Editor button.

  3. Click Add Attribute and fill in the following fields:

    • Data type (defaults to string).

    • Display name.

    • Variable name.

    • External namespace. This field has to be formatted using a special schema format (e.g., urn:ietf:params:scim:schemas:extension:enterprise:2.0:DEMOEXT). Copy this information; you will need it for Immuta configuration.

  4. Click Save.

By default, the value for this attribute is empty. Follow the Adding Attribute Values section to add values.

Update the SCIM Attribute Schema in Immuta

  1. In Immuta, navigate to the App Settings page and edit your SCIM configuration.

  2. Scroll to the Attribute Schema section under Sync Attributes.

  3. Click Add Attribute and complete the following fields:

    • SCIM Schema:

    • IAM Immuta Attribute Prefix: this can be anything you want

  4. Click Test Connection and then Test User.

  5. Save your changes.

Add Attribute Values

After adding attributes to users and updating the SCIM Attribute Schema in Immuta,

  1. In Okta, navigate to the Assignments tab for your application and click the edit icon next to the user you want to update attributes for.
  2. Scroll to the attribute you created and add a value in the textbox.
  3. Save your changes.

Now that this attribute has been added to the user in Okta, it will automatically appear in Immuta for the same user.

Sync External Usernames with Okta SCIM in Immuta

Syncing External Usernames

You must configure a SCIM application and enable sync attributes before syncing external usernames.

  1. In Immuta, navigate to your Okta SCIM configuration on the App Settings page.

  2. Under Sync attributes from SAML to Immuta, add an attribute for the field you would like to map to an external username.

    Sync SAML Attributes

  3. Copy and paste the resulting attribute for the desired external username.

    Map SAML Attributes

  4. Click Test Connection and then Test User.

  5. Save your changes.