Integrate Okta SAML SCIM with Immuta

Requirements

  • An Immuta instance with version 2020.4 or higher is required to use Immuta's SCIM 2.0 feature.

  • Users have to be an administrator in Okta to edit or add applications.

Supported Features

The following Okta provisioning features are supported by Immuta:

  • Import Users from Okta: Okta users who had previously been assigned to an Okta application can be imported to your Immuta instance.

  • Push Users to Immuta: Okta users who are assigned to the Immuta application in Okta are automatically added as members to your Immuta instance.

  • Deactivate Users in Immuta: Okta users who are unassigned from the Immuta application in Okta or are deleted or deactivated from Okta are automatically deactivated in your Immuta instance.

  • Push Groups to Immuta: Groups and their members in Okta can be pushed to your Immuta instance.

  • Remove Groups from Immuta: Groups in Okta are removed from your Immuta instance when they are no longer mapped to your Immuta application in Okta.

  • Map User Attributes from Okta to Immuta: You can map user attributes between Okta and your Immuta instance. The mapping will remain synced by detecting profile changes in Okta.

Configuration Instructions

1 - Add SAML Application in Okta

  1. Log in to your Okta instance and click Applications in the menu in the left pane.

  2. Click Browse App Catalog, and then search for and select Immuta.

  3. Click Add.

  4. In General Settings, opt to change the Application label. Then, click Next.

  5. Click View Setup Instructions and complete the tutorial to configure the IAM in Immuta. Note: You will complete all steps outlined for the Immuta App Settings page except Test User Login. You cannot test the login or save the IAM configuration in Immuta until you have added yourself as a user to the application in Okta. These steps are outlined in the next section.

  6. In the Okta console under Advanced Sign-on Settings, fill in the following fields.

    • Base URL (typically your Immuta instance URL)

    • IAM ID (found on the Immuta App Settings page)

  7. Click Done.

2 - Add a User to the Application

  1. Click the Assignments tab.

  2. Click Assign and then Assign to People.

  3. Enter your name in the search field to filter results, and then click Assign.

  4. Click Save and Go Back, and then click Done.

  5. Return to the Immuta console and click Test User Login. Once this test passes, click Save.

3 - Configure Immuta to Use SCIM External IAM

  1. Navigate to the App Settings page in Immuta, and click the Add IAM button.

  2. Complete the Display Name field and select SAML as your IAM type from the Identity Provider Type dropdown.

  3. Adjust Default Permissions granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the Client Options section.

  4. Enable SCIM support for SAML by clicking the checkbox, which will generate a SCIM API Key.

  5. In the Profile Schema section, map attributes in SAML to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.

  6. Enable Sync groups from SAML to Immuta and Sync attributes from SAML to Immuta by selecting the checkboxes, and then click the Test Connection button.

  7. Once the connection is successful, click the Test User Login button.

  8. Before you save the configuration, store the SCIM information that displays on the Immuta App Settings page, as it will be used in subsequent steps.

4 - Update Existing Okta Application to Enable SCIM

  1. In Okta, navigate to your application and click the Provisioning tab.

  2. Click Configure API Integration and then select the Enable API integration checkbox.

  3. Fill in the following fields:

    • Base URL (found on the Immuta App Settings page as SCIM URL)

    • API Token (found on the Immuta App Settings page as SCIM Api Key)

  4. Click Test API Credentials.

  5. Once that test passes, click Save.

  6. You will automatically navigate to the Provisioning tab. To make sure everything syncs as expected, select To App in the Settings pane, click Edit, and enable the following fields:

    • Create Users

    • Update User Attributes

    • Deactivate Users

  7. Click Save.

Syncing Current Users in Okta

Once SCIM is enabled in Okta, it only works for changes in Okta going forward. To get your current users to sync, navigate to the Assignment tab and click Provision User in Okta. Existing users (or any new users you add/remove) should now display in Immuta under this external IAM.

Known Issues and Limitations

  • Using the same group to assign users to Okta (groups added to the Okta Assignments tab) and to push groups and users to Immuta (groups added to the Okta Push Groups tab) is not supported. See the Okta troubleshooting guide for details.

  • The Okta directory cannot be synced with Immuta's internal IAM (BIM). You must configure an external IAM in Immuta to push users and groups from Okta to Immuta.

  • You should create a new Immuta IAM and a new Okta application for Immuta to set up the provisioning. An existing setup can cause discrepancies between the Okta directory and the app, leading to syncing failures.

  • When making a GET request for a user, there are extra attributes in the response.

Additional Tutorials

Add Users in Okta SCIM

  1. Navigate to your application in Okta and click the Assignments tab.

  2. Click Assign and then Assign to People.

  3. Enter the name of the user you would like to add in the search field and click Assign.

  4. Click Save and Go Back, and then click Done.

The user has been added to your application in Okta and displays as a user in Immuta under this external IAM.

Remove Users from Okta SCIM

  1. Click the delete icon next to the user you want to remove.

  2. When prompted to make sure you want to delete this user, click OK.

This user is removed from your application in Okta and displays as disabled in Immuta under this external IAM.

Copyright © 2014-2024 Immuta Inc. All rights reserved.