# Integrate Okta SAML SCIM with Immuta ## Requirements * An Immuta tenant with version 2020.4 or higher is required to use Immuta's SCIM 2.0 feature. * Users have to be an administrator in Okta to edit or add applications. ## Supported Features The following Okta provisioning features are supported by Immuta: * **Import Users from Okta**: Okta users who had previously been assigned to an Okta application can be imported to your Immuta tenant. * **Push Users to Immuta**: Okta users who are assigned to the Immuta application in Okta are automatically added as members to your Immuta tenant. * **Deactivate Users in Immuta**: Okta users who are unassigned from the Immuta application in Okta or are deleted or deactivated from Okta are automatically deactivated in your Immuta tenant. * **Push Groups to Immuta**: Groups and their members in Okta can be pushed to your Immuta tenant. * **Remove Groups from Immuta**: Groups in Okta are removed from your Immuta tenant when they are no longer mapped to your Immuta application in Okta. * **Map User Attributes from Okta to Immuta**: You can map user attributes between Okta and your Immuta tenant. The mapping will remain synced by detecting profile changes in Okta. ## Configuration Instructions ### 1 - Add SAML Application in Okta 1. Log in to your Okta instance and click **Applications** in the menu in the left pane. 2. Click **Browse App Catalog**, and then search for and select **Immuta**. 3. Click **Add**. 4. In **General Settings**, opt to change the Application label. Then, click **Next**. 5. Click **View Setup Instructions** and complete the tutorial to configure the IAM in Immuta. *Note: You will complete all steps outlined for the Immuta App Settings page except **Test User Login**. You cannot test the login or save the IAM configuration in Immuta until you have added yourself as a user to the application in Okta. These steps are outlined in the next section.* 6. In the Okta console under **Advanced Sign-on Settings**, fill in the following fields. * **Base URL** (typically your Immuta tenant URL) * **IAM ID** (found on the Immuta App Settings page) 7. Click **Done**. ### 2 - Add a User to the Application 1. Click the **Assignments** tab. 2. Click **Assign** and then **Assign to People**. 3. Enter your name in the search field to filter results, and then click **Assign**. 4. Click **Save and Go Back**, and then click **Done**. 5. Return to the Immuta console and click **Test User Login**. Once this test passes, click **Save**. ### 3 - Configure Immuta to Use SCIM External IAM 1. Navigate to the **App Settings** page in Immuta, and click the **Add IAM** button. 2. Complete the **Display Name** field and select **SAML** as your IAM type from the **Identity Provider Type** dropdown. 3. Adjust **Default Permissions** granted to users by selecting from the list in this dropdown menu, and then complete the required fields in the **Client Options** section. 4. **Enable SCIM support for SAML** by clicking the checkbox, which will generate a SCIM API Key. * Copy the SCIM URL and API key generated, and then [save your changes](#user-content-fn-1)[^1]. * Validate the URL and credentials within the identity provider application. 5. In the **Profile Schema** section, map attributes in SAML to automatically fill in a user's Immuta profile. *Note: Fields that you specify in this schema will not be editable by users within Immuta.* 6. Enable **Sync groups from SAML to Immuta** and **Sync attributes from SAML to Immuta** by selecting the checkboxes, and then click the **Test Connection** button. 7. Once the connection is successful, click the **Test User Login** button. 8. Before you save the configuration, store the SCIM information that displays on the Immuta App Settings page, as it will be used in subsequent steps. {% hint style="warning" %} **Multiple user accounts cannot have the same email address** If you register user accounts that have the same email address as an existing Immuta user account, the email field for the subsequent user accounts will be left empty. For more details, see the [Identity managers reference guide](https://documentation.immuta.com/2024.2/people/reference-guides/identity-managers#limitations). {% endhint %} ### 4 - Update Existing Okta Application to Enable SCIM 1. In Okta, navigate to your application and click the **Provisioning** tab. 2. Click **Configure API Integration** and then select the **Enable API integration** checkbox. 3. Fill in the following fields: * **Base URL** (found on the Immuta App Settings page as **SCIM URL**) * **API Token** (found on the Immuta App Settings page as **SCIM Api Key**) 4. Click **Test API Credentials**. 5. Once that test passes, click **Save**. 6. You will automatically navigate to the **Provisioning** tab. To make sure everything syncs as expected, select **To App** in the **Settings** pane, click **Edit**, and enable the following fields: * Create Users * Update User Attributes * Deactivate Users 7. Click **Save**. {% hint style="info" %} **Syncing current users in Okta** Once SCIM is enabled in Okta, it only works for changes in Okta going forward. To get your current users to sync, navigate to the **Assignment** tab and click **Provision User** in Okta. Existing users (or any new users you add/remove) should now display in Immuta under this external IAM. {% endhint %} ## Known Issues and Limitations * Using the same group to assign users to Okta (groups added to the Okta **Assignments** tab) and to push groups and users to Immuta (groups added to the Okta **Push Groups** tab) is not supported. See the [Okta troubleshooting guide](https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-group-push-troubleshoot.htm) for details. * The Okta directory cannot be synced with Immuta's internal IAM (BIM). You must configure an external IAM in Immuta to push users and groups from Okta to Immuta. * You should create a new Immuta IAM and a new Okta application for Immuta to set up the provisioning. An existing setup can cause discrepancies between the Okta directory and the app, leading to syncing failures. * When making a GET request for a user, there are extra attributes in the response. ## Additional Tutorials ### Manage Users in Okta SCIM **Add Users in Okta SCIM** 1. Navigate to your application in Okta and click the **Assignments** tab. 2. Click **Assign** and then **Assign to People**. 3. Enter the name of the user you would like to add in the search field and click **Assign**. 4. Click **Save and Go Back**, and then click **Done**. The user has been added to your application in Okta and displays as a user in Immuta under this external IAM. **Remove Users from Okta SCIM** 1. Click the **delete** icon next to the user you want to remove. 2. When prompted to make sure you want to delete this user, click **OK**. This user is removed from your application in Okta and displays as disabled in Immuta under this external IAM. ### Manage Groups {% hint style="info" %} **Group sync** Groups will automatically sync in Immuta for any users added to the SCIM application if * **Push Groups** in Okta is enabled * **Sync Groups** is enabled in Immuta {% endhint %} **Add Users to Groups** 1. In Okta, navigate to your application and click on the **Assignments** tab. 2. Click on the **name** of the user whose groups you want to update. 3. Click on the **Groups** tab. 4. To add a new group, start to type the name of an existing group in the search field, and when it displays, click **Add**. This group has been added to the user in Okta. It will also automatically appear in Immuta for the same user. **Remove Users from Groups** 1. In Okta, navigate to your application and click the **Assignments** tab. 2. Click the **name** of the user whose groups you want to update, and then navigate to the **Groups** tab. 3. Click the **delete** icon next to the group you want to remove for this user. This group has been removed from the user in Okta, and it will automatically be removed from this user in Immuta. ### Manage Attributes with Okta SCIM **Add Attributes to Users** 1. In Okta, navigate to your application and click **To App** on the **Provisioning** tab. 2. Click the **Go to Profile Editor** button. 3. Click **Add Attribute** and fill in the following fields: * **Data type** (defaults to string). * **Display name**. * **Variable name**. * **External namespace**. This field has to be formatted using a special schema format (e.g., urn:ietf:params:scim:schemas:extension:enterprise:2.0:DEMOEXT). Copy this information; you will need it for Immuta configuration. 4. Click **Save**. By default, the value for this attribute is empty. Follow the [Adding Attribute Values](#adding-attribute-values) section to add values. **Update the SCIM Attribute Schema in Immuta** 1. In Immuta, navigate to the **App Settings** page and edit your SCIM configuration. 2. Scroll to the **Attribute Schema** section under **Sync Attributes**. 3. Click **Add Attribute** and complete the following fields: * **SCIM Schema**: \ * **IAM Immuta Attribute Prefix**: this can be anything you want 4. Click **Test Connection** and then **Test User**. 5. **Save** your changes. **Add Attribute Values** After adding attributes to users and updating the SCIM Attribute Schema in Immuta, 1. In Okta, navigate to the **Assignments** tab for your application and click the **edit** icon next to the user you want to update attributes for. 2. Scroll to the **attribute** you created and add a value in the **textbox**. 3. **Save** your changes. Now that this attribute has been added to the user in Okta, it will automatically appear in Immuta for the same user. ### **Sync External Usernames with Okta SCIM in Immuta** {% hint style="info" %} You must configure a SCIM application and enable sync attributes before syncing external usernames. {% endhint %} 1. In Immuta, navigate to your **Okta SCIM** configuration on the **App Settings** page. 2. Under **Sync attributes from SAML to Immuta**, add an attribute for the field you would like to map to an external username. 3. Copy and paste the resulting attribute for the desired external username. 4. Click **Test Connection** and then **Test User**. 5. **Save** your changes. [^1]: You can either finish configuring your IAM on the app settings page before clicking save, or you can save now and return to the app settings page to edit the IAM configuration after saving.