SCIM - Okta
1 Before You Start
- You must have a ProcedureFlow account with "Org Admin" role and a pricing plan that supports SCIM
- You must have an Okta account with administrative access to configure Applications
- Decide the scope of the deployment, i.e. whether users only or users and groups will be provisioned.
2 Configure ProcedureFlow to Support Provisioning
- Sign into ProcedureFlow using your Org Admin account.
- Go to Administration > Developers > Personal Access Tokens and click New Access Token to create a new token to use for SCIM.
- Name the token, select an expiration, and assign the Read and write SCIM permission.
Note When the token expires, the Okta integration stops working until a new token is generated and entered in Okta. Choose an expiry long enough to cover the deployment and record the date so the token can be rotated before it lapses. A token with no expiry avoids that outage, but it is a standing credential with SCIM write access and should be tracked, stored securely, and revoked when it is no longer needed.
- Click Create Token. The token will temporarily appear on the Personal Access Tokens screen. Copy the token and store it somewhere secure; you will need it when configuring Okta, and once you refresh this screen the token will no longer be displayed.
3 Create and Configure a new Application in Okta
Important These steps were accurate at time of publication, but because they reflect a third party's processes they are subject to change. Please confirm with Okta Administrators.
- In the Okta Admin sidebar menu, choose Applications > Applications.
- Click Browse App Catalog on the applications page.
- In the search bar, type “scim 2.0 header auth” and select the “SCIM 2.0 Test App (Header Auth)” option. Choosing this specific catalog entry is important: it is what makes Okta use PATCH requests when updating groups.
- Click Add Integration to add and configure a new SCIM enabled Okta application.
- On the General Settings tab, add a name for the application in the Application label field. Indicate your organization's preferences for the Application Visibility and Browser plugin auto-submit checkboxes. These fields can be changed at any time after the initial configuration.
Note The Sign-On Options tab is not in scope of this procedure.
- When you click Next you will be redirected to the application configuration screen, where you will configure and administer the ProcedureFlow integration going forward. Go to the Provisioning tab and click Configure API Integration. This will take you through the SCIM setup configuration.
- Enable connectivity with the ProcedureFlow SCIM API:
A Select the Enable API Integration checkbox.
B Enter https://api.procedureflow.com/v1/scim/v2 in the Base URL field.
C Enter the token created in step 2 above in the API Token field, prefixed with “bearer” and a space. The field value should look like this: bearer <token>
D Click Test API Credentials. This sends a GET request to https://api.procedureflow.com/v1/scim/v2/Users?startIndex=1&count=2 and expects a 200 OK response containing an empty list of users. When this succeeds, the screen displays SCIM 2.0 Test App (Header Auth) was verified successfully! with a green checkmark (as shown in the following screenshot).
- Once the integration is connected, two more options appear in the Provisioning section and the square at the top of the application header turns green. As shown in the following screenshot, To App and To Okta settings are now available in the left sidebar. If you hover over the green square you will see an Import New Users is enabled tooltip.
- In the To App section, click Edit to the right of the title Provisioning to App (see screenshot above). Select the following three checkboxes:
- Create Users
- Update User Attributes
- Deactivate Users
Then click Save. You'll see an additional two squares highlighted in green in the application header bar. Their tooltips say Push New Users is enabled and Push User Deactivation is enabled respectively.
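The Test API Credentials step above can be reproduced from the command line before touching Okta, which makes it easier to tell a bad token apart from a misconfigured Okta app. The following is an added example, not ProcedureFlow's or Okta's code: it builds the same GET that Okta sends, applies the "bearer <token>" header format the API Token field requires, and judges the reply the way Okta does (HTTP 200 plus a SCIM 2.0 ListResponse, per RFC 7644, with no users yet). The environment variable name and the sample response bodies are assumptions constructed for the example.

```python
"""Pre-flight check for the ProcedureFlow SCIM endpoint.

Added example (not ProcedureFlow or Okta code). It builds the same request that
Okta's "Test API Credentials" button sends and judges the reply the way Okta
does: HTTP 200 and a SCIM 2.0 ListResponse (RFC 7644) with no users yet.
The environment variable name and the constructed sample bodies are assumptions.
"""
import json
import os
import urllib.request
from typing import List
from urllib.error import HTTPError

BASE_URL = "https://api.procedureflow.com/v1/scim/v2"
TEST_PATH = "/Users?startIndex=1&count=2"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def auth_header(token: str) -> str:
    """Value for the Authorization header, matching the 'bearer <token>' format
    the Okta API Token field requires. The prefix is added if it is missing and
    kept (not doubled) if the token was pasted with it already."""
    token = token.strip()
    if not token:
        raise ValueError("empty token")
    if token.lower().startswith("bearer "):
        return "bearer " + token[7:].strip()
    return "bearer " + token


def build_test_request(token: str) -> urllib.request.Request:
    """The GET Okta issues when you click Test API Credentials."""
    return urllib.request.Request(
        BASE_URL + TEST_PATH,
        headers={"Authorization": auth_header(token),
                 "Accept": "application/scim+json"},
        method="GET",
    )


def check_list_response(status: int, body: bytes) -> List[str]:
    """Return the problems found; an empty list means Okta would show the green
    'verified successfully' result."""
    problems = []
    if status != 200:
        problems.append("expected 200 OK, got %d" % status)
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["response body is not JSON"]
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        problems.append("missing ListResponse schema")
    resources = doc.get("Resources")
    if not isinstance(resources, list):
        problems.append("Resources is not a list")
    elif resources:
        problems.append("%d user(s) already exist; expected an empty list" % len(resources))
    if doc.get("totalResults") != 0:
        problems.append("totalResults should be 0 for a fresh tenant")
    return problems


def run_live_check(token: str, opener=urllib.request.urlopen) -> List[str]:
    """Perform the request against the real endpoint (network access required)."""
    req = build_test_request(token)
    try:
        with opener(req, timeout=15) as resp:
            return check_list_response(resp.status, resp.read())
    except HTTPError as err:
        problems = check_list_response(err.code, err.read())
        if err.code in (401, 403):
            problems.append("rejected: check the token, its SCIM permission, "
                            "its expiry and the 'bearer ' prefix")
        return problems


# Constructed sample bodies (not captured from ProcedureFlow).
SAMPLE_EMPTY_OK = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 0, "startIndex": 1, "itemsPerPage": 0, "Resources": [],
}).encode()
SAMPLE_ONE_USER = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{"id": "example-id", "userName": "alice@example.com"}],
}).encode()
SAMPLE_UNAUTHORIZED = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
    "status": "401", "detail": "invalid token",
}).encode()


if __name__ == "__main__":
    token = os.environ.get("PROCEDUREFLOW_SCIM_TOKEN")  # assumed variable name
    if token:
        for line in run_live_check(token) or ["endpoint ready for Okta"]:
            print(line)
    else:
        print("PROCEDUREFLOW_SCIM_TOKEN not set; running offline self-check only")
        print(check_list_response(200, SAMPLE_EMPTY_OK))
```

Run it with the personal access token in PROCEDUREFLOW_SCIM_TOKEN. A 401 or 403 from the live check almost always means the token itself: a missing "bearer " prefix, an expired token, or a token created without the Read and write SCIM permission. A 200 with users already listed is not an error for Okta, but it tells you the tenant is not empty and the first import will match existing accounts rather than create new ones.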
4 Define Who Will Be in Scope for Provisioning
User Provisioning
To select which users are in scope to be provisioned to ProcedureFlow, go to the Assignments tab in the Application settings. You can either assign users directly to the application or assign them via groups.
Note It is recommended to start with a small group of users or a limited sized group. Before rolling out to a larger audience, verify that things are working as expected. Newly added users in the small test group should receive an email invite to join ProcedureFlow.
- Assign People: You can assign users individually by clicking the Assign dropdown and selecting Assign to People.
- Assign Groups: For large organizations it can become tedious to assign users individually, so it is recommended to assign users via groups. Click the Assign dropdown and select Assign to Groups. Note that this does not create groups in ProcedureFlow; it is only a form of bulk assignment. Okta requires you to use separate groups for application assignment and for pushing group memberships. One suggestion is to create a single group for assignment, e.g. ProcedureFlow Users, that is used to assign individuals to the ProcedureFlow application, and then have multiple groups for pushing memberships, e.g. Service, Marketing, Operations, etc.
Note If you do not plan to push group memberships from Okta into ProcedureFlow, then you must assign user permissions inside of ProcedureFlow directly to each individual user.
Group Provisioning
To provision groups in Okta go to the Push Groups tab in the Application settings. It is important to reiterate that you must create separate groups for user assignment and for creating groups in ProcedureFlow (or any SCIM integration with Okta for that matter).
- Click the Push Groups dropdown and choose Find groups by name. Search for a group that you want to add.
- When adding a new group, click Create Group in the Match result & push action section. Click Save or Save & Add Another if adding more groups.
- You will be redirected back to the Push Groups tab. The newly added group(s) should temporarily have a Push Status of Pushing which should quickly change to Active. This means that the group has successfully been created in ProcedureFlow.