Skip to main content

SCIM Provisioning with Okta

This guide explains how to connect Okta to your application using SCIM (System for Cross-domain Identity Management) for automated user and group provisioning.

Prerequisites

Before you begin, ensure you have:

  • An Okta admin account
  • Your SCIM Base URL: https://webrix-admin.<your-domain>.com/scim/v2
  • Your SCIM Bearer Token (AUTH_SECRET)
  • Groups/Users you want to sync

1. Create a New Application in Okta

1.1 Navigate to Okta Applications

Go to your Okta admin portal:

https://<your-domain>-admin.okta.com/admin/apps

1.2 Create a New App Integration

  1. Click Create App Integration
  2. Select SAML 2.0
  3. Click Next

Okta New App

1.3 App Information

  • App name: Webrix SCIM Integration

  • Logo: Upload this logo:

    Webrix Scim Logo

  • Click Next

2. Configure SAML (Placeholder Values Only)

info

The SCIM implementation does not use SAML for authentication. These values are only required by Okta to create the app integration.

Use the following placeholder values:

  • Single sign-on URL: https://webrix-admin.<your-domain>.com
  • Audience URI (SP Entity ID): https://webrix-admin.<your-domain>.com

Click Next, then Finish.

3. Enable SCIM Provisioning in the App

3.1 Open the App General Tab

  1. Scroll to App Settings
  2. Click Edit
  3. Enable the SCIM toggle
  4. Click Save

4. Configure SCIM Connector

4.1 Go to the Provisioning Tab

  1. Navigate to the new Provisioning tab
  2. Click Edit in the SCIM Connection area

4.2 Enter SCIM Details

Configure the following fields:

FieldValue
SCIM connector base URLhttps://webrix-admin.<your-domain>.com/scim/v2
Unique identifier field for usersemail
Supported provisioning actionsSelect all
Authentication ModeHTTP Header
AuthorizationBearer <YOUR_AUTH_SECRET>

4.3 Test the Connection

  1. Click Test Connector Configuration
  2. If successful, click Save

5. Enable Provisioning Actions

5.1 Configure Provisioning to App

  1. In the ProvisioningTo App section, click Edit
  2. Enable the following:
    • ☑ Create Users
    • ☑ Update User Attributes
    • ☑ Deactivate Users
  3. Click Save

6. Assign Users or Groups

6.1 Assign Groups to the Application

  1. Navigate to Applications and locate your SCIM integration app
  2. Click the dropdown menu (▼) to the right of the app
  3. Select Assign to Groups
  4. Assign the groups you want synchronized with your application

7. Push Groups (SCIM Group Sync)

  1. Inside your SCIM integration app, go to Push Groups
  2. Click + Push Groups
  3. Choose Find groups by name
  4. Add the groups you have assigned earlier
  5. Click Save

Verification

Once configured, the integration will automatically:

  • Provision new users when they are added to assigned groups in Okta
  • Update user attributes when they are modified in Okta
  • Deactivate users when they are removed from assigned groups
  • Sync group membership changes to your application via SCIM

You can verify the sync status in Okta by checking the Provisioning tab logs and monitoring user/group operations.

Troubleshooting

Connection Test Fails

  • Verify your AUTH_SECRET is correct and matches the server configuration
  • Ensure the SCIM Base URL is accessible from Okta's network
  • Check that the Authorization header includes the Bearer prefix

Users Not Syncing

  • Confirm users are assigned to groups that are pushed to the application
  • Check the ProvisioningTo App settings are enabled
  • Review Okta's provisioning logs for error messages

Group Sync Issues

  • Ensure groups are both assigned (step 6) and pushed (step 7)
  • Verify the group has members before attempting to sync
  • Check that group operations are completing successfully in Okta logs