Set up SCIM with Okta

Automate the provisioning and deprovisioning of Okta users


Prerequisites

Before you set up System for Cross-domain Identity Management (SCIM) for Okta, ensure these requirements are met:

  • You have set up single sign-on (SSO) for an organization in Unity Cloud, and your SSO setup includes the domains whose users you want to provision automatically. Unity has validated these domains. Read more about creating an organization and setting up SSO.
  • An Okta instance exists and manages these users.
  • An existing Okta application is set up with Unity SSO.

Provision a service account

Before you configure SCIM, provision a Unity service account:

  1. Go to Unity Cloud.

  2. To switch to the organization for which you want to set up SCIM, select your username, select Switch organization, and then select an organization.

  3. Go to Administration > Service accounts.

  4. To create a service account, select New.

  5. Enter a name and a description for the service account, and then select Create.

    Unity creates a service account and displays its details.

  6. Assign the SCIM Authenticator role to the account:

    1. In the Organization Roles section, select Manage Organization Roles.
    2. Set Admin to SCIM Authenticator, and then select Save.
  7. Create keys for the authentication and use of the service account:

    1. In the Keys section, select Add key.

    2. Copy all the key information and keep it.

      Your Identity Provider (IdP) service requires this information.

Read more about creating a Unity service account in the Unity Services documentation.

Fetch the SCIM connector URL for your organization

  1. On a new tab, go to Unity Cloud.

  2. Switch to the organization for which you want to set up SCIM.

  3. Go to Administration > Single sign on.

  4. In the SCIM section, locate the field for the SCIM base connector URL and copy the value.

    Your IdP service requires this information.

In Okta, turn on SCIM for the provisioning of users

  1. On a new tab, sign in to your Okta admin instance with an admin account.

  2. Go to Applications > Applications, and then select your Unity SSO application.

  3. On the General tab, select Edit next to App Settings.

  4. Turn on SCIM for the provisioning of users, and then select Save.

  5. In Okta, go to the Provisioning tab.

  6. In the Integration section, select Edit next to SCIM Connection.

  7. Set this configuration:

    • SCIM base connector URL: paste the value that you have copied from Unity Cloud.
    • Unique identifier field for users: enter email.
    • Supported provisioning actions: select Push New Users and Push Profile Updates.
    • Authentication mode: select Basic Auth.
    • Username: paste the ID of the key that you have generated for the service account.
    • Password: paste the secret of the key that you have generated for the service account.
  8. Select Save.

    Okta verifies the setup and informs you of any errors.

In Okta, set up the provisioning of users through SCIM

  1. In Okta, go to the To App settings page.

  2. On the Provisioning tab, select Edit next to Provisioning to App.

  3. Turn on these provisioning actions:

    • Create users
    • Update user attributes
    • Deactivate users
  4. Select Save.

  5. In the Attribute Mappings section, set these attributes:

    • userName: set this attribute to the user's primary email address, as configured in the application's sign-on settings.

    • givenName: enter user.firstName. You'll include this variable in the displayName expression.

    • familyName: enter user.lastName. You'll include this variable in the displayName expression.

    • displayName: enter this expression:

      user.firstName + " " + user.lastName

      Okta doesn't accept smart quotes. If pasting the expression produces smart quotes, type the straight double quotes manually.

    • locale: enter user.locale.

    • email: enter user.email. The userName attribute uses the email attribute.

    Set all these attributes so that Okta applies their mapping for the creation or update of a user profile in Unity.

  6. On the Sign On tab, in the Credentials Details section, verify that Update application username on is set to Create and update.
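To see what the settings above produce, here is an added example (not code from the Unity or Okta documentation) that applies the attribute mappings to an Okta user profile, builds the Basic Auth header from the service-account key ID and secret, and describes the resulting push request. The /Users path and the JSON shape are assumptions taken from the SCIM 2.0 standard (RFC 7643/7644), not from this page, and the HTTPS check is a practitioner's caveat: with Basic Auth the key secret travels with every request.

```python
import base64
from urllib.parse import urlparse

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def basic_auth_header(key_id: str, key_secret: str) -> str:
    """Okta's Basic Auth mode sends 'Username:Password' base64-encoded; here the
    Username is the service-account key ID and the Password is the key secret."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return f"Basic {token}"

def check_base_url(base_url: str) -> str:
    """Refuse a non-HTTPS connector URL: with Basic Auth the key secret would
    otherwise travel in clear text on every provisioning request."""
    parts = urlparse(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"SCIM base connector URL must be https://...: {base_url!r}")
    return base_url.rstrip("/")

def map_okta_user(profile: dict) -> dict:
    """Apply the page's attribute mappings to an Okta user profile:
    userName and emails <- user.email, givenName/familyName <- firstName/lastName,
    displayName <- user.firstName + " " + user.lastName, locale <- user.locale."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": profile["email"],  # unique identifier field for users: email
        "name": {"givenName": profile["firstName"], "familyName": profile["lastName"]},
        "displayName": profile["firstName"] + " " + profile["lastName"],
        "locale": profile["locale"],
        "emails": [{"value": profile["email"], "primary": True}],
        "active": True,
    }

def build_push_request(base_url: str, key_id: str, key_secret: str, profile: dict) -> dict:
    """Describe the 'Push New Users' call (assumed SCIM 2.0: POST {base}/Users).
    Returned as a plain dict so it can be inspected without sending anything."""
    return {
        "method": "POST",
        "url": check_base_url(base_url) + "/Users",
        "headers": {"Authorization": basic_auth_header(key_id, key_secret),
                    "Content-Type": "application/scim+json"},
        "body": map_okta_user(profile),
    }

# Constructed sample profile (not a real user); real key values come from the service-account key.
SAMPLE_PROFILE = {"firstName": "Ada", "lastName": "Lovelace",
                  "email": "ada@example.com", "locale": "en_US"}
```

Comparing the body this produces against a user that Okta actually created in Unity is a quick way to confirm that every mapping in step 5 was saved.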

Select Okta users for automated provisioning

  1. In Okta, go to the Assignments tab.

  2. Select the users for whom you want to automate provisioning in Unity, either individually or as a user group.

    When you select users, Unity automatically provisions them.

  3. To provision these users, select Provision User.

  4. To provision any users who remain unprovisioned, use one of these methods:

    • To provision users individually, select Provision User next to a user.
    • To provision all non-provisioned users, select Sync All in the Okta notification.