Configure and leverage the SCIM user directory integration with Okta
Before you begin:
Please complete the steps outlined in this SCIM Directory Integration support article to set up a new SCIM User Directory in your Kandji instance, and ensure you're on the Advanced Lifecycle Management plan with Okta, which supports built-in standards-based provisioning for SCIM.
Be sure to store or copy the token provided as outlined in step 9a of the Support article mentioned above. The token will not be visible again once you click Done, and it will be required in a later step.
- Log into your Okta Production or Developer tenant via login.okta.com.
- Once logged in, create a new Application Integration by going to Applications > Applications.
Note: The Kandji application available in the Okta Integration Network (OIN) cannot be provisioned for SCIM. A new Application Integration must be created to leverage SCIM. This new app integration will not interfere with any existing Okta SSO integration leveraging the OIN Kandji application.
- Click on the Create App Integration button.
- Select SAML 2.0 on the App Integration Wizard screen and click Next.
- Give the App a name, e.g., Kandji SCIM App. Check the boxes within the App visibility section and click Next.
- Under Section A: SAML Settings, enter a dummy URL in the Single Sign-on URL and Audience URI (SP Entity ID) fields. Leave all other fields default, scroll to the bottom of the page and click Next.
Note: Since we will not be using this application integration for SSO, the URLs do not need to be valid; however, URLs need to be entered in these fields in order to proceed.
- Select the first radio button, I’m an Okta customer adding an internal app. Skip all the ‘Optional’ fields and scroll down to the bottom of the page, then click Finish.
- You should now be in the new Application Integration named Kandji SCIM App (or the name you entered when naming the app in step 6), on the Sign On tab.
- Click on the General tab, click Edit under App Settings, and check the box to Enable SCIM Provisioning. Leave all other fields default and click Save.
- Click on the Provisioning tab, click Edit within the SCIM Connection section.
- Enter the SCIM connector base URL obtained in step 9a in the SCIM Directory Integration article mentioned above.
- Enter userName in the Unique identifier field for users.
- Check off the boxes for Push New Users and Push Profile Updates.
- Change Authentication Mode to HTTP Header.
- Enter the Bearer Token you obtained in the SCIM Directory Integration article mentioned above.
- Click on the Test Connector Configuration button to test integration. Your results should look like the sample below. Click Close to close the Test Connector Configuration window. Then click Save to save the SCIM Connection settings.
- You should still be on the Provisioning tab, in the To App section under Settings.
- Click on Edit in the Provisioning to App section.
- Check the Enable boxes for ‘Create Users’, ‘Update User Attributes’, and ‘Deactivate Users’ within the Provisioning to App section and click Save.
- Go to Directory > Groups to create a User Group for Kandji Users and click Add Group.
- Give the group a Name, e.g., Kandji Users, and enter a description.
- If User Accounts already exist in your Okta instance, skip ahead to step 20 (the Directory > Groups step below). To add a User Account, go to Directory > People in the left pane menu and click on the Add Person button.
- Create a test user account in Okta by filling out the Add Person wizard:
- In the Groups field, start typing the first few letters of the Group created in Step 17 (Kandji Users) and select it.
- For Password field, select Set by Admin.
- Uncheck ‘User must change password on first login'.
- Go to Directory > Groups; you should see the new group in the list of Groups. Click on the Kandji Users group.
- Click on the Manage Apps button to assign the Application created in Steps 4 through 10 (the Kandji SCIM App).
- Click on the Assign button next to the Kandji SCIM App.
- Set Preferred Language and Locale for users in this group. All other fields can be left blank.
- Confirm the Kandji SCIM App has been Assigned and click the Done button.
- You should now see the User Account(s) that were added to the Kandji Users group in your Kandji instance.
User syncing is one-way, meaning the Okta Kandji SCIM app will send user information to Kandji when there is new information to be sent. Therefore, 'Sync Now' is not an option available in the web app.