SCIM Directory Integration - Okta

By Rick Metzner

Configure a SCIM user directory integration with Okta

Before You Begin

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji instance. You will need to obtain the SCIM access token and API URL.
  • Ensure you’re using Okta’s Advanced Lifecycle Management plan, which supports built-in, standards-based provisioning for SCIM.
  • Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.

Create the SCIM Integration in Okta

Note: The Kandji application available in the Okta Integration Network (OIN) cannot be provisioned for SCIM. A new Application Integration must be created to leverage SCIM. This new app integration will not interfere with any existing Okta SSO integration leveraging the OIN Kandji application.

  1. Log into your Okta tenant via login.okta.com.
  2. Once logged in, in the left-hand navigation, go to Applications > Applications.
  3. Click Create App Integration.
  4. Select SAML 2.0 as the application type and click Next.
  5. In General Settings, give the App a name and check both boxes within the App visibility section. Then, click Next.
  6. In SAML Settings, enter a dummy URL in the Single sign-on URL and Audience URI (SP Entity ID) fields. Do not change any other settings.
  7. Click Next.

    Note: Since we will not be using this application integration for SSO, the URLs do not need to be valid; however, you must enter URLs in these fields in order to proceed. If you decide to enable SAML SSO in Kandji, you can use this same app to do so.
  8. In Help Okta Support understand how you configured this application, select I'm an Okta customer adding an internal app, and click Finish.

Configure SCIM settings

  1. In the Kandji SCIM app, navigate to the General tab.
  2. In the Settings section, click Edit.
  3. Select SCIM in the Provisioning setting.
  4. Do not modify any other settings, and click Save.
  5. In the Provisioning tab, click Edit in the Integration section.
  6. For SCIM connector base URL, enter the SCIM integration base URL copied from Kandji (example: https://accuhive.clients.us-1.kandji.io/api/v1/scim). 
  7. For Unique identifier field for users, enter userName.
  8. For Supported provisioning actions, select Push New Users, Push Profile Updates, and Push Groups.
  9. For Authentication Mode, select HTTP Header.
  10. For Authorization, enter the Bearer Token obtained in the Kandji SCIM Directory Integration article mentioned above. Treat this token as a credential: anyone holding it can create, update, and deactivate users in your Kandji instance through the SCIM API.
  11. Click Test Connector Configuration to test the integration.

    • In the modal that displays, only Create Users, Update User Attributes, and Push Groups should be checked.
  12. Click Save.

  13. While still on the Provisioning tab, go to the To App section and click Edit.

  14. In the Provisioning to App section, enable Create Users, Update User Attributes, and Deactivate Users.

  15. Click Save.

  16. (optional) In Attribute Mappings, edit the user attributes sent to Kandji. Kandji will only store and use the attributes listed in the SCIM Directory Integration knowledge base article.
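If Test Connector Configuration fails, it helps to exercise the SCIM base URL and bearer token outside of Okta, so you can tell a bad URL (HTTP 404) from a bad or expired token (HTTP 401). The script below is an added example, not code from this article, from Kandji, or from Okta. It performs the same lookup Okta does before creating or updating a user: GET /Users filtered on userName, the unique identifier configured in step 7, with the token sent as an HTTP Bearer header as in steps 9 and 10. It assumes the base URL form shown in step 6 (the tenant name is the article's example) and that the Kandji SCIM endpoint honors the standard SCIM 2.0 filter parameter (RFC 7644); the sample response is constructed, not captured from Kandji.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Base URL in the form the article shows; the tenant name is the article's example.
SCIM_BASE_URL = "https://accuhive.clients.us-1.kandji.io/api/v1/scim"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample of a successful lookup response (not captured from Kandji).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "Resources": [{
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": "c0ffee",
        "userName": "jane@example.com",
        "active": True,
    }],
})


def build_user_lookup(base_url, token, user_name):
    """Return (url, headers) for GET /Users?filter=userName eq "<user_name>".

    userName is the unique identifier configured in Okta, so this is the
    lookup Okta performs to decide between creating and updating a user. The
    token travels in the Authorization header, which is what Okta sends when
    Authentication Mode is HTTP Header.
    """
    # SCIM filter values are double-quoted; escape embedded quotes, then
    # percent-encode the whole filter (quote_via=quote yields %20 rather than '+').
    filt = 'userName eq "%s"' % user_name.replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": filt}, quote_via=urllib.parse.quote)
    url = base_url.rstrip("/") + "/Users?" + query
    headers = {
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json",
    }
    return url, headers


def parse_list_response(body):
    """Validate a SCIM 2.0 ListResponse body and return the userNames it contains."""
    doc = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    return [r.get("userName") for r in doc.get("Resources", [])]


def lookup_user(base_url, token, user_name):
    """Run the lookup against the live endpoint; return (http_status, userNames).

    401 means the token is wrong or was rotated; 404 means the base URL is wrong.
    The token is never printed or logged.
    """
    url, headers = build_user_lookup(base_url, token, user_name)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, parse_list_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, []


if __name__ == "__main__":
    # Usage: KANDJI_SCIM_TOKEN=... python scim_check.py jane@example.com
    token = os.environ.get("KANDJI_SCIM_TOKEN")
    if not token or len(sys.argv) != 2:
        sys.exit("usage: KANDJI_SCIM_TOKEN=<token> python scim_check.py <userName>")
    status, names = lookup_user(SCIM_BASE_URL, token, sys.argv[1])
    print("HTTP", status, "matching userNames:", names)
```

Keep the token in an environment variable or a secrets manager rather than on the command line, where it would land in shell history and process listings. An empty match list with HTTP 200 is a valid result: it simply means that user has not yet been pushed to Kandji.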

Users and Groups

  1. In a new browser tab, navigate to Directory > Groups and click Add Group to create a group for Kandji users.
  2. Give the group a meaningful name and click Save.
  3. Search for the group that you just created and add one or more test users to the Group.

    • If you plan to push groups to Kandji, create an additional group, such as kandji_scim, that contains the same users as the previous group. This additional group is needed because the same Okta group cannot be used for both app assignments and group push. See Okta's group push documentation for more information.
  4. Navigate back to the browser tab where the Okta SCIM app is open.

  5. In the Assignments tab, click Assign > Assign to Groups.

  6. Search for the first group that you created earlier and click Assign.

  7. In the Assign Kandji SCIM App to Groups modal, modify settings as needed and click Save and Go Back.

  8. Confirm that the group has been Assigned and click Done. The group should now show in the Groups section in the Assignments tab. Note: if the group does not display, try refreshing the browser tab.

  9. In the Push Groups tab, select Push Groups > Find groups by name

  10. Search for the second group that you created earlier (in the example, we called it kandji_scim) and select it.

  11. Ensure that Create Group is chosen.

  12. Click Save.

  13. Repeat the last three steps for any other groups that you want to push. Keep in mind that the users also must be assigned to the app in order for the association to occur in Kandji.

Pushing updates

  • If you add additional users to the group assigned to the SCIM app in Okta, be sure to also add them to the group that you've designated as the Push group. In our example, this group was called kandji_scim.
  • Updates should be seen in Kandji fairly quickly, but if you would like to push group updates immediately, you can choose the option to Push Now from the Push Groups tab in the Okta app. More information can be found in the Okta article.

Deleting Pushed Groups

Use the following steps to stop pushing group updates or optionally delete a pushed group from Kandji.

  1. Go to the Push Groups tab for the app in Okta.
  2. In the Push Status column, select Unlink push group.
  3. Select the option to Delete the group in the target app (recommended). This will DELETE the group in Kandji, but user accounts will NOT be deleted. User accounts are tied to the group assigned to the app on the Assignments tab, not to the pushed group.
  4. Click Unlink.

You should no longer see the group listed in the Push Groups tab.

Syncing
User and group syncing is one-way: Okta sends user and group information to Kandji only when there is new or updated information to send. For this reason, a "Sync Now" option is not needed in the Kandji web app.