SCIM Directory Integration - Okta

By Rick Metzner

Configure a SCIM user directory integration with Okta

Before You Begin

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Kandji instance. You will need to obtain the SCIM access token and API URL.
  • Ensure you’re using Okta’s Advanced Lifecycle Management plan, which supports built-in, standards-based provisioning for SCIM.
  • Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.

Create the SCIM Integration in Okta

The Kandji application available in the Okta Integration Network (OIN) cannot be provisioned for SCIM. A new Application Integration must be created to leverage SCIM. This new app integration will not interfere with any existing Okta SSO integration leveraging the OIN Kandji application.
  1. Log in to your Okta tenant via login.okta.com.
  2. Once logged in, in the left-hand navigation, go to Applications > Applications
  3. Click Create App Integration.

  4. Select SAML 2.0 as the application type and click Next.
  5. In General Settings, give the App a name and check the box within the App visibility section. Then, click Next.
  6. In SAML Settings, enter a dummy URL in the Single sign-on URL and Audience URI (SP Entity ID) fields. Do not change any other settings.
  7. Click Next.

    Since we will not be using this application integration for SSO, the URLs do not need to be valid; however, you must enter URLs in these fields in order to proceed. If you decide to enable SAML SSO in Kandji, you can use this same app to do so.


  8. In Help Okta Support understand how you configured this application, select I’m an Okta customer adding an internal app, and click Finish.

Configure SCIM settings

  1. In the Kandji SCIM app, navigate to the General tab.
  2. In the Settings section, click Edit.
  3. Select SCIM in the Provisioning setting.
  4. Do not modify any other settings, and click Save.

  5. In the Provisioning tab, click Edit in the Integration section.
  6. For SCIM connector base URL, enter the SCIM integration base URL copied from Kandji (example: https://accuhive.api.kandji.io/api/v1/scim).
  7. For Unique identifier field for users, enter userName.
  8. For Supported provisioning actions, select Push New Users, Push Profile Updates, and Push Groups.
  9. For Authentication Mode, select HTTP Header.
  10. For Authorization, enter the Bearer Token obtained in the Kandji SCIM Directory Integration article mentioned above.
  11. Click Test Connector Configuration to test the integration.

    • Only Create Users, Update User Attributes, and Push Groups should be checked in the modal that displays.
  12. Click Save.


  13. While still on the Provisioning tab, go to the To App section and click Edit.

  14. In the Provisioning to App section, enable Create Users, Update User Attributes, and Deactivate Users.

  15. Click Save.

  16. (Optional) In Attribute Mappings, edit the user attributes to send to Kandji. Kandji will only store and use the attributes mentioned in the SCIM Directory Integration knowledge base article.

Users and Groups

Assigning users to Kandji

This section covers assigning users to Kandji by creating an Okta user group called kandji_apple_users. This group will be added to the Assignment tab in the Okta SCIM app. 

 This method is just one example showing how to assign users to Kandji via Okta SCIM.
  1. In a new browser tab, navigate to Directory > Groups and click Add Group.
  2. Give the group a meaningful name like kandji_apple_users and click Save.
  3. Search for the group you just created and add one or more test users.
  4. Navigate back to the browser tab where the Okta SCIM app is open.
  5. Go to the Assignments tab, click Assign > Assign to Groups.

  6. Search for the newly created group and click Assign > Save and Go Back.

  7. Confirm that the group was assigned and click Done. The group should now appear in the Assignments tab’s Groups section.

  8. If the group does not display, try refreshing the browser tab.

All of the users that belong to this group will be pushed to Kandji and will show up in the Users module. We will discuss how to push groups to Kandji in the next section.

Pushing groups to Kandji

In this section, learn how to push user groups to Kandji.

When planning to push Okta groups to Kandji for use in Assignment rules, for each group that you would like to push, add it to the Group Push tab in the SCIM app.

Per this Okta article, groups used to assign users in the Assignment tab cannot be used in the Push Groups tab. Okta recommends creating additional groups containing the same users and adding the new groups to the Push Groups tab for consistent group membership.

If the same group is added in both places, the assignment tab will take precedence, and the group may not be pushed. One way to handle this is to create a single “user assignment” group containing all your Kandji users and add that group to the Assignment tab. From there, you can use your existing Okta groups as Push Groups. Remember that for the user-group association to work, the members of the pushed groups must also be members of the Kandji users group assigned to the SCIM app.

  1. In the Push Groups tab, select Push Groups > Find groups by name. (If preferred, you can also use Find groups by rule.)

  2. Search for a group and select it.

  3. Ensure that Create Group is chosen.

  4. Click Save & Add Another.

  5. Search for and add additional groups that you would like to push to Kandji.

For the user-group association to work, the members of the pushed groups must also be members of the Kandji users group assigned to the SCIM app.

Automatically updating membership for the kandji apple users group

Okta group rules can be used to automatically update the kandji_apple_users group when you add someone to one of your existing groups used as push groups. For example, a rule can be created so that when you add new users to the developers group, they are also added to the kandji_apple_users group. The new users will be assigned to the SCIM app and sent to Kandji via the SCIM integration, and group associations will be updated.

  1. Click on Directory > Groups > Rules > Add Rule.
  2. Give the rule a name. Example: “update kandji_apple_users group membership”
  3. Choose Group membership as the condition.
  4. Enter the names of the groups used as push groups.
  5. For Assign to enter kandji_all_apple.
  6. Click Save.

  7. Back on the group rules page, next to the rule, select the Actions dropdown and then Activate.
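
The push-group constraints described earlier and the group rule in this section can be checked on paper before anything is pushed. The following Python sketch is an added example, not Kandji or Okta code: it lints a planned group layout for a group used on both the Assignments and Push Groups tabs and for push-group members missing from the assignment group, then models the membership rule. The function names and the sample directory are assumptions constructed for illustration.

```python
# Added example: pre-flight check of a planned Okta group layout for the Kandji SCIM app.
# All group names and members below are constructed sample data.

def lint_group_plan(groups, assignment_groups, push_groups):
    """Return findings for the two constraints described in the article."""
    findings = []
    # Constraint 1: a group on the Assignments tab must not also be a push group.
    for name in sorted(set(assignment_groups) & set(push_groups)):
        findings.append(("overlap", name, None))
    # Users who will actually be provisioned to Kandji via the Assignments tab.
    assigned = set()
    for name in assignment_groups:
        assigned |= set(groups.get(name, ()))
    # Constraint 2: every push-group member must also be an assigned user.
    for name in sorted(push_groups):
        for user in sorted(set(groups.get(name, ())) - assigned):
            findings.append(("unassigned_member", name, user))
    return findings


def apply_membership_rule(groups, source_groups, target_group):
    """Model the Okta group rule: members of any source group join the target group."""
    updated = {name: set(members) for name, members in groups.items()}
    updated.setdefault(target_group, set())
    for name in source_groups:
        updated[target_group] |= updated.get(name, set())
    return updated


# Constructed sample directory (not real users).
GROUPS = {
    "kandji_apple_users": {"ana@example.com", "bo@example.com"},
    "developers": {"ana@example.com", "cy@example.com"},
    "designers": {"bo@example.com"},
}
ASSIGNMENT = ["kandji_apple_users"]
PUSH = ["developers", "designers"]

if __name__ == "__main__":
    for finding in lint_group_plan(GROUPS, ASSIGNMENT, PUSH):
        print("before rule:", finding)
    fixed = apply_membership_rule(GROUPS, PUSH, "kandji_apple_users")
    print("after rule:", lint_group_plan(fixed, ASSIGNMENT, PUSH))
    print("misplanned:", lint_group_plan(GROUPS, ASSIGNMENT, PUSH + ASSIGNMENT))
```

An `unassigned_member` finding marks a user whose pushed group membership would have no matching user in Kandji; an `overlap` finding marks a group that may not be pushed because the Assignments tab takes precedence.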

Pushing group updates

  • If you add additional users to the group assigned to the SCIM app in Okta, be sure to also update the groups that you’ve added as the Push groups.
  • Updates should be seen in Kandji fairly quickly, but if you would like to push group updates immediately, you can choose the option to Push Now from the Push Groups tab in the Okta app. More information can be found in the Okta article.

    User and group syncing is one-way, meaning the SCIM app will send user information to Kandji only when there is new or updated information to be sent. For this reason, a "Sync Now" option is not needed in the Kandji web app.

Deleting Pushed Groups

Use the following steps to stop pushing group updates or optionally delete a pushed group from Kandji.

  1. Go to the Push Groups tab for the app in Okta.
  2. In the Push Status column, select Unlink push group.

  3. Select the option to Delete the group in the target app (recommended). This will DELETE the group in the target app, and user accounts will NOT be deleted. The user accounts are tied to the assignment group on the Provisioning tab. 
  4. Click Unlink.

You should no longer see the group listed in the Push Groups tab.