Set up a SCIM User Provisioning App in Okta

This application note will show you how to deploy an Okta app integration manually using System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled a SCIM app integration with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between Okta and strongDM.

Before You Begin

Ensure that you are assigned the Account Administrator role in strongDM.

Okta SCIM Application Setup Guide

These instructions walk you through the process of adding a SCIM application in Okta and grabbing your token from the strongDM Admin UI. We recommend that you keep both Okta and the Admin UI open in your browser so you can easily tab between them.

Add a SCIM test application

  1. Log in to your Okta account.
  2. From your developer org's Admin Console, click Applications and then click Applications again on the navigation menu.
  3. Click Add Application.
  4. Search for SCIM 2.0 Test App (Header Auth).
  5. Click Add.
  6. On the General Settings page, set a descriptive Name for your integration.
  7. In Sign on methods > Credentials Details, set the Application Username Format to Email.
  8. Click Done.

Enable provisioning

  1. After the integration is created, click the Provisioning tab and then click Configure API Integration.

  2. Select the checkbox for Enable API Integration.

  3. Set the following properties:

    1. Base URL: Set as the base URL for your SCIM server.
    2. API Token: Set the token, from the strongDM Admin UI’s Settings > Provisioning section, in this format: Bearer {TOKEN}.

    Example: Bearer aabb12fjfl445...jkhksjhf98345un

    In this step, you’re using the HTTP Header authentication method and providing a bearer token to access your SCIM implementation.

    The token is generated when provisioning is turned on for your strongDM instance, and it is shown one time only. To enable provisioning, please contact

    1. Import Groups: Optional; select this if you want to import user groups from strongDM.
  4. Click Test API Credentials to test whether the Okta app integration can connect to your SCIM API. If there are errors, make sure your base URL and API token are correct and try again.

  5. Click Save to finish the integration setup.

Configure SCIM options

Next, configure SCIM options so that the Okta integration knows how to handle provisioning between the users in your SCIM app and their Okta user profiles.

  1. On the Provisioning tab of your Okta integration, in the Settings panel, click the To App tab and then click Edit.
  2. Select the checkboxes to enable the following options:
    1. Create Users: If enabled, assigns a new account in your downstream application for each user managed by Okta. If Okta detects that the username specified in Okta already exists in your application, Okta doesn't create a new account. The user's Okta username is assigned by default. Okta will send the user profile and a random password in its request to create a new user.
    2. Update User Attributes: If enabled, syncs any updates made to the profiles of users assigned to the integration and sends those changes to your downstream application. Profile changes made in your application are overwritten with their Okta profile values.
    3. Deactivate Users: If enabled, automatically deactivates user accounts in the downstream application when either the integration is removed from a user profile in Okta or if the Okta account is deactivated. Note that Okta can reactivate the user account in the downstream application if the integration is later reassigned to a user in Okta.
  3. Click Save.

Manual SCIM provisioning setup is now complete.