
Set up an App in Okta for User & Group Provisioning

This feature set is currently in closed-access beta. Functionality and documentation may change. Please contact your Customer Success Manager if interested in this beta!

This beta documentation will show you how to deploy an Okta app integration manually using System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled a SCIM app integration with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between Okta and strongDM.

Before You Begin

  • Ensure that you are assigned the Account Administrator role in strongDM.
  • If you are currently using the Okta script we provided to do directory sync through the strongDM API, please disable that before activating the SCIM Provisioning integration.

Okta Provisioning Setup Guide

These instructions walk you through the process of adding a SCIM application in Okta and grabbing your token from the strongDM Admin UI. We recommend that you keep both Okta and the Admin UI open in your browser so you can easily tab between them.

Add a SCIM application

  1. Log in to your Okta account.
  2. From your developer org's Admin Console, select Applications and then select the Applications option on the navigation menu.
  3. Select the Browse App Catalog button.
  4. Search for SCIM 2.0 Test App (Header Auth) and select it.
  5. Click Add.
  6. On the General Settings page, change the Application label to a more descriptive Name for your integration (e.g., "strongDM User Directory Provisioning").
  7. Leave the other settings on default and click Next.
  8. In the Credentials Details section further down, set the Application username Format to Email.
  9. Leave the other settings on default and click Done.

Enable provisioning

  1. Select the Provisioning tab and then click Configure API Integration.

  2. Select the checkbox for Enable API Integration.

  3. Set the following properties:

    • Base URL: Set https://app.strongdm.com/provisioning/okta/v2 as the base URL for your SCIM server.

    • API Token: Get the strongDM SCIM token by following these steps:

      1. Go to the strongDM Admin UI’s **Settings > Provisioning** section.
      2. Set the **Provision users with SCIM?** option to **Yes**.
      3. Set the **Select a provider** option to **Okta**.
      4. Click **Activate** and then copy and save the token generated.
      5. Go back to your Okta console and fill the **API Token** field with the token you copied, in this format: `Bearer {TOKEN}`.
         For example: `Bearer aabb12fjfl445...jkhksjhf98345un`

      If you don't see a **Provisioning** tab in your strongDM Admin UI's **Settings** page, please contact support@strongdm.com to have it enabled.
  4. Click Test API Credentials to test whether the integration can connect to the SCIM API. If there are errors, make sure your base URL and API token are correct and try again. If you're still running into issues, contact support@strongdm.com.

  5. Click Save to finish the integration setup.
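The Test API Credentials button performs an authenticated request against the SCIM base URL. The script below reproduces that probe from the command line so you can diagnose a failing test (wrong token format, wrong base URL, non-SCIM response) before pasting values into Okta. It is an added example, not strongDM's or Okta's code: the base URL is the one from this guide, the `Authorization: Bearer {TOKEN}` format is the one the guide requires, and the `/Users` path and the `application/scim+json` media type are taken from the SCIM 2.0 specification (RFC 7644) rather than from this page, so treat the exact path as an assumption about strongDM's server. The transport is injectable so the logic can be exercised offline with a constructed response.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Base URL from the guide. The /Users resource and the SCIM media type come from
# RFC 7644 and are an assumption about strongDM's server, not taken from the page.
SCIM_BASE_URL = "https://app.strongdm.com/provisioning/okta/v2"
SCIM_LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# A transport takes (url, headers) and returns (status_code, body_text).
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]


def authorization_header(token: str) -> str:
    """Return the header value in the exact 'Bearer {TOKEN}' form the Okta field expects.

    Accepts a bare token or one already carrying the 'Bearer ' prefix, so pasting the
    prefixed value a second time cannot produce 'Bearer Bearer ...'.
    """
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    if not token:
        raise ValueError("SCIM token is empty")
    return "Bearer " + token


def _urllib_get(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Default transport: plain GET that returns status and body even on 4xx/5xx."""
    request = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_scim_credentials(token: str, base_url: str = SCIM_BASE_URL,
                           http_get: HttpGet = _urllib_get) -> Tuple[bool, str]:
    """Probe the SCIM server the way Okta's 'Test API Credentials' button does.

    Returns (ok, reason). The token never appears in the reason, so it is safe to log.
    """
    headers = {
        "Authorization": authorization_header(token),
        "Accept": "application/scim+json",
    }
    status, body = http_get(base_url.rstrip("/") + "/Users?count=1", headers)
    if status in (401, 403):
        return False, f"server rejected the token (HTTP {status}); re-copy it from Settings > Provisioning"
    if status != 200:
        return False, f"unexpected HTTP {status}; check the base URL"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "response is not JSON; the base URL may not point at a SCIM server"
    if SCIM_LIST_RESPONSE not in payload.get("schemas", []):
        return False, "response is JSON but not a SCIM ListResponse"
    return True, f"ok: server reports {payload.get('totalResults', 0)} user(s)"


if __name__ == "__main__":
    import os
    # Read the token from the environment so it never lands in shell history or source control.
    print(check_scim_credentials(os.environ["SDM_SCIM_TOKEN"])[1])
```

Run it with the token exported as `SDM_SCIM_TOKEN`; a `401`/`403` points at the token value or its `Bearer ` prefix, any other non-200 or a non-SCIM body points at the base URL.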

Configure Provisioning options

Next, configure SCIM options so that the integration knows how to handle provisioning of the users and groups from Okta into strongDM.

  1. On the Provisioning tab of the Okta integration, select the To App tab from the left-hand side and then click Edit.
  2. Select the checkboxes to enable the following options:
    1. Create Users: This enables Okta to create Users in strongDM, based on assigned users in Okta. If Okta detects an existing strongDM User that has the same email address as an existing Okta user, Okta will take control of that strongDM User. If there isn't an existing strongDM User with that email, Okta will create a new User in strongDM.
    2. Update User Attributes: This enables Okta to update the name and email addresses of strongDM Users based on changes to that User in Okta.
    3. Deactivate Users: This enables Okta to suspend Users in strongDM when they are unassigned from the application within Okta. These Users will also be reinstated if they are assigned back to the strongDM application within Okta.
  3. Select Save.

Setup is now complete!

Your Initial Provisioning of Users and Groups

Once you've configured provisioning within Okta, follow these steps in order to sync your initial set of Okta users and groups with strongDM.

  1. Go to the Assignments tab, click Assign, and then choose the Assign to Groups option.

    • Assign to Groups lets you assign groups of Okta users to strongDM.
    • The Okta users that you select here will be assigned to strongDM. If they already exist in strongDM, Okta will take control of them. If they don't already exist in strongDM, Okta will create them.
    • If you're using Okta as your SSO with strongDM, we recommend using a shared Okta group to assign users to both of these strongDM apps.
  2. Go to the Push Groups tab, click the Push Groups button, and choose the Find groups by name option.

    1. Enter text in the box to search for the Okta groups you want to add to strongDM as Roles.
    2. If a strongDM Role with that same name doesn't already exist, you will be provided the option to create that Role or link this group to an existing strongDM Role of a different name.
    3. Select Save & Add Another to keep going, or just Save when you are done adding Okta groups.

    Please note:
    An Okta user needs to be both assigned to strongDM and part of an Okta group pushed to strongDM in order for the associated strongDM User to be assigned to the strongDM Role.

  3. On the Provisioning tab in the application, scroll down and click Force Sync to initiate the sync process for the first time. The first sync may take some time to complete, so just wait and let the process complete.

  4. In the strongDM Admin UI:

    1. Go to the Users page to confirm that Users look as expected.
    2. Go to the Roles page to check that Roles look as expected.

Okta Provisioning Management

After the initial sync is complete, you should see that the Users and Roles in the strongDM Admin UI match the Okta users and groups that you chose in the previous steps.

Going forward, any changes you make in Okta will be reflected in strongDM when you:

  • Assign and unassign users from the application.
  • Link and unlink groups from the application.
  • Add and remove users from groups in Okta.

Information about Okta Managed Users and Groups

Users and groups that are assigned/linked to strongDM from within Okta will be considered "Okta Managed" and are mostly read-only from a strongDM perspective. Any time you assign a new Okta user to the strongDM application, we recommend using the Force Sync button from the Provisioning tab in Okta.

Here's how Okta Managed Users are handled:

  • An Okta user who is unassigned from the strongDM application will suspend that User within strongDM.
  • An Okta group that is unlinked from the strongDM application will remove Users from that strongDM Role within strongDM and then delete that Role.
  • An Okta user who is added to an Okta group will attach that strongDM User to that Role in strongDM.

Information about User management in strongDM

In addition to managing Users and Roles through Okta, you have the flexibility to continue managing your users and roles directly through strongDM.

Here's what you can do:

  • Manually create Users, Service Accounts, and Roles within strongDM; these will be identified with the sdm badge in the Admin UI indicating that they are "strongDM Managed."
  • Attach strongDM Managed Users and Service Accounts to both strongDM Managed Roles and Okta Managed Roles from within strongDM.
  • Attach Okta Managed Users to strongDM Managed Roles from within strongDM.
  • Set Permission Levels for Users within the Admin UI for both strongDM Managed and Okta Managed Users.
  • Grant access through Roles and Temporary Access for Users from within strongDM.

Caveats and Limitations

Due to the nature of how Okta integrates through SCIM 2.0, there are a few limitations to be aware of. If you have any issues with your implementation, please contact support@strongdm.com.

If Okta suspends Users, they won't be unassigned from strongDM

Okta has an option to "suspend" users. Doing so will not unassign the user from the strongDM application and therefore won't suspend their corresponding Okta Managed User in strongDM. Make sure to either unassign the Okta user from the application or deactivate the Okta user from within Okta in order to remove their strongDM access as well. Okta does not communicate this information to strongDM in any other way.
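Because Okta sends no signal to strongDM when a user is merely suspended, the gap is only visible by comparing the two sides. The following reconciliation check is an added example, not strongDM's or Okta's code: it takes a list of Okta user records (the `status` values `ACTIVE`, `SUSPENDED` and `DEPROVISIONED` and the `profile.email` field are Okta's own) and a list of strongDM user records in an assumed shape with `email` and `suspended` fields, and reports every account that Okta has suspended or deprovisioned while strongDM still treats it as active. The sample data is constructed inline; in practice the Okta list would come from an Okta users export and the strongDM list from the Admin UI's Users page.

```python
from typing import Iterable, List

# Constructed sample data. Okta records follow Okta's user shape (profile.email, status);
# the strongDM records use an assumed shape (email, suspended, managed_by), since this
# guide does not describe an export format.
OKTA_USERS = [
    {"profile": {"email": "alice@example.com"}, "status": "ACTIVE"},
    {"profile": {"email": "bob@example.com"}, "status": "SUSPENDED"},      # the gap case
    {"profile": {"email": "carol@example.com"}, "status": "DEPROVISIONED"},
    {"profile": {"email": "Dan@Example.com"}, "status": "SUSPENDED"},      # already handled
]
SDM_USERS = [
    {"email": "alice@example.com", "suspended": False, "managed_by": "okta"},
    {"email": "bob@example.com", "suspended": False, "managed_by": "okta"},
    {"email": "carol@example.com", "suspended": True, "managed_by": "okta"},
    {"email": "dan@example.com", "suspended": True, "managed_by": "okta"},
    {"email": "svc-deploy@example.com", "suspended": False, "managed_by": "sdm"},
]

# Okta states that should mean "no strongDM access". Only unassignment and deactivation
# reach strongDM through SCIM; SUSPENDED is the state this guide warns about.
BLOCKED_STATUSES = {"SUSPENDED", "DEPROVISIONED"}


def _norm(email: str) -> str:
    """Compare addresses case-insensitively; Okta and strongDM may differ in casing."""
    return email.strip().lower()


def find_suspended_with_access(okta_users: Iterable[dict], sdm_users: Iterable[dict]) -> List[str]:
    """Return emails that Okta has blocked but that are still active in strongDM."""
    blocked = {
        _norm(u["profile"]["email"])
        for u in okta_users
        if u.get("status") in BLOCKED_STATUSES
    }
    return sorted(
        _norm(u["email"])
        for u in sdm_users
        if not u.get("suspended", False) and _norm(u["email"]) in blocked
    )


if __name__ == "__main__":
    # Each hit should be unassigned from the strongDM app or deactivated in Okta,
    # as the guide describes; that is what actually suspends the strongDM User.
    for email in find_suspended_with_access(OKTA_USERS, SDM_USERS):
        print(f"suspended in Okta but still active in strongDM: {email}")
```

Run on a schedule, a non-empty result is the list of accounts to unassign from the strongDM application or deactivate in Okta; users suspended on both sides (Dan above) and strongDM Managed users with no Okta counterpart are not reported.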

Options to avoid

When unlinking an Okta group from strongDM, we strongly encourage you not to select the option to "Leave the group in the target app." Selecting that option will cause the following to happen:

  • The corresponding Okta Managed Role in strongDM will persist in a read-only state.
  • You won't be able to delete the corresponding Okta Managed Role within strongDM.
  • Okta Managed Users attached to the Role will continue to have the access granted by the Role and cannot be unattached within strongDM.

If you end up in this situation, just relink the Okta group to the strongDM Role from within Okta. Going forward, you will be able to remove the Okta Managed Group properly.
