SCIM setup for OKTA

Here is a walkthrough to set up an SCIM app on OKTA to automatically provision users and teams into Catalog.

Please note that this setup requires you to get in touch with Catalog ops ([email protected] or Slack), who will generate and share the SCIM token your SCIM app uses to authenticate against Catalog’s SCIM API.

1. Creating an SAML app

  • Go to your OKTA applications and click on Browse App Catalog

  • Then search for SCIM and choose SCIM 2.0 Test App (Header Auth)

  • And hit the Add Integration button

  • Give the app a proper name and click Next

  • As we will only use this app for provisioning, you do not need to fill in the SAML settings; scroll to the bottom of the page and click Done

2. Setting up provisioning

  • Once in the application, go to the Provisioning tab and hit the Configure API Integration button

3. Configuring mappings

  • In this part we’ll define the mapping between your user and team information in Okta and their Catalog accounts. For that we need to update the two mappings.

  • In the Provisioning tab → To App submenu:

    • Click on Edit and enable Create Users, Update User and Attributes and Deactivate Users then Save

    • Click on Go to Profile Editor under the Attribute Mappings to select the desired fields to send to Catalog

    • In the Profile Editor click on Mappings

    • On CastorDoc SCIM to Okta User tab

      • There you will need to un-map all fields except appuser.givenName and appuser.familyName, and update the appuser.email → email mapping to appuser.userName → email

    • On Okta User to CastorDoc SCIM tab

      • Remove all field mappings except user.firstName and user.lastName

4. Trigger provisioning

  • Once the mapping updates are done, you can start assigning the users and groups that will be provisioned to Catalog

Troubleshooting

  • If a Catalog user appears without a first and last name, please ensure that givenName and familyName are filled in on their OKTA profile.

  • If you have an issue with your token or it has leaked, please reach out to Catalog ops ([email protected]) to reset the token.
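
The attribute mappings from step 3 and the empty-name case above can be checked against the user records that are actually sent. The following is an added example, not part of Catalog's or Okta's documentation: a Python check over SCIM 2.0 User resources (RFC 7643) that flags empty names, a userName that is not an email address, and any attribute beyond those the mappings should leave. The sample payloads are constructed, and the allowed-attribute set is an assumption about what a user provisioned this way contains.

```python
import re

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
# Assumption: top-level attributes a user provisioned with this page's
# mappings should carry; anything else means a field is still mapped.
ALLOWED = {"schemas", "id", "externalId", "meta", "userName", "name", "active"}
ALLOWED_NAME = {"givenName", "familyName"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_scim_user(user: dict) -> list[str]:
    """Return findings for one SCIM User resource (empty list = clean)."""
    findings = []
    if CORE_USER not in user.get("schemas", []):
        findings.append("missing core User schema URN")
    if not EMAIL_RE.match(user.get("userName") or ""):
        findings.append("userName is not an email address")
    name = user.get("name") if isinstance(user.get("name"), dict) else {}
    for part in ("givenName", "familyName"):
        if not (name.get(part) or "").strip():
            findings.append(f"name.{part} is empty")
    # Data minimisation: report attributes that should have been un-mapped.
    extra = sorted(set(user) - ALLOWED)
    extra += sorted(f"name.{k}" for k in set(name) - ALLOWED_NAME)
    findings.extend(f"unexpected attribute sent: {a}" for a in extra)
    return findings


# Constructed sample payloads (not captured from a real tenant).
GOOD = {
    "schemas": [CORE_USER],
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "active": True,
}
BAD = {
    "schemas": [CORE_USER],
    "userName": "ada",
    "name": {"givenName": "Ada", "familyName": "", "formatted": "Ada"},
    "phoneNumbers": [{"value": "555-0100", "type": "work"}],
    "active": True,
}

if __name__ == "__main__":
    for label, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_scim_user(payload) or "ok")
```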
