Okta SCIM Guide

This article describes how to set up SCIM-based user provisioning through Okta.

Written by Katie Briggs
Updated over a week ago

Features

  • Push Users - Users in Okta can be assigned to the Fulcrum application in Okta and will automatically be created and added as members to your Fulcrum organization.

  • Deactivate Users - Users in Okta that are unassigned from the Fulcrum application in Okta will be removed as members from your Fulcrum organization.

  • Push Membership Updates - Users in Okta can update their email, given name, and/or family name and have those changes updated in their Fulcrum organization membership.

  • Push Groups (optional) - Groups in Okta can be assigned to the Fulcrum application in Okta. The users in those groups will automatically be created and added as members to your Fulcrum organization. In addition, the groups themselves may be optionally created in Fulcrum as Fulcrum groups.

  • Map Roles (optional) - When app roles are set up and assigned to users in Okta, Fulcrum members will automatically be assigned the corresponding Fulcrum role.

Requirements

SCIM provisioning is only supported on Fulcrum Enterprise plans with SSO and Developer Pack enabled.

Configuration Steps

In Fulcrum

  1. Sign in as an Owner to the organization for which you want SCIM provisioning enabled

  2. Create an API token to be used with the SCIM integration

    1. Go to the API page

    2. Click the NEW API TOKEN button

    3. Provide a useful description such as SCIM Okta

    4. Click CREATE TOKEN to create a new API token

    5. Note/copy the token which will be used to configure the Okta Fulcrum application

Note: The API token is tied to the Fulcrum user who generated it. If that user is removed or deactivated, a new token will need to be created and reconfigured in Okta.

In Okta

  1. Add the Fulcrum application

    1. Open the Applications dropdown and click Applications followed by the Browse App Catalog button

    2. Search for Fulcrum in the catalog search and select Fulcrum from the available options

    3. Click the Add Integration button

    4. Click Done to finish adding the Fulcrum application

  2. Configure Sign On settings

    1. Click on the Sign On tab


    2. Go through the SAML Setup instructions and take note of the Company Domain

    3. Click Edit to start editing the Sign On settings

    4. Make sure the Organization Name matches the Company Domain from the SAML setup and that Application username format is set to Email


    5. Click Save

  3. Configure Provisioning settings

    1. Click on the Provisioning tab and then Integration

    2. Click the Configure API Integration button

    3. Make sure the Enable API Integration checkbox is checked and, in the API Token field, enter the Fulcrum API token that was generated in the In Fulcrum section

    4. Click Save

    5. Click To App and then Edit, while still under the Provisioning tab

    6. Enable Create Users, Update User Attributes, and Deactivate Users by making sure they are checked

    7. Click Save

  4. Assign users to the Okta Fulcrum app to have them added to your organization in Fulcrum

    1. Click on the Assignments tab followed by the Assign button and Assign to People option

    2. Click Assign on the user you want to add

    3. Ensure the information looks correct and click Save and Go Back

    4. Repeat steps 2 and 3 for each user you want to add

  5. Assign groups to the Okta Fulcrum app to have the users in that group added to your organization in Fulcrum. This step only adds members of Okta groups to Fulcrum. It does not create groups within Fulcrum. See step 6 for those instructions.

    1. Click on the Assignments tab followed by the Assign button and Assign to Groups option

    2. Click Assign on the group you want to add


    3. Repeat for each group you want to add

    4. Click Done when done with adding groups

  6. Push groups to Fulcrum. This will add groups to your organization in Fulcrum and assign the correct members to those groups in Fulcrum.

    1. Click on the Push Groups tab followed by the Push Groups button and Find groups by name option


    2. Search for the name of a previously created Okta group name. Leave the default settings, including Create Group with the same group name. Click Save when done.


  7. Map Roles. When app roles are set up and assigned to users in Okta, Fulcrum members will automatically be assigned the corresponding Fulcrum role.

    1. Go to Directory > Profile Editor > User > Apps

    2. Search for your App

    3. In Attributes click Add Attribute

      1. Select Data Type ‘string’

      2. For Display name, enter ‘role’

      3. For Variable name, enter ‘role’

      4. For External name, enter ‘role’

      5. For External namespace, enter ‘role’

    4. Tick the checkbox ‘Define enumerated list of values’

      1. Add the ‘Attribute members’ according to the available roles in your Fulcrum App

Troubleshooting

Managed and unmanaged users and groups

Fulcrum separates the ecosystems for managed and unmanaged users and groups.

Unmanaged users are users that are created directly in Fulcrum and are not managed by Okta. Okta is in fact unaware of these unmanaged users.

Managed users are created in Okta and are created in Fulcrum via SCIM provisioning. In Fulcrum, these users will be marked as managed.

Similarly, Fulcrum also has managed and unmanaged groups. Unmanaged groups are completely internal to Fulcrum and are not visible to Okta. Managed groups are created and managed in Okta. Group memberships cannot be managed in Fulcrum and must be managed in Okta. See the information on managing groups in Fulcrum.

One of the consequences of this split ecosystem is that managed and unmanaged users and groups may have the same name even though they represent different entities. Refreshing the App Groups in Okta will not fetch unmanaged groups from Fulcrum. Pushing a group in Okta that has the same name as an unmanaged group in Fulcrum will result in multiple groups with the same name in Fulcrum. This is expected behavior.
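Because same-named managed and unmanaged groups are distinct entities, it helps to check names before pushing so that permissions are not later granted to the wrong group. The following is an added example, not Fulcrum or Okta code: the record shape (`name`, `managed`), the name-folding rule, and the sample lists are all assumptions constructed for illustration; feed it whatever group export you have.

```python
import unicodedata
from collections import defaultdict

def norm(name: str) -> str:
    """Fold a name so look-alike names compare equal (assumed policy:
    Unicode NFKC, case-insensitive, whitespace collapsed)."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def audit_group_names(okta_push_names, fulcrum_groups):
    """Return (collisions, existing_duplicates).

    collisions: Okta group name -> unmanaged Fulcrum group names that a
                push of that group would sit beside.
    existing_duplicates: folded names already present in Fulcrum as both
                a managed and an unmanaged group.
    """
    by_name = defaultdict(lambda: {"managed": [], "unmanaged": []})
    for g in fulcrum_groups:
        kind = "managed" if g["managed"] else "unmanaged"
        by_name[norm(g["name"])][kind].append(g["name"])

    collisions = {}
    for name in okta_push_names:
        unmanaged = by_name.get(norm(name), {}).get("unmanaged", [])
        if unmanaged:
            collisions[name] = sorted(unmanaged)

    existing = sorted(k for k, v in by_name.items()
                      if v["managed"] and v["unmanaged"])
    return collisions, existing

# Constructed sample data (hypothetical group names and record shape).
OKTA_PUSH = ["Field Inspectors", "GIS Admins", "Contractors"]
FULCRUM_GROUPS = [
    {"name": "field  inspectors", "managed": False},
    {"name": "GIS Admins", "managed": True},
    {"name": "GIS Admins", "managed": False},
    {"name": "Survey Team", "managed": False},
]

if __name__ == "__main__":
    collisions, existing = audit_group_names(OKTA_PUSH, FULCRUM_GROUPS)
    for okta_name, matches in collisions.items():
        print(f"push of {okta_name!r} would duplicate unmanaged: {matches}")
    for name in existing:
        print(f"already duplicated (managed + unmanaged): {name!r}")
```

Names reported as collisions can be renamed in Okta or in Fulcrum before the push, so that role and permission assignments remain unambiguous.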

Other Issues

Please reach out to our support team at support@fulcrumapp.com if you have any difficulties.
