Features
Push Users - Users in Okta can be assigned to the Fulcrum application in Okta and will automatically be created and added as members to your Fulcrum organization.
Deactivate Users - Users in Okta that are unassigned from the Fulcrum application in Okta will be removed as members from your Fulcrum organization.
Push Membership Updates - Users in Okta can update their email, given name, and/or family name and have those changes updated in their Fulcrum organization membership.
Push Groups (optional) - Groups in Okta can be assigned to the Fulcrum application in Okta. The users in those groups will automatically be created and added as members to your Fulcrum organization. In addition, the groups themselves may be optionally created in Fulcrum as Fulcrum groups.
Map Roles (optional) - When app roles are set up and assigned to users in Okta, Fulcrum members will automatically be assigned the corresponding Fulcrum role.
Requirements
SCIM provisioning is only supported on Fulcrum Enterprise plans with SSO and Developer Pack enabled.
Configuration Steps
In Fulcrum
1. Sign in as an Owner to the organization for which you want SCIM provisioning enabled.
2. Create an API token to be used with the SCIM integration.
Note: The API token is tied to the Fulcrum user who generated it. If that user is removed or deactivated, a new token will need to be created and reconfigured in Okta.
In Okta
1. Add the Fulcrum application.
2. Configure Sign On settings.
3. Configure Provisioning settings.
   a. Click on the Provisioning tab and then Integration.
   b. Click the Configure API Integration button.
   c. Make sure the Enable API Integration checkbox is checked and, for the API Token field, enter the Fulcrum API token that was generated during the In Fulcrum section.
   d. Click Save.
   e. Click To App and then Edit, while still under the Provisioning tab.
   f. Enable Create Users, Update User Attributes, and Deactivate Users by making sure they are checked.
   g. Click Save.
4. Assign users to the Okta Fulcrum app to have them added to your organization in Fulcrum.
5. Assign groups to the Okta Fulcrum app to have the users in that group added to your organization in Fulcrum. This step only adds members of Okta groups to Fulcrum. It does not create groups within Fulcrum. See step 6 for those instructions.
6. Push groups to Fulcrum. This will add groups to your organization in Fulcrum and assign the correct members to those groups in Fulcrum.
7. Map Roles. When app roles are set up and assigned to users in Okta, Fulcrum members will automatically be assigned the corresponding Fulcrum role.
   a. Go to Directory > Profile Editor > User > Apps.
   b. Search for your App.
   c. In Attributes, click Add Attribute.
   d. Select Data Type ‘string’.
   e. For Display name, enter ‘role’.
   f. For Variable name, enter ‘role’.
   g. For External name, enter ‘role’.
   h. For External namespace, enter ‘role’.
   i. Tick the checkbox ‘Define enumerated list of values’.
Troubleshooting
Managed and unmanaged users and groups
Fulcrum separates the ecosystems for managed and unmanaged users and groups.
Unmanaged users are users that are created directly in Fulcrum and are not managed by Okta. Okta is in fact unaware of these unmanaged users.
Managed users are created in Okta and are created in Fulcrum via SCIM provisioning. In Fulcrum, these users will be marked as managed.
Similarly, Fulcrum also has managed and unmanaged groups. Unmanaged groups are completely internal to Fulcrum and are not visible to Okta. Managed groups are created and managed in Okta. Group memberships for managed groups cannot be managed in Fulcrum and must be managed in Okta. See the information on managing groups in Fulcrum.
One of the consequences of this split ecosystem is that managed and unmanaged users and groups may have the same name even though they represent different entities. Refreshing the App Groups in Okta will not fetch unmanaged groups from Fulcrum. Pushing a group in Okta that has the same name as an unmanaged group in Fulcrum will result in multiple groups with the same name in Fulcrum. This is expected behavior.
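Because same-named managed and unmanaged groups are different entities, it helps to review them side by side during access audits. The following is an added example, not Fulcrum or Okta code: it scans a constructed list of group records and reports names that exist in both ecosystems. The record fields (name, managed, members) and the case/whitespace normalization are assumptions made for this example, not Fulcrum's API schema.

```python
from collections import defaultdict

# Constructed sample records. The field names ("name", "managed", "members")
# are assumptions for this example, not Fulcrum's export or API schema.
SAMPLE_GROUPS = [
    {"name": "Field Crew", "managed": True, "members": ["ana@example.com", "bo@example.com"]},
    {"name": "field crew ", "managed": False, "members": ["bo@example.com", "cy@example.com"]},
    {"name": "Inspectors", "managed": True, "members": ["ana@example.com"]},
    {"name": "Contractors", "managed": False, "members": ["dee@example.com"]},
]


def normalize(name):
    """Fold case and whitespace so near-identical names compare equal.

    Assumption: a reviewer treats such names as the same label.
    """
    return " ".join(name.split()).casefold()


def find_name_collisions(groups):
    """Return one report per group name present as both managed and unmanaged."""
    by_name = defaultdict(lambda: {"managed": [], "unmanaged": []})
    for group in groups:
        kind = "managed" if group["managed"] else "unmanaged"
        by_name[normalize(group["name"])][kind].append(group)

    reports = []
    for name, kinds in sorted(by_name.items()):
        if not (kinds["managed"] and kinds["unmanaged"]):
            continue
        managed = {m.casefold() for g in kinds["managed"] for m in g["members"]}
        unmanaged = {m.casefold() for g in kinds["unmanaged"] for m in g["members"]}
        reports.append({
            "name": name,
            "managed_count": len(kinds["managed"]),
            "unmanaged_count": len(kinds["unmanaged"]),
            # Okta cannot see the unmanaged group, so these memberships
            # are outside what Okta group assignments control.
            "only_unmanaged": sorted(unmanaged - managed),
        })
    return reports


if __name__ == "__main__":
    for report in find_name_collisions(SAMPLE_GROUPS):
        print(report)
```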
Other Issues
Please reach out to our support team at support@fulcrumapp.com if you have any difficulties.