
How to Configure SCIM Provisioning using Okta

System for Cross-Domain Identity Management (SCIM) is an open standard protocol used to automate the exchange of user and group information between identity providers and enterprises. SCIM ensures that users added to the identity management system have their accounts automatically created in VIDIZMO. User attributes and profiles are synchronized between the two systems, updating or removing users based on user status or role changes.

VIDIZMO offers a SCIM 2.0 REST API so that the pain of working with proprietary user management APIs or products can be reduced or eliminated. Whether you are an independent software vendor (ISV), an existing Okta user, or an IT systems administrator, knowing how to set up and test your application and API endpoints is essential to successfully deploying an Okta integration using SCIM provisioning.

Before you start

  • Ensure that you belong to a group where the Management of SSO + SCIM permission is enabled to access this feature.
  • Before provisioning users and groups from Okta through the SCIM protocol, make sure you have an Okta IdP account so that you can configure the General Settings and any Sign-On Options for the VIDIZMO application in Okta.

Configuration Steps

VIDIZMO Configuration

Follow these steps to configure Okta provisioning in VIDIZMO.

In your VIDIZMO portal, configure the Okta app as follows:

  1. Click on the navigation menu in the top left corner.
  2. Expand the Admin tab and select Portal Settings.

  3. On the Portal Settings page, click on the Apps tab.
  4. Click on Provisioning and locate the SCIM Okta App.
  5. Click on the Settings icon.

  6. After clicking on the Settings icon, a window will appear which offers various fields, each of which is explained below:

To enable the SCIM app, you first need to perform the following actions:

i. Select a CAL.

Note:

  • The default CAL is the CAL that will be assigned to users by default at the time of provisioning from Okta if you have not explicitly defined any CAL.
  • If multiple CAL (Client Access License) types are available in your VIDIZMO portal, you can select the desired CAL type. This selection will be automatically applied to all users who log in to the VIDIZMO portal using Okta SSO.
  • If all available CALs have been consumed, any new user attempting to access SCIM functionality within the portal will receive a notification indicating that no CALs are available.

ii. Click the Add New Rule button if you want to set rules for automatic CAL assignment for users belonging to specialized groups. For details, refer to the article How to Configure Rules for Automatic Role Assignment using SCIM.

iii. Click the Add button to generate an API key against your domain for authorization purposes.

iv. You need to provide the expiry date to generate an API Key.

Note: Provisioning and de-provisioning management from Okta will be revoked once the expiry date has passed.

v. Copy the generated API token to the clipboard and save the changes using the Save Changes button.

Note: This API Key will be used during the configuration of API Integration in Okta.

7. Enable the app by clicking on the toggle button. 

Note: A notification will appear stating "Portal Information Updated Successfully."

OKTA Configuration

The following steps are performed in the Okta account to build a connection with the VIDIZMO portal and implement user provisioning in VIDIZMO. In Okta, search for SCIM 2.0 Test App (OAuth Bearer Token) and complete the following configuration steps:

  1. Navigate to Applications in the Okta Dashboard.
  2. Click on the Browse App Catalog option.

  3. Search for SCIM 2.0 Test App (OAuth Bearer Token) and add it.

  4. Click the Add Integration button.

  5. Under the General Settings tab, click Next.

  6. Navigate to the Sign-On Options tab.

i. Complete the following fields:

ii. Click Done to save the changes.

  7. Now, in the Provisioning tab:

i. Select Configure API Integration.

ii. Check the Enable API Integration option.

iii. For Base URI, follow the convention https://YOUR-TENANT-SUBDOMAIN-HERE/api/v1/SCIM/SCIMOkta.

iv. For API Token, enter the value generated in the VIDIZMO portal.

v. Click the Test API Credentials button.

vi. Save the configuration if the test is successful.

Note: SCIM provisioning is supported on portals created on sub-domains. To learn more about domain options in VIDIZMO, read Understanding Domain Options For A Portals : VIDIZMO Helpdesk

vii. Now, select the To App option in the left-hand menu of the Provisioning tab and select the Provisioning Features that need to be enabled.
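One way to check the Base URI and API key outside Okta before entering them in the API Integration step above (an added example, not VIDIZMO or Okta code). It assumes the endpoint answers the standard SCIM 2.0 user listing from RFC 7644 under the Base URI and reports errors with ordinary HTTP status codes; the environment variable names are hypothetical, and the token is read from the environment so it stays out of shell history.

```python
import os
import re
import urllib.error
import urllib.request

SCIM_PATH = "/api/v1/SCIM/SCIMOkta"  # path convention given in this article
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def scim_base_uri(host: str) -> str:
    """Build the Base URI, accepting only a bare hostname (no scheme, path or '@')."""
    host = host.strip().rstrip(".")
    if not HOST_RE.match(host):
        raise ValueError(f"not a bare hostname: {host!r}")
    return f"https://{host.lower()}{SCIM_PATH}"  # HTTPS only: the key is a bearer secret

def build_probe(host: str, token: str) -> urllib.request.Request:
    """Read-only SCIM request (list one user) that carries the API key as a Bearer token."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("API token is empty or contains whitespace (bad copy/paste?)")
    url = scim_base_uri(host) + "/Users?startIndex=1&count=1"  # assumed standard SCIM route
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    })

def classify(status: int) -> str:
    """Map an HTTP status to the likely misconfiguration (general HTTP semantics, assumed here)."""
    if status == 200:
        return "ok"
    if status in (401, 403):
        return "token rejected (wrong, revoked or expired API key)"
    if status == 404:
        return "base URI wrong (check subdomain and path)"
    return f"unexpected status {status}"

def probe(host: str, token: str, timeout: float = 10.0) -> str:
    """Send the probe and report the outcome without ever printing the token."""
    try:
        with urllib.request.urlopen(build_probe(host, token), timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)

if __name__ == "__main__":
    # VIDIZMO_HOST and VIDIZMO_SCIM_TOKEN are hypothetical variable names.
    print(probe(os.environ["VIDIZMO_HOST"], os.environ["VIDIZMO_SCIM_TOKEN"]))
```

Running the same probe on a schedule gives early warning when the API key reaches its expiry date, since de-provisioning from Okta stops working at that point.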

Provisioning

User(s)

Follow these steps to provision users from your Okta directory to the VIDIZMO portal.

Add Users

To add users to the VIDIZMO portal, follow these steps:

From the Assignments Tab:

  1. Click on the Assign option in order to start assigning users to the SCIM 2.0 App. 
  2. Select the Assign to People option and choose users from the directory to assign them.

Bulk Add

Another way to assign users to an application in Okta, in bulk, is as follows:

  1. In the Applications tab, click on the Assign Users to App button.

  2. Select the users that you want to assign, or simply check all the users that are present in your Okta directory.

  3. From the applications tab, select the name of the application to which you want your users to be assigned.

  4. Click on Next to confirm the assignments.

Edit

SCIM also supports updating user profile information. To do so, follow these steps:

  1. In the Assignments tab, locate the user whose profile information you wish to update and click on the edit button.

  2. In the Edit User Assignment modal, the profile information that can be edited is Email, First Name and Last Name.

  3. Click the Save button.

Group(s)

Follow these steps to provision groups from Okta to the VIDIZMO Portal.

Add

To add groups to the VIDIZMO portal from Okta, follow these steps:

  1. Navigate to the Assignments tab. Select the Assign to Groups option.

Note: Assigning to groups is a very important step; it is required for all the users that are part of the pushed group to appear in the VIDIZMO Portal.

  2. Search for the group that you need to assign to the SCIM 2.0 App. Click on the Assign button.

  3. Click on the Save button.

Assigned groups will be displayed in the list.

Push Groups

For pushing groups to VIDIZMO Portal:

  1. Navigate to the Push Groups tab in the SCIM App in Okta.
  2. Click on Push Groups and choose the method for pushing the group to the VIDIZMO Portal.

i. If you select Find groups by name, enter the name of a group to push.

OR

ii. If you select Push groups by rule, enter a name for the rule, the group name and a description, and create the rule.

  3. Now, you need to assign that pushed group in the Assignments Tab:

Edit

Currently, the only group edit supported in VIDIZMO is the name of the group.

  1. To edit a group, navigate to the Assignments tab, click the Edit button next to the group, and make the necessary changes.

De-Provisioning

To deactivate users or groups from the VIDIZMO Portal, follow these steps:

  1. Navigate to the Users tab (or Groups tab for group-related actions).
  2. Locate the cross icon next to the user (or group) you wish to deactivate.
  3. Click the cross icon to initiate the deactivation.
  4. Confirm the deactivation by clicking OK.

Limitations

  • Users cannot be permanently deleted from VIDIZMO; they will be deactivated instead. A deactivated user can be reactivated. When a user is deactivated via SCIM, VIDIZMO immediately disables their membership to their account, ensuring that their access is immediately revoked. The user is treated as an anonymous user in the VIDIZMO portal.
  • Provisioned users cannot change their user profile information because they are treated as a Federated User in the VIDIZMO portal.
  • Provisioning and deprovisioning can be enabled only on portals that are created under the subdomain policy. Learn more about domain options in VIDIZMO from Understanding Domain Options for a Portal.