SCIM

Okta SCIM Setup Instructions

Provides the steps required to provision users from Okta to Sobol

Features

Sobol supports SCIM version 2.0 out of the box and provides the following features:

  • Import Users - quickly synchronize your users between Sobol and Okta

  • Create New Users - create new users in Okta and push them to Sobol

  • Profile Updates - update users in Okta and sync those updates to Sobol

  • Deactivate Users - deactivate users in Okta and reflect those changes in Sobol

  • Reactivate Users - reactivate users in Okta and follow suit in Sobol

Requirements

To set up SCIM provisioning between Sobol and Okta, the following are required:

1. Issuing a Sobol API key and setting up the proper permissions

2. Providing that information to configure Okta

For the above:

  • You must already be a user and hold access to Sobol

  • You must already be an admin and hold access to Okta

If for any reason you do not have either of these, please contact support@sobol.io.

Configuration Steps

In Sobol

To configure a new SCIM connection in Sobol:

  1. Log in to your instance of Sobol

  2. Once logged in, click the hamburger menu in the top-left corner of the screen

  3. Once the sidebar opens, click the Settings tab

  4. Once in Settings, click on the Applications tab and then on the Add New Application button

  5. Next, a permissions modal will open. Check the following permissions and hit Save:

    1. role

    2. user

  6. You can now take this Key and use it to configure your SCIM settings in Okta

In Okta

To configure a new SCIM connection in Okta:

  1. Log in to your instance of Okta and click the Admin button, followed by the Applications tab

  2. Locate “Sobol” in your applications list and click to edit the settings

  3. Under the “Provisioning” tab, click Configure API Integration

  4. Next, check the Enable API integration box

  5. Enter the API Key that you created in Sobol

  6. Click Test API Credentials; if successful, a verification message will appear on the screen. If unsuccessful, please contact support@sobol.io.

  7. Click Save

  8. Voila! You are now able to fully control user provisioning with Okta.

Troubleshooting Tips

  1. Sobol Account: You MUST have a Sobol account in order to set up provisioning. If for any reason you do not have one, please contact support@sobol.io.

  2. Org ID: Configuring SCIM requires the use of your tenant’s ORG_ID. To obtain it, take note of the URL when using your instance of Sobol: https://sobol.io/d/org/[ORG_ID]

  3. SCIM Endpoint: All SCIM endpoints for your tenant are housed under the following URL scheme: https://sobol.io/d/scim/v2/org/[ORG_ID].

  4. Authentication Formats: Sobol supports Header Authentication (Bearer Token) using keys available in both HS256 and RS256 JWT formats. Some services, such as AzureAD, require smaller, leaner keys, in which case please use HS256.

  5. Supported Mappings: as of now, Sobol ONLY supports the provisioning of the following Okta attributes:

    1. First Name - firstName

    2. Last Name - lastName

    3. Email - email

  6. Username format: all users mapped across Sobol and Okta use their email to uniquely identify them.

  7. Password Sync - given that Sobol does not store passwords directly, we do not support the Password Sync SCIM feature.

  8. Groups - as of now, Sobol does not make use of the Groups SCIM feature, although this might change in the near future.

  9. HTTP Patch Support: we currently ONLY support activation and deactivation using HTTP Patch.

  10. Email Type - we currently do not support the `emailType` attribute and default this value to “work” as part of our SCIM responses.
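The following is an added example, not Sobol's or Okta's own code. It checks which JWT format an API key uses (tip 4) and builds the deactivation PATCH (tip 9) against the tenant SCIM URL (tip 3). The function names, the standard SCIM `/Users/{id}` path, the RFC 7644 PatchOp body shape and the sample key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SCIM_BASE = "https://sobol.io/d/scim/v2/org/{org_id}"  # URL scheme from tip 3
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_alg(api_key: str) -> str:
    """Return the 'alg' from the JWT header; the signature is NOT verified."""
    parts = api_key.split(".")
    if len(parts) != 3:
        raise ValueError("API key is not a three-part JWT")
    alg = json.loads(_b64url_decode(parts[0])).get("alg")
    if alg not in ("HS256", "RS256"):  # the two formats named in tip 4
        raise ValueError(f"unexpected JWT alg: {alg!r}")
    return alg

def set_active_request(org_id: str, user_id: str, api_key: str, active: bool) -> dict:
    """Describe the PATCH that activates or deactivates one user."""
    jwt_alg(api_key)  # fail early on a malformed or unexpected key
    return {
        "method": "PATCH",
        # Assumption: users live at the standard SCIM /Users/{id} path.
        "url": f"{SCIM_BASE.format(org_id=org_id)}/Users/{user_id}",
        "headers": {
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps({
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": active}}],
        }),
    }

def make_sample_hs256_key(secret: bytes = b"constructed-secret") -> str:
    """Constructed HS256 JWT standing in for a real Sobol key."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    head = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = enc(json.dumps({"sub": "constructed-app"}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{enc(sig)}"

if __name__ == "__main__":
    req = set_active_request("ORG_ID", "USER_ID", make_sample_hs256_key(), False)
    print(req["method"], req["url"])  # the bearer token itself is never printed
    print(req["body"])
```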
