Set Up SCIM Integration in Okta

Alation Cloud Service: applies to Alation Cloud Service instances of Alation

Customer Managed: applies to customer-managed instances of Alation

Available from release 2021.3

You can enable SCIM on an existing SAML application integration. Perform the configuration in Okta after enabling SCIM on the Alation server, so that you can test the connection between the Alation server and Okta using the service account credentials you set up on the Alation side.

The configuration described below is based on the Okta documentation topic Add SCIM provisioning to app integrations.

Prerequisite

You have a fully-configured SAML application integration in Okta that is used for user authentication with SAML on the Alation server.

Configuration Steps

  1. In the Okta admin console, go to Applications and open the page of your SAML application integration. App Settings should be available on the General tab.

  2. Click Edit for General > App Settings. This will enable editing of the application configuration.

  3. Under Provisioning, select SCIM.

  4. Click Save for this block of settings. After you save, the Provisioning tab will appear in the application configuration.

  5. Click the Provisioning tab. Under the Settings menu on the left, select Integration.

  6. Click Edit and under SCIM Connection, fill in the following information:

    | Settings | Values | Recommendations |
    |---|---|---|
    | SCIM connector base URL | https://<base_Alation_URL>/scim/v2/ | The value for the SCIM endpoint on the Alation server |
    | Unique identifier field for users | userName | Alation expects the value userName |
    | Supported provisioning actions | Select checkboxes for: Push New Users; Push Profile Updates; Push Groups | Do not select the option Import New Users and Profile Updates. Alation does not support import to the IdP |
    | Authentication Mode | Basic Auth; HTTP Header (from version 2021.4) | Select Basic Auth to use basic authentication with username and password. Select HTTP Header to use token authentication. See Authentication Mode |

  7. Click Test Connector Configuration to check that the SCIM connection is successful.

  8. Save.

  9. Back on the settings > Provisioning tab, two new options should become available in the Settings menu on the left: To App and To Okta. Select To App and click Edit.

  10. Enable the following options under To App:

    • Create Users

    • Update User Attributes

    • Deactivate Users Provisioning

    Do not select Sync Password as it is not supported by Alation.

  11. Save.

  12. Click the Push Groups tab in the upper row of tabs. Create or link groups that you wish to be pushed to Alation. Groups should be consistent with assignments in the SAML settings.

  13. Push the Groups.

  14. Log in to Alation and make sure the Groups and their members are now in Alation. See Testing SCIM Configuration.

Authentication Mode

If you have selected Basic Auth, provide the username and password:

  • Username: Specify the username of the SCIM service account you created when configuring SCIM integration on the Alation server

  • Password: Specify the password of the SCIM service account you created when configuring SCIM integration on the Alation server

If you have selected HTTP Header, provide the access token you created on the Alation server:

  • Bearer: Provide the authorization token value
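What the two Authentication Mode choices put on the wire, as an added example (not Alation or Okta code). The `/Users?filter=` lookup follows the SCIM 2.0 protocol (RFC 7644) and is an assumption about the request the connector sends; the host name, account name and secrets are constructed.

```python
import base64
from urllib.parse import quote, urlsplit

def scim_auth_header(mode, username=None, password=None, token=None):
    """Authorization header value for the selected Authentication Mode."""
    if mode == "Basic Auth":
        if not username or not password:
            raise ValueError("Basic Auth needs the service account username and password")
        if ":" in username:
            raise ValueError("a Basic Auth username cannot contain ':' (RFC 7617)")
        # base64 is an encoding, not encryption: whoever sees the header has the password
        pair = f"{username}:{password}".encode("utf-8")
        return "Basic " + base64.b64encode(pair).decode("ascii")
    if mode == "HTTP Header":
        if not token or any(ch.isspace() for ch in token):
            raise ValueError("HTTP Header mode needs a token with no whitespace")
        return "Bearer " + token
    raise ValueError(f"unsupported Authentication Mode: {mode!r}")

def scim_user_lookup(base_url, user_name, auth_header):
    """Build (url, headers) for a SCIM lookup on the unique identifier userName."""
    parts = urlsplit(base_url)
    # Both modes send a reusable credential, so refuse anything but TLS
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM connector base URL must be an https:// URL")
    if not parts.path.rstrip("/").endswith("/scim/v2"):
        raise ValueError("SCIM connector base URL must end in /scim/v2/")
    # SCIM filter values are JSON strings: escape backslashes and quotes
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    scim_filter = f'userName eq "{escaped}"'
    url = base_url.rstrip("/") + "/Users?filter=" + quote(scim_filter, safe="")
    headers = {"Authorization": auth_header, "Accept": "application/scim+json"}
    return url, headers

if __name__ == "__main__":
    base = "https://alation.example.com/scim/v2/"  # constructed host
    basic = scim_auth_header("Basic Auth", username="scim_svc", password="constructed-pw")
    bearer = scim_auth_header("HTTP Header", token="constructed.token.value")
    for header in (basic, bearer):
        url, headers = scim_user_lookup(base, "jdoe@example.com", header)
        print(url)
        print(headers)
```
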
