Do I need to change my OIDC SSO to SAML to support SCIM?

I have successfully implemented support for SSO by OIDC, using the Okta libraries for React, following the docs here.

Now, this SaaS app that I am working with will also support SCIM, so that has been implemented as well by following the docs here.

From the intro of the SCIM docs:

Your Okta integration should use Single Sign-On (SSO) to initiate end-user authentication. Learn how to set up your integration with SSO in our Build a Single Sign-On (SSO) integration guide.

I assumed that I already had implemented support for that, but reading more closely it seems to not support OIDC SSO, is that correct? Do I need to change my OIDC implementation to SAML to get this to work? And in that case, do I need to remove the React libraries that Okta provides, as I also guess that those only support OIDC? Why is Okta recommending using OIDC in the first place, without mentioning limitations like this?

Hello,
If you are building an application for the Okta Integration Network (OIN), both OIDC and SCIM are supported.
As you go through the various pages (Prepare Your Integration, Create your Integration, etc.), make sure that in the "Instruction For" dropdown you choose OIDC.

I am not sure what OIN is. But I am building an integration for SCIM, following this: Build a SCIM provisioning integration overview | Okta Developer

And I wonder if my application already meets this criterion or not:

Your Okta integration should use Single Sign-On (SSO) to initiate end-user authentication. Learn how to set up your integration with SSO in our Build a Single Sign-On (SSO) integration guide.

given that I already have implemented this: Sign users in to your SPA using the redirect model | Okta Developer using the OIDC alternative.

I am not sure that your answer made it any more obvious to me.

Hi @generti! Are you looking to submit your application to our Okta Integration Network (our apps marketplace) for ALL Okta users to use? https://oinmanager.okta.com/

Yes, I guess so. I want end users of the SaaS application I work on to be able to use this integration, so I guess that it has to be supplied to the OIN then?

I think I am a bit confused by step 7 in this doc: Connect your SCIM service with a new Okta integration | Okta Developer. I can select SAML or SWA, but as described earlier I am using OIDC; how should I choose here?

Apologies for the confusion, we’ll need to update our docs specifically on that step, but for now please choose SAML without configuring for it and proceed with your SCIM server setup. Upon submission, you can submit your OIDC and SCIM app separately and from there, our team will merge the two apps into one before publishing it to the OIN.

Alright, thanks!

So when I have the OIDC and SCIM integrations ready, is there any connection between the two? Or is it assumed that my application takes care of, for instance, only allowing existing users (which have been added through SCIM) to log in with OIDC?

I guess that in the settings of the OIDC setup at Okta I can allow all users to log in. And then in my application, after the user has been signed in with OIDC, I check whether the user actually exists in the application or not. If it does, it is allowed to proceed.

@generti right, two separate integrations: one to provision users and one to SSO/sign in users. They are connected in a sense via Okta when you assign the provisioned users to the app.
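The split the thread lands on, as an added example that is not code from the thread or from Okta's SDKs: the app stores the users Okta provisions over SCIM, and the OIDC sign-in callback only admits identities that are present and active in that store. It assumes the Okta SDK has already verified the ID token, and that Okta's SCIM userName carries the same value as the token's email claim, so that value is the join key.

```javascript
// SCIM-provisioned users, keyed by lower-cased userName.
const users = new Map();
let nextId = 1;

// Handles the body of a SCIM 2.0 "POST /Users" from Okta.
// Returns the HTTP status the SCIM server should answer with.
function scimCreateUser(body) {
  if (!body || typeof body.userName !== "string" || !body.userName) {
    return { status: 400, error: "userName is required" };
  }
  const key = body.userName.toLowerCase();
  if (users.has(key)) return { status: 409, error: "uniqueness" };
  const user = {
    id: String(nextId++),
    userName: body.userName,
    externalId: body.externalId, // Okta's own id for the user
    active: body.active !== false, // SCIM users are active unless told otherwise
  };
  users.set(key, user);
  return { status: 201, user };
}

// Minimal SCIM 2.0 PATCH handler covering the operation Okta sends to
// deprovision a user: Operations: [{ op: "replace", value: { active: false } }].
function scimPatchUser(id, body) {
  const user = [...users.values()].find((u) => u.id === id);
  if (!user) return { status: 404 };
  for (const op of (body && body.Operations) || []) {
    const isReplace = String(op.op).toLowerCase() === "replace";
    if (isReplace && op.value && "active" in op.value) {
      user.active = op.value.active === true;
    }
  }
  return { status: 200, user };
}

// Called after the Okta SDK has verified the ID token. A valid token only
// proves who the person is; provisioning state decides whether they may enter.
function authorizeOidcLogin(claims) {
  const email = String(claims.email || claims.preferred_username || "").toLowerCase();
  const user = users.get(email);
  if (!user) return { allowed: false, reason: "not provisioned" };
  if (!user.active) return { allowed: false, reason: "deactivated" };
  return { allowed: true, userId: user.id };
}
```

Wire scimCreateUser and scimPatchUser to the SCIM server's /Users routes and call authorizeOidcLogin from the post-login callback; a deprovisioned user is then refused even though Okta would still issue them a valid token if they remain assigned to the app.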
