How to configure ACS URL for an SCIM service?

goldfrapp04 · February 26, 2019, 12:29am

For a SAML-based service, a user can click on that service in his home and be redirected to a URL. This URL is set in the service’s “SAML Settings” and usually looks like “https://www.myservice.com/acs”.

What is the corresponding setting for an SCIM service? Right now if the user clicks on the SCIM service, he’ll be redirected to www.okta.com. That’s not surprising, since I as the admin didn’t configure any redirection URL.

Some thoughts:

I’m doing all this in a dev account. Am I not allowed to configure this yet?
Do I need to create a separate SAML service that should also be assigned to the user? I.e. the SCIM service manages user lifecycle on the backend and is not visible to the user. User sees the SAML service in his Okta home page, and can click on that to access the actual service.

Adam11 · March 12, 2019, 11:44pm

Did you ever find a solution here? I’m wondering the same thing:

I can create a SAML 2.0 application in Okta and connect it to my web application, but provisioning is a two step process - add the user to the app in Okta, and create the user with the same email address in the web app
I can create a SCIM application in Okta and connect it to my web application, but the SAML options don’t go far enough - there is no place to configure the ACS URL and other SAML options

Do I need to create two apps? One for SAML auth and one for SCIM provisioning? If so, is there a way to connect the two?

FWIW, OneLogin does this very well: the test app to build off of has both SAML config options and SCIM options.

Any help appreciated!

dragos · March 13, 2019, 9:32am

Hi @goldfrapp04 @Adam11

SCIM templates are created only for provisioning, not single sign-on. The details that are present under Sign On tab are purely for placeholder.

If you have a production tenant and/or you are able to create SAML 2.0 application from the Application Integration Wizard (switch from Developer Console to Classic UI in admin panel >> Applications >> Add Application >> Create New App >> Sign On method >> SAML 2.0), then please send an email to support@okta.com to request SCIM_PROVISIONING feature. This feature will give you the possibility to add provisioning to the SAML applications through SCIM 2.0.

goldfrapp04 · March 13, 2019, 7:00pm

Yes thanks @dragos ! I’ve contacted Okta support and am currently going down that route.

And @Adam11 , you can check out https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard.htm as an alternative, if you don’t need your app published in OIN.

system · January 17, 2024, 11:16pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.