Is publishing to the OIN required for SCIM provisioning?

Hi, I read through the documentation at https://www.okta.com/integrate/documentation/scim. Some things are not clear to me. I searched for SCIM topics on the forum and got some questions answered. However, could you please help clarify the following?

  • Is publishing to the OIN mandatory?
  • We support SAML SSO for our customers who use Okta. In some topics in this forum I read something about “merging” SAML SSO and SCIM. Does this mean a single app in Okta can be assigned to users for both single sign-on and SCIM provisioning? Can this “merging” be done with a custom app that our customer creates in their org?
  • If using the OAuth2 authorization code grant flow for the SCIM API, the SCIM document (linked above) mentions the redirect URIs to support, but there is no mention of what other information Okta will pass in the /authorize URL, or any other details about the code exchange.

Thanks in advance!

Hi @praneetloke

  • Is publishing to the OIN mandatory?

SCIM provisioning can be done in two ways - through SCIM templates (available for integrator accounts) and Application Integration Wizard apps that have provisioning capabilities. For the second option, you will need to request the SCIM_PROVISIONING feature for your Okta org by sending an email to support@okta.com.

OIN publishing is required if you want your customers to be able to find your application easily and integrate it in their Okta tenant. If you want to use it only for your Okta tenant, then you don’t need to submit it to the Apps Team for review. If you want to make it available to only a few specific customers, then you can request during submission on oinmanager.okta.com that the application be private and available only to the few Okta tenants that you provide.

  • We support SAML SSO for our customers who use Okta. In some topics in this forum I read something about “merging” SAML SSO and SCIM. Does this mean a single app in Okta can be assigned to users for both single sign-on and SCIM provisioning? Can this “merging” be done with a custom app that our customer creates in their org?

To submit an application through oinmanager.okta.com, you must have a SAML integration done through Application Integration Wizard for SSO and/or a SCIM template for provisioning.

After the application passes all the reviews, these two applications will be merged together by the Apps Team and then published in the OIN (with public or private visibility).

  • If using the OAuth2 authorization code grant flow for the SCIM API, the SCIM document (linked above) mentions the redirect URIs to support, but there is no mention of what other information Okta will pass in the /authorize URL, or any other details about the code exchange.

The details available here can be used for implementing the required attributes that Okta will send to your authorization server.

Hi @dragos, thanks for the reply!

For the second option, you will need to request the SCIM_PROVISIONING feature for your Okta org by sending an email to support@okta.com.

Is the feature hidden because it is in preview? When will this become GA?

To submit an application through oinmanager.okta.com, you must have a SAML integration done through Application Integration Wizard for SSO and/or a SCIM template for provisioning.

Is the goal for creating a SCIM template app to test it through RunScope? Could a SAML w/ SCIM provisioning app created through the Application Integration Wizard be submitted to the OIN as well? If I create the app through the AIW, should I still create a SCIM template app before publishing to the OIN?

The details available here can be used for implementing the required attributes that Okta will send to your authorization server.

Thanks for the link, but that link talks about the Authorization Code Flow for apps that use Okta as the authorization server. This doesn’t seem like it would apply to the scenario when Okta would actually call the service that hosts the SCIM API?

Hi @praneetloke

The SCIM_PROVISIONING feature is currently in GA, however it’s not deployed automatically to customer tenants. You can request it through a support ticket.

Unfortunately, SAML applications that have the SCIM provisioning feature enabled cannot be used for integrating the application in OIN manager. You would need to have a separate SCIM template in order for the application to be integrated.

The call is identical. We do not yet have public documentation on these calls; however, when submitting the application to OIN manager, you can ask the Apps Team for further details and they will be able to provide them.
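Since the answer above says Okta's /authorize and /token calls to your authorization server follow the standard authorization code flow, here is an added example (not from this thread, Okta's docs or any Okta code) of the minimal server-side handling a SCIM service needs, including the refresh_token grant so access tokens can stay short-lived. The client id, secret and redirect URI are constructed placeholders; the real redirect URIs are the ones listed in the SCIM documentation.

```python
# Added example: in-memory OAuth2 authorization-code + refresh-token handling
# for a SCIM service's authorization server where Okta is the OAuth client.
# All identifiers below are constructed placeholders, not Okta values.
import secrets
import time
from urllib.parse import parse_qs, urlparse

CLIENT = {"client_id": "okta-scim-client", "client_secret": "example-secret",
          "redirect_uris": {"https://okta-tenant.example/oauth-callback"}}
ACCESS_TTL = 600   # short-lived access tokens (seconds); refresh keeps them short
CODE_TTL = 60      # authorization codes expire quickly and are single use
_codes, _refresh = {}, {}   # code -> (client_id, redirect_uri, expiry); refresh -> client_id

def handle_authorize(url):
    """Validate an /authorize request as the OAuth client sends it; return a code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("response_type") != "code" or q.get("client_id") != CLIENT["client_id"]:
        return {"error": "invalid_request"}
    if q.get("redirect_uri") not in CLIENT["redirect_uris"]:  # exact match, never prefix
        return {"error": "invalid_request"}
    if not q.get("state"):  # state is echoed back so the client can detect CSRF
        return {"error": "invalid_request"}
    code = secrets.token_urlsafe(24)
    _codes[code] = (q["client_id"], q["redirect_uri"], time.time() + CODE_TTL)
    return {"code": code, "state": q["state"], "redirect_uri": q["redirect_uri"]}

def handle_token(form):
    """Handle the /token call for the authorization_code and refresh_token grants."""
    if form.get("client_id") != CLIENT["client_id"] or not secrets.compare_digest(
            form.get("client_secret", ""), CLIENT["client_secret"]):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        entry = _codes.pop(form.get("code"), None)  # pop: a code can be redeemed once
        if not entry or entry[1] != form.get("redirect_uri") or entry[2] < time.time():
            return {"error": "invalid_grant"}
    elif grant == "refresh_token":
        # pop: refresh tokens rotate, so a replayed old token is rejected
        if _refresh.pop(form.get("refresh_token"), None) != CLIENT["client_id"]:
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    refresh = secrets.token_urlsafe(32)
    _refresh[refresh] = CLIENT["client_id"]
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}
```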

Hi @dragos, I am getting a much better picture of SCIM integration with Okta. So, thank you!

The SCIM_PROVISIONING feature is currently in GA, however it’s not deployed automatically to customer tenants. You can request it through a support ticket.

Are there restrictions on the type of tenant that this SCIM_PROVISIONING feature can be enabled for? Basically, available to all tenants by request?

I came across this repo’s README, which has a section about what is not supported in Okta’s SCIM implementation. It appears that the /Schemas and the /ServiceProviderConfig endpoints were not supported at the time of writing, but were mentioned as being planned. Are these supported now? It also seems that querying by a POST request to the /Users endpoint is not supported either. Is there any plan to support this, and if so, when might it be available?

Hi @praneetloke

There are no restrictions for the type of tenants on which SCIM_PROVISIONING feature can be enabled.

The endpoints /Schemas and /ServiceProviderConfig are not supported yet.
Regarding POST on /Users, please suggest this as a feature request by going to our community portal support.okta.com >> Product >> Ideas.

Hi @dragos

I’m starting to plan and implement a SCIM App Integration, and I’m curious if there is any more documentation around the OAuth2 flows you want us to implement, since I still have some concerns and would love more details around the login flow and access_token/refresh_token expectations from Okta.

  • I’m worried about the expiry of the returned access_token. We’re using Auth0 as our main IDP, and I do not want to change the access_token expiry to be long-lived; does Okta/OIN properly ask for refresh_tokens and refresh the access_tokens?