Is publishing to the OIN required for SCIM provisioning?

Hi @praneetloke

  • Is publishing to the OIN mandatory?

SCIM provisioning can be done in two ways - through SCIM templates (available for integrator accounts) and Application Integration Wizard apps that have provisioning capabilities. For the second option, you will need to request the SCIM_PROVISIONING feature for your Okta org by sending an email to support@okta.com.

OIN publishing is required if you want your customers to be able to find your application easily and integrate it in their Okta tenant. If you want to use it only for your Okta tenant, then you don’t need to submit it to the Apps Team for review. If you want to have it available to only a few specific customers, then you can request during submission on oinmanager.okta.com that you want the application to be private and available for only a few Okta tenants that you provide.

  • We support SAML SSO for our customers who use Okta. In some topics in this forum I read something about “merging” SAML SSO and SCIM. Does this mean a single app in Okta can be assigned to users for both single sign-on and SCIM provisioning? Can this “merging” be done with a custom app that our customer creates in their org?

To submit an application through oinmanager.okta.com, you must have a SAML integration done through the Application Integration Wizard for SSO and/or a SCIM template for provisioning.

After the application passes all the reviews, these two applications will be merged together by the Apps Team and then published in OIN (with public or private visibility).

  • If using the OAuth2 authorization code grant flow for the SCIM API, the SCIM document (linked above) mentions the redirect URIs to support, but there is no mention of what other information Okta will pass in the /authorize URL, or any other details about the code exchange.

The details available here can be used for implementing the required attributes that Okta will send to your authorization server.