We have a new SPA application we are building using NextJS. We have it configured and OIDC is working fine between Okta and our Application. However, we want all the users of our application to be federated. For example, we have set up a SAML 2.0 IdP for our application connecting to Azure AAD.
This is working great as well. I can enter my work email and I get redirected to our corporate login. Now I want to have my application populated with all the users/groups from my tenant in Azure AAD. We figured we would do this with the SCIM protocol; however, there doesn’t seem to be a Provisioning option for an application with the Sign On configuration set to OpenID Connect. From articles I have seen in the Dev Forum and other support documents I am thinking this isn’t supported.
I want to be sure before I go any further.
Configure SCIM for a Custom OIDC App (okta.com)
It is ok if this isn’t possible, it may lead us to Auth0 or creating our own SCIM server. Looks like Auth0 is hoping to have inbound SCIM this year, SCIM support at Auth0 - Auth0 Community
It sounds like there are 2 parts to this
- OIDC apps supporting SCIM
- Inbound SCIM into Okta
For OIDC applications created with the Application Wizard there currently is no SCIM provisioning option. For OIDC applications that will be submitted to the OIN, these can include SCIM.
This is not much of an issue. Even though OIDC apps don’t have a provisioning option, you can still set up a SWA/SAML app that is only used for provisioning, or use one of the Okta SCIM 2.0 template types. You would end up with 2 apps: the OIDC app and then the other app used only for provisioning. Assigning both apps the same users would have the same desired outcome.
For Inbound SCIM, this is a completely different issue. Currently Okta does not have an inbound solution, but I believe there have been discussions. What most will do is set up one of the above SCIM solutions and set it up to do imports as well as push.
It doesn’t appear that Azure AAD exposes a SCIM endpoint for Okta to talk to. Azure AAD will provision/push to an external SCIM server, but it doesn’t seem to expose one, so we can’t connect Okta to it.