Skip to main content

Configure SCIM provisioning in Okta

This procedure explains how to configure system for cross-domain identity management (SCIM) provisioning between Okta and DigiCert​​®​​ account.

SCIM provisioning allows Okta to automatically create, update, and deactivate users and groups in DigiCert​​®​​ account. User access is managed through Okta groups and synced using the SCIM protocol.

SCIM provisioning and single sign-on (SSO) are configured using separate Okta applications. If you’re also using SSO, you must configure the SSO and SCIM applications independently.

Before you begin

You need elevated privileges in DigiCert account and Okta:

  • Account admin user group required in DigiCert account.

    How do I check my user group?

  • Application Administrator or equivalent role required in Okta.

Step 1: Enable SCIM provisioning in DigiCert® account

Before configuring Okta, you must enable SCIM provisioning in DigiCert® account and generate the connection details required by Okta.

  1. In DigiCert​​®​​ account, select Accounts () > Identity and access.

  2. In the User lifecycle section, select Automated user provisioning with SCIM.

  3. In the Enable users and group sync section, switch to enable SCIM provisioning.

  4. Under SCIM base URL, select Copy.

  5. Select Generate token.

    1. Select how long the token should remain valid.

    2. Select Generate token.

    3. Under Token, select Copy.

    4. Select Done.

Suggerimento

Keep the SCIM base URL and token available. You use them when configuring SCIM in Okta.

Step 2: Create and configure a SCIM application in Okta

Your SSO application in Okta can’t be used to configure SCIM, you must create a separate application for SCIM:

  1. Sign in to your Okta admin dashboard.

  2. Go to Applications > Applications.

  3. Select Create App Integration.

  4. Select Create API Integration.

  5. Select Next.

  6. Open the Provisioning tab.

  7. Select Configure API Integration.

  8. Select the checkbox Enable API integration.

  9. Finish the following fields:

    1. SCIM 2.0 Base URL

      Enter the SCIM base URL copied from DigiCert® account in Step 1.4.

    2. OAuth Bearer Token

      Enter the token generated in DigiCert® account in Step 1.5.c.

  10. Select the checkbox Import Groups.

  11. Select Test API Credentials.

    A success message confirms that the credentials were verified.

  12. Select Save.

Step 3: Enable provisioning actions

When the SCIM application for DigiCert​​®​​ account is saved, enable the following provisioning actions to allow Okta to manage the full user lifecycle in DigiCert​​®​​ account.

  1. In the Provisioning to App section, enable the following options:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users

  2. Select Save.

Step 4 : Assign groups to the SCIM application

User access in DigiCert® account is managed using Okta groups.

  1. Select the Assignments tab.

  2. Select Assign > Assign to Groups.

  3. Select Assign next to the group you want to provision.

  4. Select Save and Go Back.

  5. Repeat the previous three steps for any additional groups.

  6. Select Done.

Suggerimento

If SSO is enabled for DigiCert® account, assign the same user groups to both the SSO application and the SCIM application in Entra for consistency.

Step 5: Push groups to DigiCert® account

To sync group membership:

  1. Select the Push Groups tab.

  2. Select Push Groups > Find groups by name.

  3. In the By name field, enter and select the name of the group you want to push.

  4. Select Save if you’re pushing one group, or Save and Add Another to push multiple groups.

  5. Repeat the previous two steps for any additional groups.

Suggerimento

The Push Status column should change from Pushing to Active within seconds.

Step 6: Verify provisioning in Okta

You can verify users and groups in Okta from the Assignments tab:

  1. Select People to view assigned users.

  2. Select Groups to view assigned groups.

Step 7: Verify provisioning in DigiCert® account

Users and groups you’ve assigned in step 6 should also show in your DigiCert account, if the SCIM application in Okta has a Push Status of Active:

  1. In DigiCert​​®​​ account, select Access ().

  2. Select Users to view a consolidated list of all your users, this includes manually created users and users provisioned through SCIM.

  3. Select Groups to view a consolidated list of groups:

    1. The Managed by column displays DigiCert for default DigiCert groups.

    2. The Managed by column displays Identity provider for groups provided by your IdP.

Step 8: Assign roles to groups in DigiCert® account

Users in the IdP group are assigned the roles that you define in DigiCert account.

Attenzione

If a user was manually assigned user roles before SCIM, to prevent breaking existing workflows, these roles remain, in addition to the roles assigned to the SCIM group. To solely rely on SCIM groups for user role management, manually remove user roles.

  1. In DigiCert​​®​​ account, select Access ().

  2. Select Groups to assign user roles:

  3. Select the name of a SCIM group.

    The Managed by column shows Identity provider for groups provided by your IdP.

  4. Select Group access.

  5. Select Update group access.

  6. In the Services field, select the checkbox next to all the DigiCert Service this user group should have access to.

  7. In the User roles section of each service, select the check box of the user roles that this user group should have.

  8. Select Assign access.

In questa sezione: