Configure SCIM provisioning in Okta

This procedure explains how to configure System for Cross-domain Identity Management (SCIM) provisioning between Okta and DigiCert® account.

SCIM provisioning allows Okta to automatically create, update, and deactivate users and groups in DigiCert® account. User access is managed through Okta groups and synchronized using the SCIM protocol.

SCIM provisioning and single sign-on (SSO) are configured using separate Okta applications. If you are also using SSO, you must configure the SSO and SCIM applications independently.

Before you begin

You need elevated privileges in DigiCert account and Okta:

  • Account admin user group required in DigiCert account.

  • Application Administrator or equivalent role required in Okta.

Step 1: Enable SCIM provisioning in DigiCert® account

Before configuring Okta, you must enable SCIM provisioning in DigiCert® account and generate the connection details required by Okta.

  1. In DigiCert® account, select Accounts > Identity and access.

  2. In the User lifecycle section, select Automated user provisioning with SCIM.

  3. In the Enable users and group sync section, switch to enable SCIM provisioning.

  4. Under SCIM base URL, select Copy.

  5. Select Generate token.

    1. Select how long the token should remain valid.

    2. Select Generate token.

    3. Under Token, select Copy.

    4. Select Done.

Tip

Keep the SCIM base URL and token available. You will use them when configuring SCIM in Okta.

Step 2: Create and configure a SCIM application in Okta

Your SSO application in Okta cannot be used to configure SCIM; you must create a separate application for SCIM:

  1. Sign in to your Okta admin dashboard.

  2. Go to Applications > Applications.

  3. Select Create App Integration.

  4. Select Create API Integration.

  5. Select Next.

  6. Open the Provisioning tab.

  7. Select Configure API Integration.

  8. Select the checkbox Enable API integration.

  9. Complete the following fields:

    1. SCIM 2.0 Base URL

      Paste the SCIM base URL copied from DigiCert® account in Step 1.4.

    2. OAuth Bearer Token

      Paste the token generated in DigiCert® account in Step 1.5.3.

  10. Select the checkbox Import Groups.

  11. Select Test API Credentials.

    A success message confirms that the credentials were verified.

  12. Select Save.

Step 3: Enable provisioning actions

Once the SCIM application for DigiCert® account is saved, enable the following provisioning actions to allow Okta to manage the full user lifecycle in DigiCert® account.

  1. In the Provisioning to App section, enable the following options:

    1. Create Users

    2. Update User Attributes

    3. Deactivate Users

  2. Select Save.

Step 4: Assign groups to the SCIM application

User access in DigiCert® account is managed using Okta groups.

  1. Select the Assignments tab.

  2. Select Assign > Assign to Groups.

  3. Select Assign next to the group you want to provision.

  4. Select Save and Go Back.

  5. Repeat the previous three steps for any additional groups.

  6. Select Done.

Tip

If SSO is enabled for DigiCert® account, assign the same user groups to both the SSO application and the SCIM application in Okta to keep access consistent.

Step 5: Push groups to DigiCert® account

To synchronize group membership:

  1. Select the Push Groups tab.

  2. Select Push Groups > Find groups by name.

  3. In the By name field, enter and select the name of the group you want to push.

  4. Select Save if you are pushing one group, or Save and Add Another to push multiple groups.

  5. Repeat the previous two steps for any additional groups.

Tip

The Push Status column should change from Pushing to Active within seconds.

Step 6: Verify provisioning in Okta

You can verify users and groups in Okta from the Assignments tab:

  1. Select People to view assigned users.

  2. Select Groups to view assigned groups.

Step 7: Verify provisioning in DigiCert® account

The people and groups you identified in Step 6 should also appear in your DigiCert account, provided that the SCIM application in Okta has a Push Status of Active:

  1. In DigiCert® account, select Access.

  2. Select Users to view a consolidated list of all your users, including manually created users and users provisioned through SCIM.

  3. Select Groups to view a consolidated list of groups:

    1. The Source column displays Platform for default DigiCert groups.

    2. The Source column displays SCIM for groups provided by your IdP.
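The comparison in Steps 6 and 7 can also be done mechanically. The following is an added example, not DigiCert or Okta code: it reconciles the users assigned in Okta against a user list in the standard SCIM 2.0 ListResponse format (RFC 7644) and reports accounts that were not provisioned, accounts that are still active without an assignment, and assigned accounts that are inactive. It assumes you already have the target's user list in that format; the function name, the `manual` allowlist for manually created users, and the sample data are constructed for illustration.

```python
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def reconcile(list_response, assigned, manual=()):
    """Compare a SCIM 2.0 ListResponse of Users with the IdP's assigned user names.

    Returns (missing, stale, inactive), each a sorted list of user names:
      missing  - assigned in the IdP but absent from the target
      stale    - active in the target, not assigned, and not a known manual account
      inactive - assigned in the IdP but inactive in the target
    """
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = list_response.get("Resources", [])
    # A partial page would make present users look missing, so refuse it.
    if list_response.get("totalResults", len(resources)) > len(resources):
        raise ValueError("paged response: collect all pages before reconciling")
    # userName is case-insensitive in RFC 7643, so compare case-folded.
    # Assumption: a user without an "active" attribute is treated as active.
    target = {u["userName"].casefold(): u.get("active", True) for u in resources}
    wanted = {name.casefold() for name in assigned}
    allowed = {name.casefold() for name in manual}
    missing = sorted(wanted - set(target))
    stale = sorted(n for n, active in target.items()
                   if active and n not in wanted and n not in allowed)
    inactive = sorted(n for n in wanted & set(target) if not target[n])
    return missing, stale, inactive


# Constructed sample data (not taken from any real account).
SAMPLE = {
    "schemas": [LIST_RESPONSE],
    "totalResults": 4,
    "Resources": [
        {"userName": "alice@example.com", "active": True},
        {"userName": "bob@example.com", "active": True},     # unassigned in the IdP
        {"userName": "Carol@example.com", "active": False},  # assigned but inactive
        {"userName": "admin@example.com", "active": True},   # manually created
    ],
}
ASSIGNED = ["alice@example.com", "carol@example.com", "dave@example.com"]
MANUAL = ["admin@example.com"]

if __name__ == "__main__":
    missing, stale, inactive = reconcile(SAMPLE, ASSIGNED, MANUAL)
    print("not provisioned:", missing)
    print("active without assignment:", stale)
    print("assigned but inactive:", inactive)
```

An entry in the second list is either a deactivation that did not reach the target or a manually created user missing from the allowlist, so review it rather than removing it automatically.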