Subscription Required: SCIM is available on select subscription plans only. Contact Support to learn more: Send an email to Support
Note: For information on SCIM Provisioning to create and manage new Users, click here.
What is User Deprovisioning with SCIM?
SCIM is an open standard that automates user management between an identity provider (IdP) and a SaaS service provider, in this case Loopio. With our SCIM implementation, you can automatically deprovision (disable) an existing Loopio user directly within the IdP.
Prerequisites
- You currently use Okta for your user management needs
- You have SAML SSO enabled with Loopio. If you are already using SSO, steps 1-4 of Configuring SCIM User Deprovisioning in Okta below may already be completed
- You have generated a SCIM token through the Loopio Admin Integrations page. To learn more about generating SCIM tokens see our article: How Do I Generate a Token for SCIM User Deprovisioning?
Configuring SCIM User Deprovisioning in Okta
Tip: To request a Loopio Sandbox for testing, reach out to our Support Team. Send an email to Support
- In Okta navigate to Applications > Applications and select Create App Integration
- Select SAML 2.0 as the sign-in method and click Next
- Fill in the details for your application on the General Settings page and click Next
- Navigate to the Configure SAML page, then under ‘SAML Settings’ fill in the section with the values from the table below:
| Setting | Value |
| --- | --- |
| Single sign-on URL | https://LOOPIO_URL/sso_saml/module.php/saml/sp/saml2-acs.php/loopio-sp |
| SP Entity ID | loopio-sp |
| Default RelayState | https://LOOPIO_URL/home |
| NameID Format | Unspecified |
| Application username | Email |
| Update application username on | Create and update |
Note: Replace ‘LOOPIO_URL’ with the domain of your Loopio instance. Learn more: What is my Company's Loopio URL?
- Fill out the Feedback section and click Finish
- After you have created your application, on your application’s details page navigate to General and check Enable SCIM provisioning then click Save
- On your application’s details page navigate to Provisioning > Integration and fill in the form with the values in the table below. Click Save.
| Setting | Value |
| --- | --- |
| SCIM connector base URL | https://api.loopio.com/scim/v2 |
| Unique Identifier field for users | userName |
| Supported provisioning actions (checked options) | Import New Users and Profile Updates; Push Profile Updates |
| Authentication Mode | HTTP Header |
| Authorization | Your unique Bearer Token |
Tip: If you are testing SCIM in a Loopio Sandbox (INT01) environment, use the SCIM connector base URL https://api.int01.loopio.com/scim/v2
Note: The HTTP Header Bearer token will be the SCIM token created through the Loopio Admin Integrations page. To learn more about generating SCIM tokens see our article: How Do I Generate a Token for SCIM User Deprovisioning?
- On your application’s details page navigate to Provisioning > To App and enable Deactivate Users. This will simultaneously disable users in Loopio when they are unassigned from your application in Okta or when their account is deactivated in Okta. Click Save.
Tip: You can optionally enable Update User Attributes to synchronize updating a user’s attributes in Loopio when they are modified in Okta. You can also choose to use SCIM to manage User provisioning, read more: Setting Up SCIM 2.0 User Provisioning with Okta
Importing and Assigning Users in Okta
- On your application’s details page navigate to Import and click Import Now. You should now see a list of your Loopio users on the page
- After your users are imported, confirm their assignment to your application by checking the checkbox beside their name. You can do this individually on each user’s import card or in bulk by checking the checkbox next to Okta User Assignment. After you have made your selections click Confirm Assignments
Note that if there is no existing match of an imported Loopio user to a user in your Okta directory, a new Okta user will be assigned to the Loopio user when they are imported. The new Okta user will have a status of Staged and can be activated by finding the user in Directory > People and clicking Activate on that user.
Note: If you do not see Loopio users appearing above, ensure that each user’s Okta username matches their Loopio email address, as this is what is used to modify the user in Loopio.
- Your users have now been assigned to your application and you can view them by navigating to Assignments and clicking on People in the filters list
Unassigning a User in Okta
- On your application’s details page navigate to Assignments. Ensure the filter is set to People
- Find the person you want to unassign, and click the X next to their name. This will unassign them from your application in Okta and simultaneously disable their account in Loopio
Tip: If the Assignment type is Group, you will need to remove the user from the relevant group that is assigned Loopio access. [External - Okta reference] Remove people from a group
Reassigning a User in Okta
- On your application’s details page navigate to Assignments
- Click Assign to open the dropdown and then Assign to People
- Find the user you want to assign and click Assign next to their name, then Save and Go Back.
- Repeat this for all the users you want to assign and then click Done. The user will now be reassigned to your application in Okta and re-enabled in Loopio
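One way to check that unassigning and reassigning in Okta has had the described effect in Loopio, shown as an added example that is not Loopio's or Okta's own code: it compares a SCIM 2.0 user list against the Okta assignment list and reports accounts that are still active after unassignment or still disabled after reassignment. The sample data, the function names and the assumption that the SCIM endpoint returns a standard RFC 7644 ListResponse for /Users are illustrative.

```python
# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) as a GET on
# <SCIM connector base URL>/Users would return it. Not real Loopio output.
SCIM_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "101", "userName": "Alice@example.com", "active": True},
        {"id": "102", "userName": "bob@example.com", "active": True},
        {"id": "103", "userName": "carol@example.com", "active": False},
        {"id": "104", "userName": "dave@example.com", "active": False},
    ],
}
# Constructed sample: Okta usernames currently assigned to the Loopio app.
OKTA_ASSIGNED = ["alice@example.com", "carol@example.com", "erin@example.com"]


def normalize(user_name):
    """Match on userName (the email address), ignoring case and padding."""
    return user_name.strip().lower()


def reconcile(scim_list, okta_assigned):
    """Return accounts whose Loopio state disagrees with Okta assignment."""
    resources = scim_list.get("Resources", [])
    # A partial page would hide accounts from the audit, so refuse it.
    if scim_list.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial ListResponse: fetch all pages first")
    assigned = {normalize(u) for u in okta_assigned}
    seen = set()
    report = {"still_active": [], "not_reenabled": []}
    for res in resources:
        name = normalize(res.get("userName", ""))
        seen.add(name)
        active = res.get("active", True)  # missing flag counts as active
        if active and name not in assigned:
            report["still_active"].append(name)   # unassigned, not disabled
        elif not active and name in assigned:
            report["not_reenabled"].append(name)  # reassigned, still disabled
    report["missing_in_loopio"] = sorted(assigned - seen)
    return report


if __name__ == "__main__":
    for finding, users in reconcile(SCIM_LIST_RESPONSE, OKTA_ASSIGNED).items():
        print(f"{finding}: {users}")
```

An entry under `still_active` is the finding to act on first: the account has lost its Okta assignment but remains enabled in Loopio.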