Skip to main content

Setting Up SCIM 2.0 User Provisioning with Okta

Updated
 

Subscription Required: SCIM is available on select subscription plans only. Contact Support to learn more: Send an email to Support

 

Note: For information on SCIM Deprovisioning to manage the disabling of Users, click here.

What is User Provisioning with SCIM?

SCIM is an open standard that automates user management from an IDP and a SaaS service provider, in this case, Loopio. With our SCIM implementation, you are able to automatically provision / create a Loopio user directly within the IDP.

Prerequisites

Configuring SCIM User Provisioning in Okta

 

Tip: To request a Loopio Sandbox for testing, reach out to our Support Team. Send an email to Support

 

Permissions Required: General Admin 1 (Manager) permissions or higher are required to generate a SCIM token to use in Okta. To learn more about generating SCIM tokens start here: How Do I Generate a Token for SCIM User Deprovisioning? 

  1. In Okta navigate to Applications > Applications and select Create App Integration
    Okta Create App Integration button indicated.png
  2. Select SAML 2.0 as the sign-in method and click Next
    SAML 2_0 selected.png
  3. Fill in the details for your application on the General Settings page and click Next
  4. Navigate to the Configure SAML page, then under ‘SAML Settings’ fill in the section with the values from the table below:
    Single sign-on URL https://UNIQUE_LOOPIO_DOMAIN/sso_saml/module.php/saml/sp/saml2-acs.php/loopio-sp
    SP Entity ID loopio-sp
    Default RelayState https://UNIQUE_LOOPIO_DOMAIN/home
    NameID Format Unspecified
    Application username Email
    Update application username on Create and update

     

    Note: Replace ‘UNIQUE_LOOPIO_DOMAIN’ with the domain of your Loopio instance. Learn more: What is my Company's Loopio URL?

  5. Fill out the Feedback section and click Finish
  6. After you have created your application, on your application’s details page navigate to General and check Enable SCIM provisioning then click Save
    Enable SCIM Provisioning option indicated.png
  7. On your application’s details page navigate to Provisioning > Integration and fill in the form with the values in the table below, then click Save
    SCIM Provisioning options for Provisioning users.png
    SCIM connector base URL https://api.loopio.com/scim/v2
    Unique Identifier field for users userName
    Supported provisioning actions (checked options)

    Import New Users and Profile Updates
    Push New Users
    Push Profile Updates
    Authentication Mode HTTP Header
    Authorization Your unique Bearer Token

     

    Tip: If you are testing SCIM in a Loopio Sandbox (INT01) environment, use the SCIM connector base URL https://api.int01.loopio.com/scim/v2

     

    Note: The HTTP Header Bearer token will be the SCIM token created through the Loopio Admin Integrations page. To learn more about generating SCIM tokens see our article: How Do I Generate a Token for SCIM User Deprovisioning?

  8. On your application’s details page navigate to Provisioning > To App and enable Create Users
    Okta App with Create and Update options selected.png
     

    Tip: You can optionally enable Update User Attributes to synchronize updating a user’s attributes in Loopio when they are modified in Okta. You can also choose to use SCIM to manage User deprovisioning, read more: Setting Up SCIM 2.0 User Deprovisioning with Okta

  9. Click Save

Adding and Mapping the Roles Attribute

 

Note: This guide provides common steps for adding and mapping the Roles Attribute in Okta. While the defaults work in many situations, consult the Okta documentation for any company-specific details.

If you do not already have the roles attribute set up, you will need to configure that following the steps below, or by configuring a Group Attribute.

  1. Go to the Okta Profile Editor for the Loopio App you created
  2. Click on Add Attribute
     

    Tip: Copy the "Variable Name" from your app's Profile Editor screen before clicking Add Attribute

    Add Attribute button on Profile Editor page.png

  3. Add an attribute with the values in the table below
    Add Attribute popup with values filled in.png
    Data Type String Array
    Display Name roles
    Variable Name

    Append _roles to the variable name you copied from your Loopio app
    External Name roles
    External Namespace

    Must be exactly

    urn:ietf:params:scim:schemas:core:2.0:User
    Group Priority Use Group Priority
    If prompted for User Permissions, select "Read Only"

  4. Return to the Loopio app you created and select Provisioning > To App
  5. Enable “Update User Attributes” in Provisioning Settings for the SCIM app if this has not been done already
  6. Scroll down and click Show Unmapped Attributes
    Show Unmapped Attributes.png
  7. Click the edit (pencil) icon beside the roles Attribute, and map the Attribute by linking it to an existing Attribute or giving a value, then click Save
    Attribute mapping popup.png
 

Note: Selecting "Same value for all users" will result in all users assigned to this application being given the same Role in Loopio. The Role Attribute value passed to Loopio should match an existing Role name in Loopio. Read more: How Do I Manage a Role's Permissions?

Related to

Related articles