Contents x
      WACM SCIM Provisioning in Okta
      • 11 Oct 2024
      • 5 Minutes to read
      • Print
      • PDF
      Contents

      WACM SCIM Provisioning in Okta

      • Updated on 11 Oct 2024
      • 5 Minutes to read
      • Print
      • PDF
      Article summary

      System for Cross-domain Identity Management (SCIM) is an open standard that simplifies the management of user identities in cloud-based applications and services. SCIM is commonly used to automate the provisioning (creation) and de-provisioning (deletion) user accounts across different systems. This is particularly important in scenarios where a user's identity needs to be synchronized across multiple platforms. 

      Users provisioned with Wasabi Account Control Management SCIM can log in to WACM only through SSO.  

      SCIM Supported Features

      The following features are supported for your SCIM integration:

      • Create users
      • Update user attributes
      • Deactivate users

      Setting Up SCIM Provisioning in Okta

      You can use either of the following methods to configure Okta for the WACM SCIM app:

      Connecting WACM SCIM to Okta (Preconfigured)

      This section provides the preconfigured method for connecting the WACM SCIM app to Okta

      Create an Okta SCIM Integration

      1. Sign in to Okta with administrative credentials.
      2. Click Admin in the upper-right corner of the page.
      3. Click the Applications tab, then click Applications in the sidebar.
      4. Click Browse App Catalog where you will select the previously configured WACM SCIM app.
      5. Select All Integrations under Use Case.
      6. Enter Wasabi in the Search bar, then click the Wasabi Account Control Manager SCIM application tile.
      7. Click the General Settings tab, enter a name for the application, and then fill in the other required fields.
      8. Click Done.

      Configure SCIM Provisioning

      1. Click the Provisioning tab. 
      2. Under Settings in the sidebar click Integration, then click Configure API Integration.
      3. Check the Enable API Integration box.
      4. In the API Token field, enter the token used to access your SCIM implementation. Based on this token, WACM will create new users originating from the SCIM app for the appropriate accounts. See, Generate a WACM SCIM Token
      5. Click Test API Credentials to verify the token is set up correctly.
      6. Click Save.

      Configure Okta Integration

      1. Under the Applications tab, click the Provisioning tab on your Okta integration page. 
      2. Under Settings in the sidebar, click To App.
      3. Click Edit at the top right.
      4. Check each Enable box to select the user provisioning options.
      5. Click Save.

      Map User Attributes

      Attribute mapping for WACM SCIM is done automatically. Follow these steps to view Wasabi Account Control Manager Attribute Mappings.

      1. Under the Applications tab, click the Provisioning tab. 
      2. Under the Settings in the sidebar, Click To App.
      3. Scroll down to the Attribute Mappings section to view the Wasabi Account Control Manager Attribute Mappings

      Continue to the section Manage User Assignments and Roles Using Groups.

      Connecting WACM SCIM to Okta (Manually)

      This section provides the manual method for connecting to the WACM SCIM app to Okta.

      Create an Okta SCIM Integration

      1. Sign in to Okta with administrative credentials.
      2. Click Admin in the upper-right corner of the page.
      3. Click the Applications tab, then click Applications in the sidebar.
      4. Select a version of SCIM depending on the version of SCIM supported by your server. When using only SCIM, the type of application must be SWA (Secure Web Authentication). 
      5. Click Done.

      Configure SCIM Provisioning

      1. Under the Settings sidebar, click To App.
      2. Click Edit at the top right.
      3. Enable the SCIM Provisioning option to activate SCIM capabilities.
      4. Click Save.

      Configure Okta Integration

      1. In Application Settings, click the Provisioning tab. The SCIM connection settings are displayed under Settings.
      2. Select Integration in the left panel and click Edit

      3. Enter the SCIM connector base URL: https://scim.wacm.wasabisys.com
      4. Enter the Unique Identifier field for users on your SCIM server.
      5. Under the Supported provisioning actions, choose the  provisioning actions supported by your SCIM server:
        • Import New Users and Profile Updates — Allows Okta to import new users from your platform.
        • Push New Users — Permits your platform to push new user information to Okta.
        • Push Profile Updates — Enables your platform to push updates to user profiles in Okta.
      6. Choose the Authentication Mode: HTTP Header
        When adding new users to the app or to the groups that belong to the app using SCIM protocol, API calls will be made to the SCIM Server and every API call will contain the specified Authorization token.
        • Generate a token in the Account tab (found in the user's profile).
        • Use the generated token to add/update/delete a user.
      7. In the HTTP Header section in the Authorization: Bearer field, enter {YOUR_AUTH_TOKEN}
        Define the HTTP Header used for authorization. This typically involves specifying the type of authorization (for example, Bearer) and providing the necessary authentication token or credentials.
      8. Click Save.

      Map User Attributes

      Okta uses the Profile Editor to map specific user attributes from the Wasabi Account Control Manager application.

      1. Go to the Applications section and select the Wasabi Account Control Manager application to customize user attributes.
      2. Navigate to Provisioning, under Settings in the sidebar, then select To App.
      3. Click Go To Profile Editor and locate the section displaying the selected application's user attributes.
      4. Click Mappings. The mapping attributes are used to provision users with access to our platform.

      5. Remove all mappings, except the following:
        • appuser.givenName
        • appuser.familyName
        • appuser.email
      6. Click Save Mappings. 
      7. Click Add Attribute and add the Role attribute.
      8. Verify the Data type is string.
      9. Enter the Display name: Role.
      10. Verify the Variable name.
      11. Verify the External name is role.
      12. Verify the External namespace is urn:ietf:params:scim:schemas:core:2.0:user
      13. Enter a Description for the role.
      14. Check the Enum box Define enumerated list of values.
      15. Check the Attribute required box Yes.
      16. In Attribute members, click Add Another and enter the Display name and Value for all role attributes listed here:
      Display NameValue
      Governance Plus AdminDISTRIBUTOR_PLUS_ADMIN
      Governance Plus StaffDISTRIBUTOR_PLUS_STAFF
      Governance Plus Staff (Lite)DISTRIBUTOR_PLUS_STAFF_LITE
      Governance Plus ViewerDISTRIBUTOR_PLUS_VIEWER
      Governance AdminDISTRIBUTOR_ADMIN
      Governance StaffDISTRIBUTOR_STAFF
      Governance ViewerDISTRIBUTOR_VIEWER
      Channel Account AdminCHANNEL_ACCOUNT_ADMIN
      Chanel Account StaffCHANNEL_ACCOUNT_STAFF
      Channel Account Staff (Lite)CHANNEL_ACCOUNT_STAFF_LITE
      Channel Account ViewerCHANNEL_ACCOUNT_VIEWER
      Control Account AdminRESELLER_ADMIN
      Control Account StaffRESELLER_STAFF
      Control Account Staff (Lite)RESELLER_STAFF_LITE
      Control Account ViewerRESELLER_VIEWER

      Finally, your attributes should look like this:

      Manage User Assignments and Roles Using Groups

      You can manually assign an individual user to a group.

      Individual User Assignment

      For individual users, the role must be assigned directly to each user profile. This approach is suitable when there are specific role assignments unique to each user.

      Group-Based User Assignment

      • Create Groups
        Rather than assigning roles individually, create groups within your identity management platform. These groups can be named based on their roles or responsibilities (for example, Admins, Editors, etc.).
      • Assign Roles to Groups
        Assign roles to the created groups. This means specifying the role attribute at the group level rather than at the individual user level.
      • Group-Based Provisioning
        Users added to these groups will inherit the roles assigned to the group. This group-based approach streamlines user management, especially when multiple users share the same role.

      Generate a WACM SCIM Token

      1. Sign in to the Wasabi Account Control Manager application and select My Profile. The Profile page is displayed.
      2. Click the Account tab.

      3. Scroll down to the SCIM Token section. 
      4. Click Generate Token. Based on this token, WACM will create new users originating from the SCIM app for the appropriate accounts. This is the token used in provisioning. 


      What's Next
      Copyright © 2024 by Wasabi Technologies LLC
      75 Arlington Street, Suite 810, Boston, MA 02116 USA
      All Rights Reserved
      Visit us at https://wasabi.com.
      WASABI and the WASABI logo are trademarks of Wasabi Technologies LLC and may not be used without permission of Wasabi Technologies. All other names are used for identification purposes only and are trademarks or registered trademarks of their respective companies.

      Information presented herein is subject to change without notice. Companies, names, and data used in examples are fictitious unless otherwise noted. No part of this information may be reproduced or transmitted in any form by means electronic or mechanical, for any purpose, without express written permission of Wasabi Technologies.
      ESC

      Eddy AI, facilitating knowledge discovery through conversational intelligence