WACM SCIM Provisioning in Okta
    • 11 Oct 2024

    System for Cross-domain Identity Management (SCIM) is an open standard that simplifies the management of user identities in cloud-based applications and services. SCIM is commonly used to automate the provisioning (creation) and de-provisioning (deletion) of user accounts across different systems. This is particularly important in scenarios where a user's identity needs to be synchronized across multiple platforms.

    Users provisioned with Wasabi Account Control Management SCIM can log in to WACM only through SSO.  

    SCIM Supported Features

    The following features are supported for your SCIM integration:

    • Create users
    • Update user attributes
    • Deactivate users

    Setting Up SCIM Provisioning in Okta

    You can use either of the following methods to configure Okta for the WACM SCIM app:

    Connecting WACM SCIM to Okta (Preconfigured)

    This section provides the preconfigured method for connecting the WACM SCIM app to Okta.

    Create an Okta SCIM Integration

    1. Sign in to Okta with administrative credentials.
    2. Click Admin in the upper-right corner of the page.
    3. Click the Applications tab, then click Applications in the sidebar.
    4. Click Browse App Catalog where you will select the previously configured WACM SCIM app.
    5. Select All Integrations under Use Case.
    6. Enter Wasabi in the Search bar, then click the Wasabi Account Control Manager SCIM application tile.
    7. Click the General Settings tab, enter a name for the application, and then fill in the other required fields.
    8. Click Done.

    Configure SCIM Provisioning

    1. Click the Provisioning tab. 
    2. Under Settings in the sidebar, click Integration, then click Configure API Integration.
    3. Check the Enable API Integration box.
    4. In the API Token field, enter the token used to access your SCIM implementation. Based on this token, WACM will create new users originating from the SCIM app for the appropriate accounts. See Generate a WACM SCIM Token.
    5. Click Test API Credentials to verify the token is set up correctly.
    6. Click Save.

    Configure Okta Integration

    1. Under the Applications tab, click the Provisioning tab on your Okta integration page. 
    2. Under Settings in the sidebar, click To App.
    3. Click Edit at the top right.
    4. Check each Enable box to select the user provisioning options.
    5. Click Save.

    Map User Attributes

    Attribute mapping for WACM SCIM is done automatically. Follow these steps to view Wasabi Account Control Manager Attribute Mappings.

    1. Under the Applications tab, click the Provisioning tab. 
    2. Under Settings in the sidebar, click To App.
    3. Scroll down to the Attribute Mappings section to view the Wasabi Account Control Manager Attribute Mappings.

    Continue to the section Manage User Assignments and Roles Using Groups.

    Connecting WACM SCIM to Okta (Manually)

    This section provides the manual method for connecting the WACM SCIM app to Okta.

    Create an Okta SCIM Integration

    1. Sign in to Okta with administrative credentials.
    2. Click Admin in the upper-right corner of the page.
    3. Click the Applications tab, then click Applications in the sidebar.
    4. Select the SCIM version that your SCIM server supports. When using only SCIM, the application type must be SWA (Secure Web Authentication).
    5. Click Done.

    Configure SCIM Provisioning

    1. Under the Settings sidebar, click To App.
    2. Click Edit at the top right.
    3. Enable the SCIM Provisioning option to activate SCIM capabilities.
    4. Click Save.

    Configure Okta Integration

    1. In Application Settings, click the Provisioning tab. The SCIM connection settings are displayed under Settings.
    2. Select Integration in the left panel and click Edit.
    3. Enter the SCIM connector base URL: https://scim.wacm.wasabisys.com
    4. Enter the Unique Identifier field for users on your SCIM server.
    5. Under the Supported provisioning actions, choose the provisioning actions supported by your SCIM server:
      • Import New Users and Profile Updates — Allows Okta to import new users from your platform.
      • Push New Users — Permits your platform to push new user information to Okta.
      • Push Profile Updates — Enables your platform to push updates to user profiles in Okta.
    6. Choose the Authentication Mode: HTTP Header
      When adding new users to the app, or to the groups that belong to the app, using the SCIM protocol, API calls are made to the SCIM server and every API call carries the specified Authorization token.
      • Generate a token in the Account tab (found in the user's profile).
      • Use the generated token to add/update/delete a user.
    7. In the HTTP Header section in the Authorization: Bearer field, enter {YOUR_AUTH_TOKEN}
      Define the HTTP Header used for authorization. This typically involves specifying the type of authorization (for example, Bearer) and providing the necessary authentication token or credentials.
    8. Click Save.

    Map User Attributes

    Okta uses the Profile Editor to map specific user attributes from the Wasabi Account Control Manager application.

    1. Go to the Applications section and select the Wasabi Account Control Manager application to customize user attributes.
    2. Navigate to Provisioning, under Settings in the sidebar, then select To App.
    3. Click Go To Profile Editor and locate the section displaying the selected application's user attributes.
    4. Click Mappings. The mapping attributes are used to provision users with access to our platform.
    5. Remove all mappings, except the following:
      • appuser.givenName
      • appuser.familyName
      • appuser.email
    6. Click Save Mappings. 
    7. Click Add Attribute and add the Role attribute.
    8. Verify the Data type is string.
    9. Enter the Display name: Role.
    10. Verify the Variable name.
    11. Verify the External name is role.
    12. Verify the External namespace is urn:ietf:params:scim:schemas:core:2.0:user.
    13. Enter a Description for the role.
    14. Check the Enum box Define enumerated list of values.
    15. Check the Attribute required box Yes.
    16. In Attribute members, click Add Another and enter the Display name and Value for all role attributes listed here:
      Display Name                    Value
      Governance Plus Admin           DISTRIBUTOR_PLUS_ADMIN
      Governance Plus Staff           DISTRIBUTOR_PLUS_STAFF
      Governance Plus Staff (Lite)    DISTRIBUTOR_PLUS_STAFF_LITE
      Governance Plus Viewer          DISTRIBUTOR_PLUS_VIEWER
      Governance Admin                DISTRIBUTOR_ADMIN
      Governance Staff                DISTRIBUTOR_STAFF
      Governance Viewer               DISTRIBUTOR_VIEWER
      Channel Account Admin           CHANNEL_ACCOUNT_ADMIN
      Channel Account Staff           CHANNEL_ACCOUNT_STAFF
      Channel Account Staff (Lite)    CHANNEL_ACCOUNT_STAFF_LITE
      Channel Account Viewer          CHANNEL_ACCOUNT_VIEWER
      Control Account Admin           RESELLER_ADMIN
      Control Account Staff           RESELLER_STAFF
      Control Account Staff (Lite)    RESELLER_STAFF_LITE
      Control Account Viewer          RESELLER_VIEWER

    Finally, your attributes should look like this:
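    The following added example (not part of the Wasabi article or Okta's own code) shows what the attribute mapping above produces on the wire and how a receiving SCIM server should check it: it builds a SCIM 2.0 User body carrying the three retained mappings plus the required Role attribute, and validates that the role is one of the fifteen enumerated values. The JSON shape follows RFC 7643; that WACM accepts exactly this shape is an assumption.

```python
# Namespace as entered in the Profile Editor step above; RFC 7643 spells it
# "...:2.0:User", so the check below compares case-insensitively.
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:user"
# Display name -> Value, as in the Role attribute's enumerated list above.
WACM_ROLES = {
    "Governance Plus Admin": "DISTRIBUTOR_PLUS_ADMIN",
    "Governance Plus Staff": "DISTRIBUTOR_PLUS_STAFF",
    "Governance Plus Staff (Lite)": "DISTRIBUTOR_PLUS_STAFF_LITE",
    "Governance Plus Viewer": "DISTRIBUTOR_PLUS_VIEWER",
    "Governance Admin": "DISTRIBUTOR_ADMIN",
    "Governance Staff": "DISTRIBUTOR_STAFF",
    "Governance Viewer": "DISTRIBUTOR_VIEWER",
    "Channel Account Admin": "CHANNEL_ACCOUNT_ADMIN",
    "Channel Account Staff": "CHANNEL_ACCOUNT_STAFF",
    "Channel Account Staff (Lite)": "CHANNEL_ACCOUNT_STAFF_LITE",
    "Channel Account Viewer": "CHANNEL_ACCOUNT_VIEWER",
    "Control Account Admin": "RESELLER_ADMIN",
    "Control Account Staff": "RESELLER_STAFF",
    "Control Account Staff (Lite)": "RESELLER_STAFF_LITE",
    "Control Account Viewer": "RESELLER_VIEWER",
}

def build_scim_user(given_name, family_name, email, role_display):
    """Body Okta would POST for a new user (assumed RFC 7643 User shape)."""
    if role_display not in WACM_ROLES:
        raise ValueError(f"unknown role display name: {role_display!r}")
    return {
        "schemas": [CORE_USER_SCHEMA],
        "userName": email,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "role": WACM_ROLES[role_display],  # the custom required attribute
        "active": True,
    }

def validate_scim_user(body):
    """Problems a receiving SCIM server should reject the user on."""
    problems = []
    schemas = [s.lower() for s in body.get("schemas", [])]
    if CORE_USER_SCHEMA not in schemas:
        problems.append("missing core User schema")
    name = body.get("name") or {}
    for attr in ("givenName", "familyName"):
        if not name.get(attr):
            problems.append(f"{attr} is required")
    if not any(e.get("value") for e in body.get("emails") or []):
        problems.append("email is required")
    if body.get("role") not in WACM_ROLES.values():
        problems.append(f"role {body.get('role')!r} is not in the enumerated list")
    return problems
```

    Rejecting any role value outside the enumerated list on the server side keeps a mis-typed or tampered mapping from granting an account a role WACM never defined.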

    Manage User Assignments and Roles Using Groups

    You can manually assign an individual user to a group.

    Individual User Assignment

    For individual users, the role must be assigned directly to each user profile. This approach is suitable when there are specific role assignments unique to each user.

    Group-Based User Assignment

    • Create Groups
      Rather than assigning roles individually, create groups within your identity management platform. These groups can be named based on their roles or responsibilities (for example, Admins, Editors, etc.).
    • Assign Roles to Groups
      Assign roles to the created groups. This means specifying the role attribute at the group level rather than at the individual user level.
    • Group-Based Provisioning
      Users added to these groups will inherit the roles assigned to the group. This group-based approach streamlines user management, especially when multiple users share the same role.

    Generate a WACM SCIM Token

    1. Sign in to the Wasabi Account Control Manager application and select My Profile. The Profile page is displayed.
    2. Click the Account tab.
    3. Scroll down to the SCIM Token section.
    4. Click Generate Token. Based on this token, WACM will create new users originating from the SCIM app for the appropriate accounts. This is the token used in provisioning.