---
title: "WACM SCIM Provisioning in Okta"
slug: "wacm-scim-provisioning-in-okta"
tags: ["Provisioning", "SCIM", "SCIM provisioning in Okta", "WACM SCIM provisioning"]
updated: 2026-01-30T18:34:41Z
published: 2026-01-30T18:34:41Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wasabi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WACM SCIM Provisioning in Okta

System for Cross-domain Identity Management (SCIM) is an open standard that simplifies the management of user identities in cloud-based applications and services. SCIM is commonly used to automate the provisioning (creation) and de-provisioning (deletion) user accounts across different systems. This is particularly important in scenarios where a user's identity needs to be synchronized across multiple platforms.

Users provisioned with Wasabi Account Control Management SCIM can log in to WACM only through SSO.

## SCIM Supported Features

The following features are supported for your SCIM integration:

- Create users
- Update user attributes
- Deactivate users

## Setting Up SCIM Provisioning in Okta

You can use either of the following methods to configure Okta for the WACM SCIM app:

- Connecting WACM SCIM to Okta (Preconfigured), below
- [Connecting WACM SCIM to Okta (Manually)](/v1/docs/wacm-scim-provisioning-in-okta#connecting-wacm-scim-to-okta-manually)

## Connecting WACM SCIM to Okta (Preconfigured)

This section provides the preconfigured method for connecting the WACM SCIM app to Okta.

### Create an Okta SCIM Integration

1. Sign in to Okta with administrative credentials.
2. Click **Admin** in the upper-right corner of the page.
3. Click the **Applications** tab, then click **Applications** in the sidebar.
4. Click **Browse App Catalog** where you will select the previously configured WACM SCIM app.
5. Select **All Integrations** under Use Case.
6. Enter **Wasabi**in the Search bar, then click the **Wasabi Account Control Manager** SCIM application tile.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1724178445649.png)
7. Click the **General Settings** tab, enter a name for the application, and then fill in the other required fields.
8. Click **Done**.

### Configure SCIM Provisioning

1. Click the **Provisioning** tab.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1724180953081.png)
2. Under Settings****in the sidebar click **Integration,** then click **Configure API Integration**.
3. Check the **Enable API Integration** box.
4. In the API Token****field, enter the token used to access your SCIM implementation. Based on this token, WACM will create new users originating from the SCIM app for the appropriate accounts. See [Generate a WACM SCIM Token](/v1/docs/wacm-scim-provisioning-in-okta#generate-a-wacm-scim-token).
5. Click **Test API Credentials** to verify that the token is set up correctly.
6. Click **Save**.

### Configure Okta Integration

1. Under the Applications tab, click the **Provisioning**tab on your Okta integration page.
2. Under Settings in the sidebar, click **To App.**
3. Click **Edit**at the top right**.**
4. Check each **Enable**box to select the user provisioning options.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1724248853727.png)
5. Click **Save**.

### Map User Attributes

Attribute mapping for WACM SCIM is done automatically. Follow these steps to view Wasabi Account Control Manager Attribute Mappings.

1. Under the Applications tab, click the **Provisioning**tab.
2. Under the Settings in the sidebar, Click **To App**.
3. Scroll down to the Attribute Mappings section to view the **W**asabi Account Control Manager Attribute Mappings.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1728653619711.png)

Continue to the section [Manage User Assignments and Roles Using Groups](/v1/docs/wacm-scim-provisioning-in-okta#manage-user-assignments-and-roles-using-groups).

## Connecting WACM SCIM to Okta (Manually)

This section provides the manual method for connecting to the WACM SCIM app to Okta.

### Create an Okta SCIM Integration

1. Sign in to Okta with administrative credentials.
2. Click **Admin** in the upper-right corner of the page.
3. Click the **Applications** tab, then click **Applications** in the sidebar.
4. Select a version of **SCIM** depending on the version of SCIM supported by your server. When using only SCIM, the type of application must be SWA (Secure Web Authentication).
5. Click **Done**.

### Configure SCIM Provisioning

1. Under the Settings****sidebar, click **To App**.
2. Click **Edit** at the top right.
3. Enable the **SCIM Provisioning** option to activate SCIM capabilities.
4. Click **Save**.

### Configure Okta Integration

1. In Application Setting**s**, click the **Provisioning** tab. The SCIM connection settings are displayed under Settings.
2. Select **Integration**in the left panel and click **Edit**.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1724698522738.png)
3. Enter the **SCIM connector base URL**: [https://scim.wacm.wasabisys.com](https://scim.wacm.wasabisys.com)
4. Enter the **Unique Identifier field for users** on your SCIM server.
5. Under the **Supported provisioning actions,**choose the provisioning actions supported by your SCIM server:
  - Import New Users and Profile Updates—Allows Okta to import new users from your platform.
  - Push New Users—Permits your platform to push new user information to Okta.
  - Push Profile Updates—Enables your platform to push updates to user profiles in Okta.
6. Choose the **Authentication Mode**: **HTTP Header** When adding new users to the app or to the groups that belong to the app using SCIM protocol, API calls will be made to the SCIM Server and every API call will contain the specified Authorization token.
  - Generate a token in the Account tab (found in the user's profile).
  - Use the generated token to add/update/delete a user.
7. In the HTTP Header section in the**Authorization: Bearer**field, enter {YOUR_AUTH_TOKEN} Define the HTTP Header used for authorization. This typically involves specifying the type of authorization (for example, Bearer) and providing the necessary authentication token or credentials.
8. Click **Save**.

### Map User Attributes

Okta uses the Profile Editor to map specific user attributes from the Wasabi Account Control Manager application.

1. Go to the Applications section and select the **Wasabi Account Control Manager** application to customize user attributes.
2. Navigate to Provisionin**g**, under Settings in the sidebar, then select **To App**.
3. Click **Go To Profile Editor** and locate the section displaying the selected application's user attributes.
4. Click **Mappings**. The mapping attributes are used to provision users with access to our platform.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1728652221934.png)
5. Remove all mappings, except****the following:
  - appuser.givenName
  - appuser.familyName
  - appuser.email
6. Click **Save Mappings.**
7. Click **Add Attribute** and add the **Role** attribute.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1709242820642.png)
8. Verify the **Data type** is **string**.
9. Enter the **Display name**: Role.
10. Verify the **Variable name**.
11. Verify the **External name**is **role**.
12. Verify the **External namespace** is **urn:ietf:params:scim:schemas:core:2.0:user**
13. Enter a **Description** for the role.
14. Check the **Enum** box **Define enumerated list of values.**
15. Check the **Attribute required**box **Yes.**
16. In **Attribute members**, click **Add Another** and enter the **Display name** and **Value**for all role attributes listed here:

| Display Name | Value |
| --- | --- |
| Governance Plus Admin | DISTRIBUTOR_PLUS_ADMIN |
| Governance Plus Staff | DISTRIBUTOR_PLUS_STAFF |
| Governance Plus Staff (Lite) | DISTRIBUTOR_PLUS_STAFF_LITE |
| Governance Plus Viewer | DISTRIBUTOR_PLUS_VIEWER |
| Governance Admin | DISTRIBUTOR_ADMIN |
| Governance Staff | DISTRIBUTOR_STAFF |
| Governance Viewer | DISTRIBUTOR_VIEWER |
| Channel Account Admin | CHANNEL_ACCOUNT_ADMIN |
| Chanel Account Staff | CHANNEL_ACCOUNT_STAFF |
| Channel Account Staff (Lite) | CHANNEL_ACCOUNT_STAFF_LITE |
| Channel Account Viewer | CHANNEL_ACCOUNT_VIEWER |
| Control Account Admin | RESELLER_ADMIN |
| Control Account Staff | RESELLER_STAFF |
| Control Account Staff (Lite) | RESELLER_STAFF_LITE |
| Control Account Viewer | RESELLER_VIEWER |

Finally, your attributes should look like this:

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1724777742786.png)

## Manage User Assignments and Roles Using Groups

You can manually assign an individual user to a group.

#### Individual User Assignment

For individual users, the role must be assigned directly to each user profile. This approach is suitable when there are specific role assignments unique to each user.

#### Group-Based User Assignment

- Create Groups—Rather than assigning roles individually, create groups within your identity management platform. These groups can be named based on their roles or responsibilities (for example, Admins, Editors, and so on).
- Assign Roles to Groups—Assign roles to the created groups. This means specifying the role attribute at the group level rather than at the individual user level.
- Group-Based Provisioning—Users added to these groups will inherit the roles assigned to the group. This group-based approach streamlines user management, especially when multiple users share the same role.

## Generate a WACM SCIM Token

1. Sign in to the Wasabi Account Control Manager application and select **My Profile**. The Profile page is displayed.
2. Click the **Account** tab.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1728670837578.png)
3. Scroll down to the SCIM Token section.
4. Click **Generate Token**. Based on this token, WACM will create new users originating from the SCIM app for the appropriate accounts. This is the token used in provisioning.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1724182681616.png)