Skip to main content
Skip table of contents

SCIM - Identify Management with Okta

Overview

SCIM (System for Cross-domain Identity Management) is an open standard protocol designed to simplify the process of managing user identities and groups across multiple domains, systems, and applications.

The IPscape SCIM with Okta solution provides a standardised way to perform key identity-related operations such as user provisioning, de-provisioning, and managing user attributes, group memberships, and roles.

Advantages of SCIM

  • Simplifies User Management: SCIM streamlines identity management by providing a common protocol, eliminating the need to build custom connectors for each application.

  • Improves Security: Automating provisioning and de-provisioning processes ensures that access is immediately granted or revoked as necessary, reducing security risks from inactive accounts.

  • Scalability: SCIM is ideal for large organizations with complex identity needs, as it allows for scalable and consistent management of users across systems.

  • Interoperability: As an open standard, SCIM is widely adopted and supported by many identity providers and applications, ensuring seamless integration.


1. Prerequisites

To set up the link between IPscape and Okta, the following will be required:

  • Access to the IPscape Workspace Administration module.

  • OKTA administration knowledge and access


2. Okta SCIM Configuration

Below are the instructions on how to set up OKTA for IPscape:

  • Sign into your Okta account as an Administrator

image-20241022-231824-20241121-035600.png

  • Select the “Admin” option located at the top right-hand side of the browser screen

    image-20241121-041316.png

  • In the side menu bar select Applications followed by Applications

image-20241022-232024-20241121-041034.png
  • Select Browse App Catalog

    image-20241121-041602.png

    • In the search bar, search for “SCIM 2.0”, You will see three Applications available for selection

      • Basic Auth

      • Header Auth

      • OAuth Bearer Token

It is recommended to select the “Basic Auth” or “OAuth Bearer Token”:

image-20241121-041806.png
  • Once selected, click Add Integration - This should only take a few seconds

    image-20241121-041922.png

  • In the General Settings tab,

    1. Provide a Name for your SCIM app, e.g. “SCIM IPscape”

    2. Enable “Automatically log in when user lands on login page”

    3. Click Next

image-20241121-042206.png
  • In the Sign-On Options tab

    • Select either SAML 2.0 [1] or Secure Web Authentication [2] (Secure Web Authentication is recommended)

    • Click Save.

image-20241121-042505.png

3. IPscape Workspace SCIM Configuration

  • Under the Administration menu in the IPscape Workspace, open the “Organisation settings” module and select the “Login and Security” tab.

  • Under Identity Management (SCIM) select the tick box next to Enable

  • Select Create to setup authentication between SCIM and the IPscape Workspace

    image-20241121-044341.png

  • In “Create Authentication”, select an Authentication Method; Basic Authentication or Bearer token.
    Bearer Token is recommended

  • Basic Authentication:

    • Name / Title

    • Username

    • Password.

image-20241121-043759.png
  • Bearer Token:

    • Name

    • Copy the URL link and Token

    • Expiry date

Ensure to keep a copy of the URL link and token in a secure location as the token will only be displayed a single time when it is created.

image-20241121-045710.png

A single tenant is only capable of making a maximum of two profiles.

Each profile must be of the same “Authentication Type”.


4. Provisioning Workspace Authentication in OKTA

  • In the OKTA Applications menu, select Applications and click on the newly created SCIM Application

    image-20241121-051218.png

  • Select the “Provisioning” tab, then from the side menu in the app select “Integration”. This is where you will select Enable API Integration and enter the URL and Token saved earlier for the Bearer Token Authentication.
    Then Press Test API Credentials and Save.

    image-20241121-051339.png

Provisioning the SCIM APP

  1. While still in the provisioning Tab, select the “To App” option and then select Enable for all options and press save.

image-20241210-230847.png

  1. While still in the provisioning Tab, select the “To Okta” option. Changes here are only recommended for experienced Okta Admin personnel and made if required. Otherwise, nothing changes.

image-20241210-231027.png

5. Adding Attributes and Mapping IPscape User, Agent and Teams Fields

There are 2 ways to implement the additional IPscape Mapping fields to Okta:

Manually – This method will take longer however ensures that all the fields are added without any disruption

Via API – This method is faster, however it is recommended that it be completed by an Okta Administrator with API expertise


Manual Field Mapping

Below is the manual method of adding Fields to Okta and the SCIM app:

  1. In Okta under the Directory Menu select the “Profile Editor” Module. Then select the User Default SCIM app

    image-20241210-231301.png
  2. Select the “+Add Attributes”  option

    image-20241210-231335.png
  3. Once selected you will see the below Screen with multiple fields to fill in

    image-20241210-231346.png

Field

Description

Data Type

All of the IPscape fields are String, leave as is

Display Name

This is the name of the Field e.g. Agent Username, Agent CLI

Variable Name

This is the field name in camel case e.g. agentUsername, agentCli

Description

Optional

Enum

This is used for fields that have multiple choices, e.g. Agent Connection Method would have multiple options. See the example below:

image-20241210-231705.png

Restriction

Optional (not recommended)

Attribute Length

This is if there is a character limit to the value

Attribute Required

Optional (not recommended)

User Permission

Hide is recommended

For a full data dictionary of all the IPscape Fields advising of what is required for all fields, please reach out to IPscape Support

  1. Once all of the IPscape Fields are added to the Default SCIM App, you will now need to do the same to the SCIM App created:

image-20241210-231820.png

Field

Description

External Name

This will populate itself

External Namespace

This will relate to one of the below schemas you will see how these are mapped to the Fields in following link:

  • Okta User only Fields: urn:ietf:params:scim:schemas:core:2.0:User

  • Mutual Fields: urn:ietf:params:scim:schemas:extension:ipscape:1.0:Base

  • User Only Fields: urn:ietf:params:scim:schemas:extension:ipscape:1.0:UserExtra

  • Agent Only Fields: urn:ietf:params:scim:schemas:extension:ipscape:1.0:Agent

Attribute Type

Select Personal for all.

  1. Once all the fields have been added to the SCIM App you can now select “Mappings” while still in the SCIM App.

image-20241210-232429.png
  1. In the Mapping screen you should see “<your SCIM App Name> to Okta User” and “Okta User to <your SCIM App Name>”.
    Under  “<your SCIM App Name> to Okta User” you should see all of the IPscape Fields created on the right-hand side.

image-20241210-232453.png

You will see all of the fields next to them on the left side saying “Choose an Attribute or enter in an Expression” - Enter the field to match like shown below and then press “Save Mappings

image-20241210-232622.png

Once complete, select “Okta User to <your SCIM App Name>” and run the same process then press “Save Mappings

Field Mapping by API

Please reach out to the IPscape Support team for further information on mapping via API

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.