Okta SCIM: Provision Opal Users

📘
For most use cases, you probably don't need to use Okta SCIM provisioning.
Okta SCIM provisioning is useful if you cannot wait for the hourly or a manual sync to retrieve users, or if you don't want to use Opal's Okta integration as an IDP nor for entitlements or group management.

This guide provides the steps required to configure User Provisioning from Okta to Opal.

The following provisioning features are supported:

Push new users. New users created through Okta will also be created in Opal.
Push profile updates. Updates made to the user's profile through Okta will be pushed to Opal.
Push user deactivation. Deactivating the user or disabling the user's access to the application through Okta deactivates the user in Opal. Note: For this app, deactivating a user means removing all of that user's data and removing the user's account.

Configuration steps in Opal

To configure Opal to interact with Okta, you need to generate an Opal API token with admin level privileges.

As an admin, go to Configuration > Settings > API Access Tokens. Select the +API Access Tokens button. Generate a token with the Full-access role:

Save the generated token.

Configuration steps in Okta

In Okta, go to Applications and select the Opal application. Under General, ensure Enable SCIM provisioning is selected.

Go to the Provisioning tab, then Integration on the left sidebar.
In the SCIM connector base URL field, enter the base URL of your Opal instance. For example, the Base URL field for the https://app.opal.dev Opal instance is https://app.opal.dev/scim/v2. Be sure to append /scim/v2 to the base domain name.
Under Supported provisioning actions, enable your preferred features.
Choose HTTP Header in the Authentication Mode section. In the Token field, enter the API token generated from Opal from the previous step.
Click Save.

Troubleshooting

We do not support propagation of updates of the username/email of an Okta user to Opal.