Okta SCIM: Provision Opal Users

For most use cases, you probably don't need to use Okta SCIM provisioning.

Okta SCIM provisioning is useful if you cannot wait for the hourly sync or a manual sync to retrieve users.

This guide provides the steps required to configure User Provisioning from Okta to Opal.

The following provisioning features are supported:

  • Push new users. New users created through Okta will also be created in Opal.
  • Push profile updates. Updates made to the user's profile through Okta will be pushed to Opal.
  • Push user deactivation. Deactivating the user or disabling the user's access to the application through Okta deactivates the user in Opal. Note: For this app, deactivating a user means removing all of that user's data and removing the user's account.

Configuration steps in Opal

You must first connect Okta as an IDP to use Okta SCIM provisioning.

Next, generate an Opal API token with admin-level privileges.

As an admin, go to Configuration > Settings > API Access Tokens. Select the +API Access Tokens button. Generate a token with the Full-access role.

Save the generated token.

Configuration steps in Okta

  1. In Okta, go to Applications and select the Opal application. Under General, ensure Enable SCIM provisioning is selected.

  2. Go to the Provisioning tab, then Integration on the left sidebar.

  3. In the SCIM connector base URL field, enter the base URL of your Opal instance. For example, the Base URL field for the Opal Cloud instance is https://app.opal.dev/scim/v2. Be sure to append /scim/v2 to the base domain name.

  4. Enter a unique identifier field for users, e.g., userName.

  5. Under Supported provisioning actions, enable your preferred features.

  6. Choose HTTP Header in the Authentication Mode section. In the Token field, enter the API token generated in Opal in the previous section.

  7. Click Save.
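
The base URL and token entered above can be checked outside Okta before the integration is saved. The following Python script is an added example, not Opal's or Okta's own code; it assumes the token is presented as a Bearer credential and that the SCIM endpoint answers a standard GET /Users?count=1, and OPAL_SCIM_TOKEN is a hypothetical environment variable name.

```python
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def check_base_url(base_url):
    """Return the problems found in a SCIM connector base URL ([] means OK)."""
    parts = urlsplit(base_url)
    problems = []
    if parts.scheme != "https":
        problems.append("use https so the token never travels in clear text")
    if not parts.hostname:
        problems.append("host name is missing")
    if parts.username or parts.password:
        problems.append("do not embed credentials in the URL")
    if parts.path.rstrip("/") != "/scim/v2":
        problems.append("path must be /scim/v2 appended to the base domain")
    if parts.query or parts.fragment:
        problems.append("remove the query string or fragment")
    return problems


def build_probe(base_url, token):
    """Build, without sending, a read-only SCIM request that lists one user."""
    problems = check_base_url(base_url)
    if problems:
        raise ValueError("; ".join(problems))
    if not token or token != token.strip():
        raise ValueError("token is empty or has leading/trailing whitespace")
    url = base_url.rstrip("/") + "/Users?count=1"  # standard SCIM paging (RFC 7644)
    req = urllib.request.Request(url, method="GET")
    # Assumption: the token is presented as a Bearer credential.
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/scim+json")
    return req


if __name__ == "__main__":
    # OPAL_SCIM_TOKEN is a hypothetical variable name; reading the token from the
    # environment keeps it out of argv and process listings.
    probe = build_probe(sys.argv[1], os.environ.get("OPAL_SCIM_TOKEN", ""))
    try:
        with urllib.request.urlopen(probe, timeout=10) as resp:
            print(resp.status, "totalResults:", json.load(resp).get("totalResults"))
    except urllib.error.HTTPError as err:
        # Typically 401/403 means the token or its role was rejected, 404 a wrong path.
        sys.exit(f"SCIM probe failed: HTTP {err.code}")
```

Run it with the base URL as the only argument; the request is read-only and creates or changes no users.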

Troubleshooting

We do not support propagating changes to an Okta user's username/email to Opal.