This guide provides the steps required to configure User Provisioning from Okta to Opal.

Features

The following provisioning features are supported:

Push New Users

New users created through Okta will also be created in Opal.

Push Profile Updates

Updates made to the user's profile through Okta will be pushed to Opal.

Push User Deactivation

Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in Opal. Note: For this application, deactivating a user means removing all of that user's data and removing the user's account.

Opal Configuration Steps

On Opal’s side, in order to configure Opal to interact with Okta, you will need to generate an Opal API token with admin level privileges.

With the admin privilege, navigate to the Settings panel in Opal by clicking on Configuration heading in the left sidebar. Then scroll find the API Access Tokens section and click the pencil to the right of the Edit button, clicking Create. Generate a Full-access token, which looks like the following:

Record the generated token.

Okta Configuration Steps

In Opal's Okta application, navigate to the Provisioning tab and then to Integration on the left sidebar. Click Enable API integration.
In the API Token field in the Okta application, as shown above, input the token generated from Opal from the previous step.
In the Base URL field of the Okta application, as shown above, add the Base URL of your Opal instance . For example, the Base URL field for the https://app.opal.dev Opal instance is https://app.opal.dev/scim/v2. Note that /scim/v2 is appended to the end of the base domain name.
Click Save.
After the integration is successfully enabled, navigate to To App on the left sidebar. Enable the features you want, as below:

Troubleshooting

We do not support propagation of updates of the username/email of an Okta user to Opal.