Okta users and groups provisioning integration with SCIM
If your organization uses Okta SCIM to manage your employees’ access to apps, tools and services, you can take advantage of Okta’s “Provisioning” feature to automatically sync users and groups to Apono, allowing you to create just-in-time group membership based on Access Flows and user requests.
The integration between Okta and Apono that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Okta works with SCIM, please see this article.
The remainder of this guide is focused on enabling you to configure both Apono and Okta to get provisioning up and running for your organization.
The following provisioning features are supported by Apono:
Push Users. Users in Okta that are assigned to the Apono SCIM application in Okta are automatically added as members to your Apono's integrated account.
Push User Attributes. User profile information in Okta synchronization between Okta and Apono's integrated account identities.
Push Deactivate User. Deactivating or removing user in Okta terminates the user in Apono.
Push Groups. Groups and their members in Okta can be pushed to Apono.
Okta organization with admin access (see Okta Organization Administrators ).
Go to Integrations, under Environment from the left navigator.
Under Integrations, click the Catalog tab and select Okta Directory (SCIM) under IdP category.
In Okta Directory (SCIM) integration page enter the following:
Integration Name. Unique, alphanumeric, user-friendly name.
Domain. Your OKTA organization domain name. Can be found in Okta admin portal, below your username in the upper right corner, as follow:
Groups to Sync (optional). List of group names to sync in the following structure: group1,group2.group3
.
Click Connect to initiate the integration.
The connector is initializing, and it will still that way until the intergration is complete and the two applications talk with each other.
In the meantime, click the vertical three dots to the right and click Edit.
Copy the browser's URL. It looks like this:
https://app.apono.io/catalog/edit-integration/XXXXX-XXXXX-XXXXX-XXXXX
The URL suffix is the Integration ID. Save this for Okta provisioning described below.
Log in to your Okta admin portal and complete the following steps:
Under the Applications tab, select Browse App Catalog and search and add Apono SCIM app.
Under the Applications tab, navigate to the Apono application.
Click on the “Provisioning” tab in the application. Under the “Integration” panel, click the "Configure API Integration".
Check the "Enable API integration" checkbox.
For the Connection ID, enter the Integration ID part of the URL saved from the Apono integration above.
Click on "Authenticate with Apono" and Save.
Go to “To App” panel. click on edit "Provisioning to App" and check the "Enable" checkbox next to:
Create Users
Update User Attributes
Deactivate Users
Click Save.
Okta integration is only possible with an organization account, not a personal Gmail account.