SCIM provisioning is an additional step on top of SSO authentication. It is optional but recommended to keep users and groups continuously synchronized. This integration requires two applications registered in Okta: the existing OIDC integration and a new SCIM integration. The same users and groups must be assigned to both. Chamelio will provide you with a SCIM Endpoint URL and a Bearer Token.
Prerequisites
Before setting up SCIM, confirm the following:- Confirm that a Chamelio application for user authentication has already been created in your Okta tenant.
- Your Chamelio OIDC application has Federation Broker Mode disabled.
Create a Provisioning Application
In the Okta Admin Console, navigate to Applications > Applications, then select Create App Integration.
- Select SWA – Secure Web Authentication, then choose Next.
- On the General App Settings page:
- Set the App name to
Chamelio SCIM - Set the App’s login page URL to
https://chamelio.ai/(this URL is not used by the SCIM integration) - Select Do not display application icon to users
- Set the App name to
- Select Finish.
- Navigate to the General tab and under App Settings, choose Edit.
- In the Provisioning section, select SCIM.
- Choose Save.
Configure SCIM Connection
Navigate to the Provisioning tab, then the Integration sub-tab, and select Edit.Fill in the following:
- SCIM connector base URL — enter the SCIM Endpoint URL Chamelio provided
- Unique identifier field for users — enter
userName - Supported provisioning actions — select Push New Users, Push Profile Updates and Push Groups
- Authentication Mode — select HTTP Header
- Authorization — paste the Bearer Token Chamelio provided
Configure Provisioning to App
Navigate to Provisioning > Settings > To App and choose Edit.Enable the following options:
- Create Users
- Update User Attributes
- Deactivate Users
- Primary email type (
emailType) - Primary phone type (
primaryPhoneType) - Address type (
addressType)