Skip to content

Okta

Okta Identity Provider Integration

For Okta SCIM client operations supported by PrivaceraCloud, see Supported Okta SCIM Client Operations.

Prerequisites

  1. Obtain user provisioning functionality for your Okta account. For details, see Okta Lifecycle Management.

  2. Resolve group name conflicts before syncing to your PrivaceraCloud account. Rename groups that have the same name in your identity provider and in your PrivaceraCloud account.

Recommendation: Before integrating your production users and groups, create a test account and group in Okta, such as privacera-test-users, and use those test values to confirm integration. When you are satisfied with the results, repeat the process using live production users and groups.

Integration Steps

Step 1. Enable SCIM API Integration in Okta

  1. Log in to Okta and add the PrivaceraCloud application.

  2. From the application, click the Provisioning tab.

  3. Click Configure API integration.

  4. Select Enable API integration.

  5. Enter the Endpoint URL

    • PrivaceraCloud - URL that was generated for you, and the Username/Password or Bearer Token you provided in your PrivaceraCloud account in Configure SCIM Server in PrivaceraCloud.
    • Self Managed - https://{SCIM_SERVER_HOST}}/api/pus/public/scim/v2/{connectorName} .

  6. Click Test API Credentials. If the test passes, click Save.

  7. Under Settings , click To App.

  8. Click Edit and select Enable for required options.
    Use this step to map user attributes or leave them with default settings.

  9. Click Save to apply the integration settings.

Step 2: Activate application features

  1. From the application, click the Provisioning tab.

  2. Click Edit.

  3. Click the Enable checkbox for Create Users and Update User Attributes.

  4. Click Save

Step 3. Verify Email Addresses

User provisioning in Okta relies on an email address to identify a user in PrivaceraCloud and consequently create or update a Privacera Cloud account. If the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in Okta, the user might end up with duplicate PrivaceraCloud accounts.

To avoid duplicate accounts, verify the email address attribute that maps to a user account is correct and used for both SAML SSO and SCIM user provisioning:

  1. From the User provisioning tab in Okta, note the field that maps to the Primary email attribute. The default is email ,.

  2. Click the Sign on tab. From the Credentials details section, look for the Application username format setting. Okta passes this field from a user's account as the SSO email address when creating or linking an account.
    If Application username format specifies an old value (for example, the old email address is user1OLD@example.com for the specified attribute) but you have another attribute that stores the same user's email address user1NEW@example.com, the user might end up with duplicate accounts. Troubleshoot as follows: - Before you complete this step , ask the user to log in with their PrivaceraCloud account at least once. - If the user still ends up with duplicate accounts, contact PrivaceraCloud support with the user's email addresses.

  3. Make sure the Application username format is set to the same attribute specified as Primary email in the previous step.

  4. Make sure that Update application username is set to Create and update. Click Save to apply your changes.

  5. Click Update Now to push the change faster than the Okta automatic update.

Step 4. Push Groups

Privacera recommends using the group synchronization feature to automatically manage user privileges and licenses from your directory, instead of manually managing these from the organization.

This section describes how to configure group-based management.

Pushing a group to your PrivaceraCloud account pushes only the detail about a group, not details about users who are part of a group.

  1. In Okta, click the Push Groups tab and then By name.
    Select the group name, and click Save.

  2. Review to make sure all required groups have been pushed.

Step 5. Assign Users to the PrivaceraCloud Application in Okta

  1. In Okta, click the Assignments tab of the PrivaceraCloud application.

  2. Click Assign , then Groups. Select the group to assign.

  3. In the displayed dialog, these default values are used only if the user profile does not have them. All fields are optional.
    When you are done with this step, click Save and Go Back.

  4. In PrivaceraCloud, to verify that users and groups are synced, navigate to Access Manager > Users Groups and Roles.

Step 6. Write a Policy for Provisioned Users or Groups

Create a data access policy for the provisioned users or groups through PrivaceraCloud to finalize the integration verification.

  1. From your PrivaceraCloud Account, navigate to Access Management > Resource Policies.

  2. Select an application to write a policy over, such as Privacera Hive.

  3. Click Add Policy and enter the details as shown below.

  4. Verify the policy is in effect in your downstream application.

Supported Okta SCIM Client Operations

User Operations

The Privacera SCIM Server supports the following operations:

Operation Notes
Create new user A data access user is created in PrivaceraCloud Access Management - > Users. This account cannot be edited directly in PrivaceraCloud.
Link an existing user If a user already exists in your PrivaceraCloud Account, it is automatically linked to the user in Okta. This account can no longer be edited directly in PrivaceraCloud.
Update user details In PrivaceraCloud, you can update the display name and email address user attributes from your identity provider. By default, a user's first and last names are combined to create the Display name. If Any display name entered in PrivaceraCloud overwrites the first and last name combination.
Deactivate user Deactivate is also sometimes called "soft delete". Deactivation has the following effects:
  • The user is marked as hidden.
  • The user is removed from all groups.
Important : the Privacera administrator must manually remove the deactivated user from all user-based policies. If your policies are based on groups (not specific users), no changes to policies are needed, because the user has been removed from the groups. You need to manually change a policy only if the user is explicitly named in it.
Delete user Delete the user manually in PrivaceraCloud.

Group Operations

Groups created manually and by default (for example, public) in your PrivaceraCloud account cannot be managed via SCIM.

You can only manage groups synced from Okta via SCIM.

Operation Notes Troubleshooting
Create group The group is created as an read-only external group in PrivaceraCloud.
Update group membership PrivaceraCloud external data access users in your PrivaceraCloud account are modified to support the group membership changes reflected in this SCIM operation. If a synced group is empty, when pushing a group, make sure that the synchronized group does not have the same name as a default or manually created group in PrivaceraCloud.
Push group An error will result if the group name already exists in your PrivaceraCloud account. For example, the group named "public" might conflict. In your identity provider, rename the conflicting group with a name different from the PrivaceraCloud built-in group name and attempt to re-sync.
Delete group Manually delete the user account in PrivaceraCloud. Not implemented via SCIM

Okta SCIM Server - Configure custom user attributes

These steps will configure the Usersync connector to accept additional user attribute(s).

  1. In the PrivaceraCloud portal, navigate to Settings -> Datasources -> Usersync connector.
  2. In the “Custom User Attributes” section, add the custom attribute(s).
  3. Save the configuration

Okta Configuration

In Okta you will need to add application profile attributes and mappings.

  1. Login to Okta. Navigate to Applications.

  2. Select your PrivaceraCloud application.

  3. Then select "Provisioning (To App)".

  4. In the "Local Attribute Mappings" section, click "Go to Profile Editor".

  5. Click Add Attribute.
    Table 71. Attribute examples:

    Data type string
    Display name Title
    Variable name title
    External name title
    External namespace urn:ietf:params:scim:schemas:core:2.0:User
    Description User Title
    Enum
    Attribute length
    Attribute required
    Scope User Personal

  6. Click Mappings.

  7. Select "Okta User to PrivaceraCloud".
    For example:

    user.title title

For additional information, see the Okta documentation.

Comments