Instructions for setting up Okta SCIM can be found here. Note: you CAN set up both Okta SCIM and Okta Users API in order to get the dual benefits of each approach.
Configuration Steps
1. Navigate to your Okta Admin console and open the ‘Applications’ section from the left hand menu and click ‘Applications’
2. Click the ‘Create App Integration’ button
3. Select API Services as it’ll be our service interacting directly with Okta and not a specific user.
4. Name the Integration anything
5. Click the ‘Edit’ option in the Client Credentials section and set the Client authentication method to Public key / Private key
6. Navigate to the Employees page in your Adaptive admin site and select 'Sources'.
7a. If you want to use Okta API as your user provisioning source of truth (i.e. make it responsible for onboarding and offboarding employees in Adaptive), click the 'Set Up' button and select Okta API from the dropdown. If you are using Okta SCIM or another source for provisioning / deprovisioning, go to step 7b.
7b. If you want to use Okta API simply to enrich your employee records with data from Okta, click 'Set Up' from the 'Enrichment Data Sources' section
8. Click 'Connect'
Okta Key Generation
1. Back in Okta, click the Add key button that shows in the PUBLIC KEYS section
2. Select Generate new key to have Okta handle the generation
3. Select PEM to put the key in the right format. PLEASE COPY THE FOLLOWING INFORMATION BEFORE DOING STEP 10
   - The kid, the unique identifier for the key, will be copied and pasted into the Adaptive ‘Key ID’ field, excluding the " at the beginning and the " at the end of the kid
   - Select PEM from the Private Key section
   - The Private Key itself will be copied and pasted into the Adaptive ‘Key’ field. Include the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- portions
4. Click Done to save and activate the key
5. Under General Settings, uncheck the Require Demonstrating Proof of Possession (DPoP) header in token requests box and press save.
Okta Scopes
1. Click on the Okta API Scopes tab to grant the needed scopes to our app.
2. Select ‘Grant’ next to the following scopes: okta.users.read, okta.groups.read, okta.apps.read
3. Click Grant and Grant Access in the modal that pops up
4. Click on the Admin roles tab to grant administrator access to our requests by clicking on the ‘Edit Assignments’ button
5. Set the role to Read-only Administrator, which only has permissions to read user/group data and other config.
6. Press the ‘Save Changes’ button in the top right hand corner of the screen.
Finish setup in Adaptive
1. In the Adaptive Admin UI, finish copying + pasting the information into the “Set up” modal for the Okta Directory integration that you accessed from the Employee > Sources section.
Reminder: You should select Okta API from the appropriate section on the employee sources page -- either Primary Identity Source or Enrichment Source
2. Input the key and integration information saved from earlier:
Okta Domain - Found in the top-right profile dropdown. Add https:// in front of the domain before pasting in Adaptive
Client Id - Found under Client Credentials in the Application settings
Key Id - The kid value of the private key configured in the Application settings
Key - The private key configured in the Application settings (copied from Okta Key Generation section above)
3. Click save and sync should begin with your employee data from Okta!
FAQ
Q: Why would you use Okta API in addition to / in place of Okta SCIM?
A: The SCIM protocol has a more limited dataset than what we can access from the Okta APIs. Using the Okta API integration will give you access to data not available via the SCIM route (such as which applications an employee has been assigned in Okta). Additionally, it's possible to use both Okta SCIM as your Primary Identity Source and Okta API as an enrichment data source.