# Okta SCIM Integration

SCIM (System for Cross-domain Identity Management) is an open standard for automating the management of user and group membership.

This document walks you through setting up SCIM-based users and groups with Okta.

Find Okta's documentation for these steps at <https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm>

## DeltaStream and Okta SCIM Concepts

DeltaStream's SCIM integration automates adding and removing [users](https://docs.deltastream.io/overview/core-concepts/access-control#_user) from your [organization](https://docs.deltastream.io/overview/core-concepts/access-control#_organiation), and uses Okta groups to grant access to DeltaStream [roles](https://docs.deltastream.io/overview/core-concepts/access-control#_role).

There are two types of groups within Okta:

1. **Assignment groups** manage [access to Okta App Integrations](https://help.okta.com/en-us/content/topics/apps/apps-assign-applications.htm). Users added to the assignment group are automatically added to DeltaStream but are not assigned any custom roles.
2. **Push Groups** enable Okta to [push existing Okta group memberships](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-about-group-push.htm) to DeltaStream. These groups are mapped to [custom roles](https://docs.deltastream.io/overview/core-concepts/access-control#custom-roles) within DeltaStream.

You cannot use Push groups to control access to built-in roles. Instead, use a custom user attribute and a dedicated Assignment group to achieve `orgadmin` role membership.

Custom roles created using Push groups are not automatically granted any privileges. You must grant privileges to these roles using a role that holds the `MANAGE_GRANTS` privilege (by default, `orgadmin` or `securityadmin`).

{% hint style="info" %}
**Note** You must add a user to an Assignment group before adding them to a Push group.
{% endhint %}

## SCIM Setup

### Prerequisites

* Set up Okta [SAML app integration](https://docs.deltastream.io/enterprise-security-integrations/okta-saml-integration).

### Enable SCIM Provisioning

This section describes how to enable SCIM provisioning on an app integration. Additional configuration is added in subsequent sections.

1. Click to activate the **General** tab, and in the **App Settings** box click **Edit**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-37acac394894d5566e2bca911e28a2326c84eb67%2F6.%20edit%20saml%20settings.png?alt=media" alt="" width="371"><figcaption></figcaption></figure>

2. Check **Enable SCIM provisioning** and then click **Save**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-b09255b887b7679be058353d4901278540e11c6a%2FScreenshot%202023-10-03%20at%208.19.38%20PM.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

### Set up the DeltaStream OrgAdmin Attribute

This section describes how to create a custom attribute that specifies who should have access to the OrgAdmin built-in role.

1. In the lefthand navigation, go to **Directory** > **Profile Editor**.
2. Click **DeltaStream Users**.<br>

   <figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-129840ec49fa48bff854e82926b0f56a7d3849dc%2Fassignment%20group%20-%20profile%20editor%201.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. Click **Add Attribute**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-7706d5e40c5c3abf4a2b9f37aa7ab45cb6d5b4c5%2Fassignment%20group%20-%20profile%20editor%202.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

4. Create a new boolean attribute with the following values:

<table><thead><tr><th width="215">Key</th><th>Value</th></tr></thead><tbody><tr><td>Data type</td><td><code>boolean</code></td></tr><tr><td>Display name</td><td><code>DeltaStream OrgAdmin</code></td></tr><tr><td>Variable name</td><td><code>deltastreamOrgadmin</code></td></tr><tr><td>External name</td><td><code>deltastreamOrgadmin</code></td></tr><tr><td>External namespace</td><td><code>urn:ietf:params:scim:schemas:core:2.0:User</code></td></tr></tbody></table>

Verify that the **Attribute Type** is set to **Group**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgdsjd2O4BcNHStAO06qL%2FScreenshot%202025-05-28%20at%202.31.25%E2%80%AFPM.png?alt=media&#x26;token=253b1c26-7a9b-4e76-ba3b-fdc44b8f352c" alt="" width="375"><figcaption></figcaption></figure>

### Set up the DeltaStream OrgAdmin User Assignment Group

This section describes how to create a new assignment group for OrgAdmins. Any users assigned to this group are granted the OrgAdmin role in DeltaStream.

1. In the lefthand navigation, go to **Directory** > **Groups** and then click **Add group**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-f60b881376fa03a7545dd7418f7bf6e44c1e2fde%2Fassignment%20group%20-%20orgadmin%20group%201.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

2. Name the group **DeltaStream OrgAdmins** and then click **Save**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-6210bc48f0df143f365f3e09f12428c2de91718e%2Fassignment%20group%20-%20orgadmin%20group%202.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

3. Click the newly-created group to configure it.
4. Click the **Applications** tab to activate it and then click **Assign applications**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-090b423e6a56997dc678537e6c0fc963be431b85%2Fassignment%20group%20-%20orgadmin%20group%203.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

5. Assign the DeltaStream application.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-fcefc449f176971e870ce283b058d4a24cd2474c%2Fassignment%20group%20-%20orgadmin%20group%204.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

6. Verify the **DeltaStream OrgAdmin** attribute is set to **true**. Then click **Save and Go Back**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-54687c9383798173cd88bd983c1ec17b043e2dcc%2Fassignment%20group%20-%20orgadmin%20group%205.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

### Set up the DeltaStream User Assignment Group

This section describes how to create a new assignment group for non-privileged users.

1. In the lefthand navigation, go to **Directory** > **Groups** and then click **Add group**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-f60b881376fa03a7545dd7418f7bf6e44c1e2fde%2Fassignment%20group%20-%20orgadmin%20group%201.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

2. Name the group **DeltaStream Users** and click **Save**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-46e088cde774a82beb7c68026ce81b9ae71ec559%2Fassignment%20group%20-%20user%20group%201.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

3. Click the newly-created group to configure it.
4. Click the **Applications** tab to activate it, and then click **Assign applications**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-7aafe73cb4af9eb936fe2c78d8727b6272ffc3f6%2Fassignment%20group%20-%20user%20group%202.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

5. Assign the DeltaStream application and then click **Save**.

## SCIM user provisioning

### Assign someone to the OrgAdmin assignment group

1. In the lefthand navigation, go to **Application** > **Applications** > **DeltaStream**.
   1. Click to activate the **Assignments** tab.
   2. Filter by **Groups**.
   3. Click the **DeltaStream OrgAdmins** group.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-08f00806bd5c8ddbab281db0f69b71273c781229%2Fapp%20groups.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

2. Click **Assign people** and then select the individuals you wish to assign as OrgAdmins.

{% hint style="info" %}
**Note** Ensure the person provided as the OrgAdmin for SAML application setup is also added to this group.
{% endhint %}

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-663720c239c48c0cbfc331a00391017526aba5d5%2Fapp%20groups%20-%20admin%20-%20assign.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

### Assign a user to the Users assignment group

1. In the lefthand navigation, go to **Application** > **Applications** > **DeltaStream**.
   1. Click to activate the **Assignments** tab.
   2. Filter by **Groups**.
   3. Click the **DeltaStream Users** group.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-08f00806bd5c8ddbab281db0f69b71273c781229%2Fapp%20groups.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

2. Click **Assign people** and select the individuals you wish to have access to DeltaStream.

{% hint style="info" %}
**Note** Assigning users does not grant them any additional roles. Configure a Push group to assign roles.
{% endhint %}

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-71b38334495b7d628a0ed49ba3065879aea2bf64%2Fapp%20groups%20-%20user%20%20-%20assign.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

## Configure security integration

This section describes how to configure the SCIM integration URI and token so that Okta can push information to DeltaStream.

1. In DeltaStream, in the top toolbar, change the role to `orgadmin`.
2. In the lefthand navigation click Integration ( ![](https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2FPPFsFUyg2Es3Fz7yXnVO%2FIntegrationIcon.png?alt=media\&token=1ebcc500-e279-49a9-9b3b-7c24fd7df1e4) ). Then click **Security Integration**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2FOalnCN4DKNBweyFByzox%2FScreenshot%202025-05-28%20at%204.23.34%E2%80%AFPM.png?alt=media&#x26;token=433caedc-380e-4efa-bcca-0eaee7d4f289" alt="" width="375"><figcaption></figcaption></figure>

3. Save the URI and token for later use. This security integration expires after 1 year.
4. In your Okta dashboard, in the lefthand navigation click **Applications** and then click the **DeltaStream** application:

   <figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-feb075add902ebf229460512b71f4e1eaea5eebb%2F5.%20select%20deltastream%20app%20integration.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
5. Click the **Provisioning** tab to activate it, then click **Edit**:

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-f8c8f49a43e78af2a2a8af952c6c39fdb06efc7b%2Fscim%20provisioning%20summary.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

6. Copy the URI you saved from the DeltaStream security integration into the **SCIM connector base URL** field.
7. For **Unique identifier field for users**, enter `email`.
8. Check the following:
   1. **Import New Users and Profile Updates**
   2. **Push New Users**
   3. **Push Profile Updates**
   4. **Push Groups**
9. For **Authentication Mode**, click **HTTP Header**. Then copy the token you saved from the DeltaStream security integration and paste it into the **Authorization Bearer** box. Then click **Save**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-54fe3bbe151f7d7561455489eef840a303e5f76b%2Fscim%20provisioning%20setup%201.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

10. Click the **Provisioning** tab to activate it, and in the **Provisioning to App** settings, click **Edit**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-c7f782d84d2df43acdf3e3071699d0bae13742e0%2Fscim%20provisioning%20setup%202a.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

11. Check the following:
    1. **Create Users**
    2. **Update User Attributes**
    3. **Deactivate Users**
12. Click **Save**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-9c2efa810556a2135143c00210f807a44d62b0bc%2Fscim%20provisioning%20setup%202b.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

## Configure Push groups

Before you begin, ensure that everyone who needs access to DeltaStream has been added to either the **DeltaStream Users** or the **DeltaStream OrgAdmins** assignment group.

1. From the lefthand navigation, go to **Application** > **Applications** > **DeltaStream**.
2. Click the **Push Groups** tab to activate it.
3. Click **+ Push Groups** to search for and select a group to push.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-5d7ca44a5f3cc8928b5447209f9a609ccb647a0c%2Fpush%20groups.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

4. Click **Find groups by name**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-e107834b8936a64cf6c8d9e8f5d33d4ed8ade71e%2Fpush%20groups%20-%20find.png?alt=media" alt=""><figcaption></figcaption></figure>

5. Enter the name of the group you wish to push, for example **development**.
6. Click **Push group memberships immediately**.
7. Click **Save**.

<figure><img src="https://1288764042-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fdbd9e6ZJodkgF1H6AVay%2Fuploads%2Fgit-blob-1244e9817acee20d2054e32dd23fe2ef388ba62d%2Fpush%20groups%20-%20select.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

This creates a role with the same name as the group in DeltaStream. Anyone who is part of the group is also assigned this role.
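The following is an added example, not part of DeltaStream's or Okta's documentation: a pre-flight review of Okta group memberships against the rules on this page (Push group members must already be in an Assignment group, and Push groups cannot map to built-in roles). The membership data is constructed; the SCIM field layout, `userName` carrying the e-mail address, and case-insensitive matching of role names are assumptions.

```python
# External namespace from the attribute table on this page.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Built-in role named on this page; extend with your organization's other built-in roles.
BUILT_IN = {"orgadmin"}

# Constructed sample memberships (Okta group name -> member e-mails); not real data.
ASSIGNMENT = {
    "DeltaStream OrgAdmins": {"ana@example.com"},
    "DeltaStream Users": {"bo@example.com", "cy@example.com"},
}
PUSH = {
    "development": {"bo@example.com", "dee@example.com"},
    "orgadmin": {"cy@example.com"},
}

def plan(assignment, push, built_in=BUILT_IN):
    """Return (users, findings): per-user expected SCIM fields and pushed roles,
    plus findings to resolve before enabling Group Push."""
    admins = assignment.get("DeltaStream OrgAdmins", set())
    assigned = set().union(*assignment.values())
    users = {
        email: {
            # Assumed shape: only the SCIM User fields relevant to this page.
            "scim": {"schemas": [CORE_USER], "userName": email, "active": True,
                     "deltastreamOrgadmin": email in admins},
            "roles": set(),
        }
        for email in sorted(assigned)
    }
    findings = []
    for group, members in sorted(push.items()):
        # Push groups cannot control built-in roles (name match is an assumption).
        if group.lower() in built_in:
            findings.append(("built-in-role-name", group))
            continue
        for email in sorted(members):
            if email in users:
                users[email]["roles"].add(group)  # role takes the group's name
            else:
                # User must be in an Assignment group before a Push group.
                findings.append(("not-in-assignment-group", f"{email} in {group}"))
    return users, findings

if __name__ == "__main__":
    users, findings = plan(ASSIGNMENT, PUSH)
    for email, u in users.items():
        print(email, "orgadmin" if u["scim"]["deltastreamOrgadmin"] else "-", sorted(u["roles"]))
    for kind, detail in findings:
        print("FINDING", kind, detail)
```

Roles listed for a user here still carry no privileges until a role with `MANAGE_GRANTS` grants them.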

## References

* <https://help.okta.com/en-us/content/topics/provisioning/lcm/con-okta-prov.htm>
* <https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm>
* <https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm>

