Okta SCIM Integration

SCIM (System for Cross-domain Identity Management) is an open standard for automating the management of user and group membership.

This document walks you through setting up SCIM-based users and groups with Okta.

Find Okta's documentation for these steps at https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm

DeltaStream and Okta SCIM Concepts

DeltaStream's SCIM integration automates adding/removing users from your organization and leveraging Okta groups to grant access to DeltaStream roles.

There are two types of groups within Okta:

  1. Assignment groups manage access to Okta App Integrations. Users added to the assignment group are automatically added to DeltaStream but are not assigned any custom roles.

  2. Push Groups enable Okta to push existing Okta group memberships to DeltaStream. These groups are mapped to custom roles within DeltaStream.

You cannot use Push groups to control access to built-in roles. Instead, use a custom user attribute and a dedicated Assignment group to achieve orgadmin role membership.

Custom roles created using Push groups are not automatically granted any privileges. Privileges must be granted to the roles with MANAGE_GRANTS privilege (by default,,orgadmin or securityadmin).

Note You must add a user to an assignment group before adding them to a Push group.

SCIM Setup

Prerequisites

Enable SCIM Provisioning

This section describes how to enable SCIM provisioning on an app integration. Additional configuration will be added in subsequent sections.

  1. Click to activate the General tab, then click Edit for the App Settings.

  1. Select Enable SCIM provisioning and then click Save.

Set up the DeltaStream OrgAdmin Attribute

This section describes how to create a new custom attribute you use to specify who should have access to the OrgAdmin built-in role.

  1. In the lefthand navigation, go to Directory -> Profile Editor.

  2. Click DeltaStream Users.

  3. Click Add Attribute.

  1. Create a new boolean attribute with the following values:

Key
Value

Data type

boolean

Display name

DeltaStream OrgAdmin

Variable name

deltastreamOrgadmin

External name

deltastreamOrgadmin

External namespace

urn:ietf:params:scim:schemas:core:2.0:User

Set up the DeltaStream OrgAdmin User Assignment Group

This section describes how to create a new assignment group for OrgAdmins. Any users assigned to this group are granted the OrgAdmin role in DeltaStream.

  1. In the lefthand navigation go to Directory -> Groups and then click Add group.

  1. Name the group DeltaStream OrgAdmins and then click Save.

  1. Click the newly-created group to configure it.

  2. Click the Applications tab to activate it and then click Assign applications.

  1. Assign the DeltaStream application.

  1. Verify the DeltaStream OrgAdmin attribute is set to true. Then click Save and Go Back.

Set up the DeltaStream User Assignment Group

This section describes how to create a new assignment group for non-privileged users.

  1. In the lefthand navigation, go to Directory -> Groups and then click Add group.

  1. Name the group DeltaStream Users and click Save.

  1. Click the newly-created group to co nfigure it.

  2. Click the Applications tab to activate it, and then click Assign applications.

  1. Assign the DeltaStream application and then click Save.

SCIM user provisioning

Assign a user to the OrgAdmin assignment group

  1. In the lefthand navigation, go to Application -> Applications -> Deltastream.

    1. Click to activate the Assignments tab.

    2. Filter by Groups.

    3. Click the DeltaStream OrgAdmins group.

  1. Click Assign people and then select the individuals you wish to assign as OrgAdmins.

Note Ensure the person provided as the OrgAdmin for SAML application setup is also added to this group.

Assign a user to the Users assignment group

  1. From the lefthand navigation to Application -> Applications -> Deltastream.

    1. Click to activate the Assignments tab.

    2. Filter by Groups.

    3. Click the DeltaStream Users group.

  1. Click Assign people and select the individuals you wish to have access to DeltaStream.

Note Assigning users does not grant them any additional roles. Configure a Push group to assign roles.

Configure security integration

This section describes how to configure the SCIM integration URI and token so that Okta can push information to DeltaStream.

  1. Log into DeltaStream and create a new SCIM security integration using the CREATE SECURITY INTEGRATION command:

USE ROLE securityadmin;
CREATE SECURITY INTEGRATION "okta" WITH ( 'type' = SCIM, 'scim.client' = OKTA );

URI: https://api.deltastream.io/scim/v2
Token: eyJh...
  1. From the lefthand navigation go to the Applications menu and click the DeltaStream application:

  2. Click the Provisioning tab to activate it, then click edit:

  1. Copy the URI from the security integration setup in step 1 to the SCIM connector base URL.

  2. Enter email for Unique identifier field for users.

  3. Check the following checkboxes:

    1. Import New Users and Profile Updates

    2. Push New Users

    3. Push Profile Updates

    4. Push Groups.

    Finally, for Authentication Mode click HTTP Header. Then copy the token from the security integration setup in step (1) into the Authorization Bearer box. Click Save to complete the initial setup.

  1. Click the Provisioning tab to activate it, and in the Provisioning to App settings, click Edit.

  1. Check the corresponding checkboxes for Enable Create Users Update User Attributes and Deactivate Users.

  2. Click Save.

Configure Push groups

Before you begin, ensure that everyone who needs access to DeltaStream has been added either to the DeltaStream Users or the DeltaStream OrgAdmins assignment groups.

  1. From the lefthand navigation, go to Application -> Applications -> Deltastream.

  2. Click the Push Groups tab to activate it.

  3. Click + Push Groups to search for and select a group to push.

2. Click Find groups by name.

  1. Enter the name of the group you wish to push -- for example, development.

  2. Click Push group memberships immediately.

  3. Click Save.

This creates a role with the same name as the group in DeltaStream. Anyone who is part of the group is also assigned this role.

References

Last updated