Okta SCIM Integration

SCIM (System for Cross-domain Identity Management) is an open standard for automating the management of user and group membership.

This document walks you through setting up SCIM-based user sand groups with Okta.

Find Okta's documentation for these steps at https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm

DeltaStream and Okta SCIM Concepts

DeltaStream's SCIM integration automates adding/removing users from your organization and leveraging Okta groups to grant access to DeltaStream roles.

There are two types of groups within Okta:

1. Assignment groups manage access to Okta App Integrations. Users added to the assignment group are automatically added to DeltaStream but are not assigned any custom roles.

2. Push Groups enable Okta to push existing Okta group memberships to DeltaStream. These groups are mapped to custom roles within DeltaStream.

You cannot use Push groups to control access to built-in roles. Instead, use a custom user attribute and a dedicated Assignment group to achieve orgadmin role membership.

Custom roles created using Push groups are not automatically granted any privileges. Privileges must be granted to the Roles with MANAGE_GRANTS privilege (orgadmin or securityadmin by default).

SCIM Setup

Prerequisites

1. Set up Okta SAML app integration.

Enable SCIM Provisioning

This section describes how to enable SCIM provisioning on an App Integration. Additional configuration will be added in subsequent sections.

1. Click to activate the General tab, then click Edit for the App Settings.

1. Select Enable SCIM provisioning and then click Save.

Set up the DeltaStream OrgAdmin Attribute

This section describes how to create a new custom attribute you use to specify who should have access to the OrgAdmin built-in role.

1. In the lefthand navigation, go to Directory -> Profile Editor.

2. Click DeltaStream Users.
3. Click Add Attribute.

1. Create a new boolean attribute with the following values:

Set up the DeltaStream OrgAdmin User Assignment Group

This section describes how to create a new assignment group for OrgAdmins. Any users assigned to this group are granted the OrgAdmin role in DeltaStream.

1. In the lefthand navigation go to Directory -> Groups and then click Add group.

1. Name the group "DeltaStream OrgAdmins" and then click Save.

1. Click the newly-created group to configure it. Click to activate the Applications tab and then click Assign applications.

1. Assign the DeltaStream application.

1. Ensure the DeltaStream OrgAdmin attribute is set to true. Then click Save and Go Back.

Set up the DeltaStream User Assignment Group

This section describes how to create a new assignment group for non-privileged users.

1. In the lefthand navigation, go to Directory -> Groups and then click Add group.

1. Name the group DeltaStream Users and click Save.

1. Click the newly-created group to configure it. Click to activate the Applications tab, and then click Assign applications.

1. Assign the DeltaStream application and then click Save.

SCIM user provisioning

Assign a user to the Org admin assignment group

1. In the lefthand navigation, go to Application -> Applications -> Deltastream.

   1. Click to activate the Assignments tab.

   2. Filter by Groups.

   3. Click the DeltaStream OrgAdmins group.

1. Click Assign people and then select the users you wish to assign as OrgAdmins.

Assign a user to the Users assignment group

1. From the lefthand navigation to Application -> Applications -> Deltastream.

   1. Click to activate the Assignments tab.

   2. Filter by Groups.

   3. Click the DeltaStream Users group.

1. Click Assign people and select the users you wish to have access to DeltaStream.

Configure security integration

This section describes how to configure the SCIM integration URI and token so that Okta can push information to DeltaStream.

1. Log into your DeltaStream and create a new SCIM security integration using CREATE SECURITY INTEGRATION command:

USE ROLE securityadmin;
CREATE SECURITY INTEGRATION "okta" WITH ( 'type' = SCIM, 'scim.client' = OKTA );

URI: https://api.deltastream.io/scim/v2
Token: eyJh...

1. From the lefthand navigation to the applications menu and click the DeltaStream application:
2. Click to activate the Provisioning tab, then click edit:

1. Copy the URI from the security integration setup in step 1 to the SCIM connector base URL.

2. Enter email for Unique identifier field for users.

3. Click the following checkboxes:

   1. Import New Users and Profile Updates

   2. Push New Users

   3. Push Profile Updates

   4. Push Groups.

   Finally, for Authentication Mode click HTTP Header and copy the token from the security integration setup in step (1) into the Authorization Bearer box. Click Save to complete the initial setup.

1. Click to activate the Provisioning tab, and in the Provisioning to App settings, click Edit.

1. Click to corresponding checkboxes for Enable Create Users Update User Attributes, and Deactivate Users.

2. Click Save.

Configure push groups

Before you begin, ensure that everyone who needs access to DeltaStream has been added either to the DeltaStream Users or the DeltaStream OrgAdmins assignment groups.

1. From the lefthand navigation, go to Application -> Applications -> Deltastream.

2. Click to activate the Push Groups tab.

3. Click + Push Groups to search for and select a group to push.

2. Click Find groups by name.

1. Enter the name of the group you wish to push -- for example, development

2. Click Push group memberships immediately.

3. Click Save.

This creates a role with the same name as the group in DeltaStream. Anyone who is part of the group is also assigned this role.

References

• https://help.okta.com/en-us/content/topics/provisioning/lcm/con-okta-prov.htm

• https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm

• https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm