Comment on page
Okta SCIM Integration
SCIM stands for System for Cross-domain Identity Management. It is an open standard for automating the management of user and group membership.
This document will walk through setting up SCIM based user and group setup with Okta.
Okta's documentation for these steps is available at https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm
DeltaStream's SCIM integration automates adding/removing Users from your Organization and granting access to DeltaStream Roles by leveraging Okta groups. There are two types of groups within Okta:
Assignment groups manage access to Okta App Integrations. Users added to the assignment group are automatically added to DeltaStream but are not assigned any custom roles.
Push Groups enables Okta to push existing Okta group memberships to DeltaStream. These groups are mapped to Custom Roles within DeltaStream.
Push groups cannot be used to control access to built-in roles. OrgAdmin role membership is achieved by using a custom user attribute and a dedicated Assignment group.
Custom roles created using Push groups are not automatically granted any privileges. Privileges must be granted to the Roles with MANAGE_GRANTS privilege (OrgAdmin or SecurityAdmin by default).
Note that a user must be added to an assignment group before adding them to a push group.
- 1.
This section enables SCIM provisioning on an App Integration. Additional configuration will be added in subsequent sections.
- 1.Select the "General" tab, click the "Edit" button for the "App Settings".
- 4.Select the checkbox for "Enable SCIM provisioning" and click "Save"
This section creates a new custom attribute which will be used to indicate users who should have access to the OrgAdmin built-in role.
- 1.Navigate to "Directory" -> "Profile Editor" on the menu on the left.
- 2.Click on "DeltaStream Users".
- 3.Click the "Add Attribute button"
- 3.Create a new boolean attribute with following values:
Key | Value |
|---|---|
Data type | boolean |
Display name | DeltaStream OrgAdmin |
Variable name | deltastreamOrgadmin |
External name | deltastreamOrgadmin |
External namespace | urn:ietf:params:scim:schemas:core:2.0:User |
This section creates a new assignment group for OrgAdmins. Any users assigned to this group will be granted OrgAdmin role on DeltaStream.
- 1.Navigate to "Directory" -> "Groups". Click the "Add group" button.
- 2.Name the group "DeltaStream OrgAdmins" and click the "Save" button.
- 3.Click on the newly created group to configure it. Navigate to the "Applications" tab, click the "Assign applications" button.
- 4.Assign the "DeltaStream" application.
- 5.Ensure that "DeltaStream OrgAdmin" attribute is set to "true" and Save the group.
This section creates a new assignment group for non-privileged users.
- 1.Navigate to "Directory" -> "Groups". Click the "Add group" button.
- 2.Name the group "DeltaStream Users" and click the "Save" button.
- 3.Click on the newly created group to configure it. Navigate to the "Applications" tab, click the "Assign applications" button.
- 4.Assign the "DeltaStream" application and Save the group.
- 1.Navigate to "Application" -> "Applications" -> "Deltastream". Select the "Assignments" tab. Filter by "Groups" Click on the "DeltaStream OrgAdmins" group.
- 2.Click "Assign people", and select the users you would like to assign as OrgAdmins. NOTE: Ensure that the User provided as the Org admin for SAML application setup is also added to this group:
- 1.Navigate to "Application" -> "Applications" -> "Deltastream". Select the "Assignments" tab. Filter by "Groups" Click on the "DeltaStream Users" group.
- 2.Click "Assign people", and select the users you would like to have access to DeltaStream. Assigning users does not grant them any additional roles. Configure a push group to assign roles.
This Section configures the SCIM integration URI and Token so that Okta can push information to DeltaStream.
- 1.
USE ROLE securityadmin;
CREATE SECURITY INTEGRATION "okta" WITH ( 'type' = SCIM, 'scim.client' = OKTA );
URI: https://api.deltastream.io/scim/v2
Token: eyJh...
- 2.Navigate to the applications menu and click the "DeltaStream" application.
- 3.On the "Provisioning" tab, Click the "edit" button.
- 4.Copy the URI from the security integration setup in step (1) to the SCIM connector base URL. Enter
emailfor Unique identifier field for users. Check the boxes for "Import New Users and Profile Updates", "Push New Users", "Push Profile Updates", and "Push Groups". Select the "HTTP Header" Authentication Mode and copy the token from the security integration setup in step (1) into the Authorization Bearer field. Click the "Save" button the complete the initial setup.
- 5.On the "Provisioning" tab, under the "Provisioning to App" settings, click the "edit" button.
- 6.Enable "Create Users", "Update User Attributes", and "Deactivate Users" and click "Save".
Before beginning, ensure that all users that need access to DeltaStream have been added to either the "DeltaStream Users" or "DeltaStream OrgAdmins" assignment groups.
- 1.Navigate to "Application" -> "Applications" -> "Deltastream". Select the "Push Groups" tab. Click on the "+ Push Groups" button to search for and select a group to push.
2. Select "Find groups by name"
- 3.Type in the name of the group (e.g. development) to push. Select "Push group memberships immediately". Click the "Save" button.
This will create a Role with the same name as the group in DeltaStream. Any users that are part of the group will also be assign the Role.
Last modified 1mo ago