Okta SCIM
In this guide, we'll look at how to configure Okta SCIM in Cortex through Cortex's app in the Okta Integration Network.
When Okta SCIM is configured, you can create, import, edit, and deactivate users.
warning
There are a few limitations when using Okta SCIM:
- A user's email cannot be changed.
- Only given and family names can be updated.
- Users can only be reactivated via a PUT operation.
If you're looking to configure Okta SSO, see the Okta SSO documentation.
Configuring Okta SCIM with the Cortex OIN app
Prerequisites
Before getting started:
- Generate an API key in Cortex.
- In Okta, navigate to Applications > Sign on > Credential details and set the "Application username format" to Email. SCIM requires this format.
- If your organization requires you to allowlist domains, follow these steps before getting started:
- Ensure that Okta's IP addresses can access your Cortex instance:
- In your Cortex instance, click your user avatar in the lower left corner, then click Settings.
- On the left side, under Authentication and Access, click IP allowlist.
- If you do not have any IP addresses listed here, then access is allowed from any IP address.
- Click Add IP addresses in the upper right.
- In the modal that appears, enter an individual IP address or an IP range in CIDR notation, then click Save.
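Before saving the allowlist, it helps to confirm that the entries you plan to add actually cover Okta's IP addresses. The following is an added example, not part of Cortex's or Okta's documentation or tooling: the function names, the `min_prefix` threshold, and the sample ranges (RFC 5737 documentation addresses) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. RFC 5737 documentation ranges stand in for
# Okta's IP addresses; substitute the real ones for your organization.
SAMPLE_OKTA_RANGES = ["192.0.2.0/24", "198.51.100.16/28", "203.0.113.7/32"]
# Constructed allowlist in the form the modal accepts: single IPs or CIDR ranges.
SAMPLE_ALLOWLIST = ["192.0.2.0/24", "198.51.100.16/29", "203.0.113.7", "0.0.0.0/0"]


def uncovered_parts(need, allowed):
    """Return the sub-ranges of `need` that no network in `allowed` covers."""
    remaining = [need]
    for net in allowed:
        nxt = []
        for part in remaining:
            if net.version != part.version or not net.overlaps(part):
                nxt.append(part)                       # untouched by this entry
            elif not part.subnet_of(net):
                nxt.extend(part.address_exclude(net))  # entry covers only a slice
            # else: part lies fully inside the entry, so it is covered
        remaining = nxt
    return sorted(remaining)


def audit_allowlist(allowlist, required_ranges, min_prefix=16):
    """Return (uncovered, too_broad, invalid) for a planned allowlist.

    min_prefix is an assumed threshold: IPv4 entries wider than this are
    reported and ignored, so a catch-all entry cannot hide a missing range.
    """
    nets, too_broad, invalid = [], [], []
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError:  # malformed, or host bits set (e.g. 10.0.0.1/24)
            invalid.append(entry)
            continue
        if net.version == 4 and net.prefixlen < min_prefix:
            too_broad.append(str(net))
        else:
            nets.append(net)
    uncovered = []
    for raw in required_ranges:
        need = ipaddress.ip_network(raw)
        uncovered += [str(p) for p in uncovered_parts(need, nets)]
    return uncovered, too_broad, invalid


if __name__ == "__main__":
    print(audit_allowlist(SAMPLE_ALLOWLIST, SAMPLE_OKTA_RANGES))
```

With the constructed sample, the `/29` entry covers only half of the required `/28`, a gap that the catch-all `0.0.0.0/0` entry would otherwise mask.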
1. Add the Cortex OIN app
- Add Cortex's OIN app for Okta from Okta's Cortex integration docs. This is also available in your Okta instance under Applications > App integration catalog.
2. Configure the API integration
- In your Okta admin dashboard, navigate to Applications then click the Cortex app.
- Click the Provisioning tab.
- Under the Settings panel, click Integration. Configure the settings:
- Enable API integration: Check the box.
- API token: Enter your generated Cortex API key.
- Click Test API Credentials to verify that your configuration works.
- Click Save.
3. Set provisioning in Okta
Once the integration is configured, Okta will give you the option to enable provisioning settings.
- Enable the following settings in Okta:
- Create users: This creates a user in Cortex when the app is assigned to a user in Okta.
- The default username used to create accounts is set to the Okta username.
- Update user attributes: This setting allows Okta to update a user's attributes in Cortex when the app is assigned.
- Cortex only supports updating the user's name (i.e. given and family names).
- Deactivate users: This deactivates or deletes a user's Cortex account when the app is unassigned from that user or when their Okta account is deactivated.
- Accounts can be reactivated if the app is reassigned to the user in Okta.
- Click Save.
4. Configure user provisioning in Cortex
- Navigate to the SCIM settings in Cortex.
- Click the toggles to enable the following settings:
- Enable automatic deprovisioning of users: Cortex will automatically deprovision any user it detects has been removed from your Okta instance.
- Enable automatic provisioning of users: Cortex will automatically provision any user it detects has been added to your Okta instance.
You can track which users are provisioned or deprovisioned in the Audit logs.
caution
Enabling automatic provisioning of users may impact seat counts.
Synchronizing user data between Okta and Cortex
To force a data sync between Okta and Cortex:
- In your Okta admin dashboard, open the Cortex app then click the Provisioning tab.
- Under the Settings panel, click To App.
- Under Cortex Attribute Mappings, click Force sync.