Okta SCIM

Last updated 1 month ago


In this guide, we'll look at how to configure Okta SCIM in Cortex through Cortex's app in the Okta Integration Network.

When Okta SCIM is configured, you can create, import, edit, and deactivate users.

Limitations

Note the following limitations when using Okta SCIM:

  • A user's email cannot be changed.

  • Only given and family names can be updated.

  • Users can only be reactivated via a PUT operation.
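The three limitations above can be checked before a SCIM write is sent. The following is an added example, not code from Cortex or Okta: `check_request`, `reactivation_body` and the sample user are hypothetical, the attribute names follow the standard SCIM 2.0 User schema (RFC 7643), and it assumes `userName` carries the user's email.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
# Per the limitations above, only these two attributes may change.
UPDATABLE = {("name", "givenName"), ("name", "familyName")}

def flatten(resource, prefix=()):
    """Flatten nested dicts to {("name", "givenName"): value, ...}."""
    flat = {}
    for key, value in resource.items():
        if isinstance(value, dict):
            flat.update(flatten(value, prefix + (key,)))
        else:
            flat[prefix + (key,)] = value
    return flat

def check_request(method, current, desired):
    """Return the limitations a SCIM write would hit (empty list = OK)."""
    before, after = flatten(current), flatten(desired)
    problems = []
    for path, new in after.items():
        if new == before.get(path) or path == ("schemas",):
            continue  # unchanged attribute, nothing to check
        if path == ("userName",):
            # Assumption: userName is the email (Okta username format = Email).
            problems.append("email cannot be changed")
        elif path == ("active",):
            if new is True and method.upper() != "PUT":
                problems.append("reactivation requires PUT")
        elif path not in UPDATABLE:
            problems.append("not updatable: " + ".".join(path))
    return problems

def reactivation_body(current):
    """Full-resource PUT body that flips only `active` to true."""
    body = dict(current, name=dict(current["name"]))
    body["schemas"] = [SCIM_USER_SCHEMA]
    body["active"] = True
    return body

# Constructed sample user (not real data): a deactivated account.
ALICE = {"schemas": [SCIM_USER_SCHEMA], "userName": "alice@example.com",
         "name": {"givenName": "Alice", "familyName": "Ng"}, "active": False}

if __name__ == "__main__":
    print(check_request("PATCH", ALICE, {"active": True}))
    print(check_request("PUT", ALICE, reactivation_body(ALICE)))
```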

If you're looking to configure Okta SSO, see the Okta SSO documentation.

Configuring Okta SCIM with the Cortex OIN app

Prerequisites

Before getting started:

  • Generate an API key in Cortex.

    • The API key should have the Admin role, or a custom role that contains the Configure Open ID Connector & SCIM permission.

  • In Okta, navigate to Applications > Sign on > Credential details and set the "Application username format" to Email. SCIM requires this format.

  • If your organization requires you to allowlist domains, follow these steps before getting started:

    • Ensure that Okta's IP addresses can access your Cortex instance:

      1. In your Cortex instance, click your user avatar in the lower left corner, then click Settings.

      2. On the left side, under Authentication and Access, click IP allowlist.

        • If you do not have any IP addresses listed here, then access is allowed from any IP address.

      3. Click Add IP addresses in the upper right.

      4. In the modal that appears, enter an individual IP address or an IP range in CIDR notation, then click Save.
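Because an empty allowlist permits every address, the first entry you add changes the workspace from open to listed-only. The added example below (not Cortex code) models that behaviour so a planned allowlist can be checked for missing Okta ranges and for locked-out sources before it is saved; the function names are hypothetical, the addresses are constructed from documentation ranges, and it assumes a non-empty allowlist blocks every unlisted address.

```python
import ipaddress

def is_allowed(source_ip, allowlist):
    """Empty allowlist = any IP allowed (as stated above); otherwise the
    source must fall inside a listed address or CIDR range (assumption)."""
    if not allowlist:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in allowlist)

def locked_out(sources, allowlist):
    """Return the labels of sources that the allowlist would block."""
    return sorted(label for label, ip in sources.items()
                  if not is_allowed(ip, allowlist))

def uncovered(required_ranges, allowlist):
    """Return required CIDR ranges not fully contained in any entry."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allowlist]
    missing = []
    for cidr in required_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == n.version and net.subnet_of(n) for n in nets):
            missing.append(cidr)
    return missing

# Constructed sample data (RFC 5737 documentation ranges, not Okta's real IPs).
OKTA_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]
SOURCES = {"okta": "192.0.2.10", "office": "203.0.113.7"}

if __name__ == "__main__":
    planned = ["192.0.2.0/24"]
    print("blocked sources:", locked_out(SOURCES, planned))
    print("Okta ranges still missing:", uncovered(OKTA_RANGES, planned))
```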

Step 1: Add the Cortex OIN app

Add Cortex's OIN app for Okta from Okta's Cortex integration docs. This is also available in your Okta instance under Applications > App integration catalog.

Step 2: Configure user provisioning in Cortex

  1. Navigate to the SCIM settings in Cortex.

  2. Click the toggles to enable the following settings:

    • Enable automatic deprovisioning of users: Cortex will automatically deprovision any user it detects has been removed from your Okta instance.

    • Enable automatic provisioning of users: Cortex will automatically provision any user it detects has been added to your Okta instance.

You can track which users are provisioned or deprovisioned in the Audit logs.

Enabling automatic provisioning of users may impact seat counts.

Step 3: Configure the API integration

  1. In your Okta admin dashboard, navigate to Applications then click the Cortex app.

  2. Click the Provisioning tab.

  3. Under the Settings panel, click Integration. Configure the settings:

    • Enable API integration: Check the box.

    • API token: Enter your generated Cortex API key.

  4. Click Test API Credentials to verify that your configuration works.

  5. Click Save.

Step 4: Set provisioning in Okta

Once the integration is configured, Okta will give you the option to enable provisioning settings.

  1. Enable the following settings in Okta:

    • Create users: This creates a user in Cortex when the app is assigned to a user in Okta.

      • The default username used to create accounts is set to the Okta username.

    • Update user attributes: This setting allows Okta to update a user's attributes in Cortex when the app is assigned.

      • Cortex only supports updating the user's name (i.e. birth and family names).

    • Deactivate users: This deactivates or deletes a user's Cortex account when the app is unassigned from that user or when their Okta account is deactivated.

      • Accounts can be reactivated if the app is reassigned to the user in Okta.

  2. Click Save.

Synchronizing user data between Okta and Cortex

To force a data sync between Okta and Cortex:

  1. In your Okta admin dashboard, open the Cortex app then click the Provisioning tab.

  2. Under the Settings panel, click To App.

  3. Under Cortex Attribute Mappings, click Force sync.

Troubleshooting and FAQ

Why might I see a "Forbidden from remote server" error in Okta when testing authentication?

This can happen if you did not configure user provisioning in your SCIM settings in Cortex before testing the integration in Okta. Follow the steps to configure user provisioning, then try again.
