Okta SCIM
In this guide, we'll look at how to configure Okta SCIM in Cortex through .
When Okta SCIM is configured, you can create, import, edit, and deactivate users.
Note the following limitations when using Okta SCIM:
A user's email cannot be changed.
Only given and family names can be updated.
Users can only be reactivated via a PUT operation.
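The limitations above, written as a pre-flight check over SCIM 2.0 requests (an added example, not Cortex's or Okta's own code). Message shapes follow RFC 7643/7644; the function names, the constructed sample user, and the assumption that these three rules are everything Cortex enforces are illustrative.

```python
# Added example: SCIM 2.0 message shapes follow RFC 7643/7644. How Cortex
# itself answers such requests is not stated on this page (assumption).
UPDATABLE = {"name.givenName", "name.familyName"}  # only names can be updated
IGNORED = {"schemas", "id"}                        # SCIM bookkeeping

# Constructed sample: a deactivated user as the service provider stores it.
SAMPLE_USER = {"userName": "ada@example.com", "active": False,
               "name": {"givenName": "Ada", "familyName": "Lovelace"},
               "emails": [{"value": "ada@example.com", "primary": True}]}


def flatten(obj, prefix=""):
    """Flatten nested attributes into dotted paths; lists stay as values."""
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def proposed_changes(method, body):
    """Paths a request would set: PUT sends the resource, PATCH sends ops."""
    if method == "PUT":
        return flatten(body)
    changes = {}
    for op in body.get("Operations", []):
        path, value = op.get("path"), op.get("value")
        if path and not isinstance(value, dict):
            changes[path] = value
        else:  # path-less op, or a complex value under a path
            changes.update(flatten(value or {}, f"{path}." if path else ""))
    return changes


def check_request(method, current, body):
    """Return the listed limitations that a request on an existing user hits."""
    method, stored, problems = method.upper(), flatten(current), set()
    for path, value in proposed_changes(method, body).items():
        if path in IGNORED or path.startswith("meta") or stored.get(path) == value:
            continue  # bookkeeping, or no change to the stored value
        if path == "userName" or path.startswith("emails"):
            problems.add("email cannot be changed")
        elif path == "active":
            if value is True and method != "PUT":
                problems.add("reactivation requires PUT")
        elif path not in UPDATABLE:
            problems.add(f"not updatable: {path}")
    return sorted(problems)
```

An empty list means the request stays within the listed limitations; deactivation (`active` set to false) is accepted from either method.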
If you're looking to configure Okta SSO, see the .
Before getting started:
Generate an .
The API key should have the Admin role, or a custom role that contains the Configure Open ID Connector & SCIM permission.
In Okta, navigate to Applications > Sign on > Credential details and set the "Application username format" to Email. SCIM requires this format.
If your organization requires you to allowlist domains, follow these steps before getting started:
Ensure that can access your Cortex instance:
In your Cortex instance, click your user avatar in the lower left corner, then click Settings.
On the left side, under Authentication and Access, click IP allowlist.
If you do not have any IP addresses listed here, then access is allowed from any IP address.
Click Add IP addresses in the upper right.
In the modal that appears, enter an individual IP address or an IP range in CIDR notation, then click Save.
Click the toggles to enable the following settings:
Enable automatic deprovisioning of users: Cortex will automatically deprovision any user it detects has been removed from your Okta instance.
Enable automatic provisioning of users: Cortex will automatically provision any user it detects has been added to your Okta instance.
You can track which users are provisioned or deprovisioned in the Audit logs.
Enabling automatic provisioning of users may impact seat counts.
In your Okta admin dashboard, navigate to Applications then click the Cortex app.
Click the Provisioning tab.
Under the Settings panel, click Integration. Configure the settings:
Enable API integration: Check the box.
Click Test API Credentials to verify that your configuration works.
Click Save.
Once the integration is configured, Okta will give you the option to enable provisioning settings.
Enable the following settings in Okta:
Create users: This creates a user in Cortex when the app is assigned to a user in Okta.
The default username used to create accounts is set to the Okta username.
Update user attributes: This setting allows Okta to update a user's attributes in Cortex when the app is assigned.
Cortex only supports updating the user's name (i.e. birth and family names).
Deactivate users: This deactivates or deletes a user's Cortex account when the app is unassigned from that user or when their Okta account is deactivated.
Accounts can be reactivated if the app is reassigned to the user in Okta.
Click Save.
To force a data sync between Okta and Cortex:
In your Okta admin dashboard, open the Cortex app then click the Provisioning tab.
Under the Settings panel, click To App.
Under Cortex Attribute Mappings, click Force sync.
Why might I see a "Forbidden from remote server" error in Okta when testing authentication?
This can happen if you did not configure user provisioning in your SCIM settings in Cortex before testing the integration in Okta. Follow the , then try again.
Add Cortex's OIN app for Okta from . This is also available in your Okta instance under Applications > App integration catalog.
Navigate to the .
API token: Enter your generated .