How do I configure SCIM with OKTA?

Okta user provisioning integration with SCIM

If your organization uses Okta to manage your employees’ access to tools and services, you can take advantage of Okta’s “Provisioning” feature to automatically grant access to Reftab to your users, and even optionally synchronize membership in select Okta Groups with Reftab Access Roles.

The integration between Okta and Reftab that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Okta works with SCIM, please see this article.

The remainder of this guide is focused on enabling you to configure both Reftab and Okta to get provisioning up and running for your organization.

Disclaimer: This integration with Okta is currently under development and is not available to customers yet. Contact info@reftab.com to learn more.

Features

The following provisioning features are supported by Reftab at present:

  • Push Users: Users in Okta that are assigned to the Reftab application within Okta are automatically added as users in Reftab
  • Update User Attributes: When user attributes are updated in Okta, they will be updated in Reftab.
  • Deactivate Users: When users are deactivated in Okta, they will be set to ‘disabled’ within Reftab  – which prevents the user from logging into Reftab. 
  • Push Groups: Groups and their users in Okta can be pushed to Reftab. (Group information from Okta can be used to map users to Reftab access roles.)

Requirements

SCIM-based user provisioning is available to Reftab’s Business and Enterprise customers only. Reach out to info@reftab.com if you would like to upgrade your Reftab account.

Step-by-step configuration instructions

1) Click “Applications” > “Applications” > “Browse App Catalog

(If you already have Reftab as an application, click on it).

Okta-browse-app-catalog

Search for “Reftab”.

okta-search-reftab

Click “Add

Okta-Add-Reftab

Click “Done“.

Okta-Add-Reftab-General-Settings

2) Click the “Provisioning” tab and click “Configure API Integration

Okta-Provisioning-API-Integration

3) Next, click the checkbox “Enable API Integration“.

okta-check-box-api-integration

4) Next, log into Reftab as an administrator and click “Settings” > “SAML Settings” > “Configure SCIM

okta scim - reftab scim settings.png

5) Copy the Endpoint and the Token

okta scim - token and url.png

6) Next, back in Okta under the “Provisioning” tab, paste the Base URL endpoint and API token:

okta-base-url-api-token

Click “Save

7) Next, on the “Provisioning” tab click “To App” and click “Edit

Okta-Edit-To-App-Provisioning

8) Check each box for Reftab’s supported provisioning actions: 

  • Create Users
  • Update User Attributes
  • Deactivate Users

Click “Save

Okta-to-app-provisioning-options

9) Next, click the tab for “Sign On” and click “Edit

10) Select Email for the Application username format and click “save”

okta-sign-on-save-email-format.png

11) Next, click “Assignments” > “Assign” > “Assign to Groups” (You can optionaly select Assign to People)

okta-assignments-groups

Click “Assign” next to any group(s) and then click “Done” 

Okta-Assign-Reftab-Groups

12)Next, scroll to the top and click the tab for “Push Groups” > “Push Groups” > “Find Groups by name

okta-to-app-push-groups-to-reftab

13) Start typing for a group and when found, click Save

okta-search-groups

The groups that you push will be accessible by Reftab and can be used for mapping a user’s group in Okta to a Reftab access role.

For example, by pushing the group in the screenshot above “Elephants”, within Reftab,  users from within that group are saved into a Reftab access role:

14) Log into Reftab as an administrator and click “Settings” > “SAML Settings” > “Configure SCIM” scroll down to “Group Mappings” and you should see your pushed  groups.

Map each group to a Reftab access role of your choice.

okta enable scim provisioning 5

This is useful because you don’t have to manage each individual persons access in Reftab, you can manage group mappings to automatically assign users to access roles based upon their group.

Next, you can log into Reftab and you should see user accounts appear.  To see users in Reftab, click “Settings” > “Sub Accounts” and the users should appear.

We suggest setting up Single Sign-On so that your users can automatically log into Reftab without the need to create their own Reftab password.

Troubleshooting and Tips

For questions email “info@reftab.com” and we will be happy to help.