User Provisioning in Okta with SCIM

Before You Begin

Important: Before you setup SCIM with Okta, you will need to open a support ticket with Infosec to enable the provisioning on your Infosec IQ account. The provisioning settings will not be available by default.

Most of the time you will want to also use Okta for SSO. If that is the case, you should first configure an Okta SSO application by following the instructions in Okta SSO Configuration.

Enable SCIM Provisioning in Okta

You’ll need access to your organization’s Okta admin console and admin access to Infosec IQ in order to complete these steps.

1. Navigate to Infosec application in Okta that you setup previously (see above).

2. On the General tab, select the Edit button for the App Settings section.

3. Check the box next to Provisioning that says Enable SCIM provisioning.
   

   

   image.png1054×611 36.2 KB

4. Open the Infosec Accounts dashboard, by navigating to Infosec IQ, clicking the gear icon in the top right corner, and selecting Learner Authentication (SSO)

5. Select the Provisioning tab.

6. To proceed in Okta, you’ll need two things from this page–the Service Provider URL and a personal access token.

   • Service Provider URL: You can find this on at the bottom of this page.
   • Personal access token: Select ‘create a new one’ in the text above the provider URL. Give the token a name and expiration date. Leave the SCIM provisioning box checked, and click Save. Take note of the token (note: you will not be able to retrieve this later).
     
     

     image.png950×278 14.6 KB

7. Back in Okta, navigate to the Provisioning tab. Under Settings select Integration. Click edit in the SCIM Connection section.

8. Fill in the following settings–

   • SCIM connector base URL: Fill with the Service Provider URL you just collected from Infosec.
   • Unique identifier field for users: Fill with the word ‘email’
   • Supported provisioning actions: Check ‘Push New Users’, ‘Push Profile Updates’, and ‘Push Groups’ boxes.
   • Authentication Mode: Set to ‘HTTP Header’
   • Authorization (Bearer): Fill with the personal access token you just collected from Infosec
     
     

     image.png1029×804 33.9 KB

9. Click the Test Connector Configuration button to ensure that the connection is working. If the test is succesful, click Save

10. Next, click To App under Settings, then click the blue Edit button on the right

11. Check the Enable boxes in each of the following three sections, Create Users, Update User Attributes, and Deactivated Users so that it matches the image below. Click Save.

image.png1130×717 45.5 KB

Now, all users and groups assigned to the application in the Assignments tab of Okta will sync into Infosec Accounts. They will not yet show up in Infosec IQ in the Learners section. To turn on the sync from Infosec Accounts to Infosec IQ follow the remaining steps

10. Navigate back to the Infosec Accounts Dashboard and select the Overview tab
11. Check Sync Enabled? box in the Application links section.
    
    

    image.png1201×170 5.51 KB

Manage the sync from Infosec Accounts to Infosec IQ

As mentioned in the instructions above, once the sync has happened from Okta to Infosec Accounts, it will be synced to Infosec IQ. To manage how these users are converted to learners and to ensure that users are permanently deleted to free up licenses, see our article about the the receiving end of learner syncs, Learner Sync Documentation.