
SCIM Setup for Okta

This walkthrough shows how to set up a SCIM app on Okta to automatically provision users and teams into Catalog.

Contact Catalog Ops

This setup requires you to contact Catalog ops (support@coalesce.io or Slack) to generate and share the required SCIM token you will use to connect your SCIM app to Catalog's SCIM API.

1. Creating a SAML App

  1. Go to your Okta applications and click on Browse App Catalog.

  2. Then search for SCIM and choose SCIM 2.0 Test App (Header Auth).

  3. Click the Add Integration button.

  4. Give the app a proper name and click Next.

  5. As this app will only be used for provisioning, you do not need to specify proper SAML information. Go to the end of the page and click Done.


2. Setting Up Provisioning

  1. Once in the application, go to the Provisioning tab and click the Configure API Integration button.

  2. There you will set up provisioning information.

    1. Input Base URL as:
      1. https://api.castordoc.com/auth/scim for accounts using app.castordoc.com
      2. https://api.us.castordoc.com/auth/scim for accounts using app.us.castordoc.com
    2. Add the API token that Catalog ops provided to you (or reach out at support@coalesce.io or through Slack).
    3. Test the connection, then save.

3. Configuring Mappings

In this part you will craft the mapping between your user and team information in Okta and their Catalog accounts. For that you need to update the two mappings.

  1. In the Provisioning tab, go to the To App section:

  2. Click on Edit and enable Create Users, Update User Attributes, and Deactivate Users, then Save.

  3. Click on Go to Profile Editor under Attribute Mappings to select the desired fields to send to Catalog.

  4. In the Profile Editor, click on Mappings.

  5. On the CastorDoc SCIM to Okta User tab:

    1. Unmap all fields except appuser.givenName and appuser.familyName (Okta attribute names).
    2. Update the appuser.email to email mapping to appuser.userName to email.
  6. On the Okta User to CastorDoc SCIM tab:

    1. Remove all field mappings except user.firstName and user.lastName.

4. Trigger Provisioning

Once the mapping updates are done, you can start assigning the users and groups that will be provisioned to Catalog.


Troubleshooting

  • If your Catalog user appears without first and last name, ensure their givenName and familyName are filled in their Okta profile.
  • If your token has been leaked or you have any other issue with it, reach out to Catalog ops (support@coalesce.io) to reset the token.
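
As an added example (not part of Catalog's or Okta's own material), the Python sketch below runs a pre-flight check on Okta profiles against the mapping from step 3 before you assign users: it builds the standard SCIM 2.0 User resource from the remaining mapped fields and flags empty names. It assumes the SCIM userName is taken from the Okta login and should be an email address; the function names and the sample profiles are constructed for illustration.

```python
# Added example: pre-flight check for the Okta -> Catalog attribute mapping.
# Assumptions: profile keys follow Okta's default user profile (login,
# firstName, lastName) and the SCIM userName is the Okta login.
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def to_scim_user(profile):
    """Build a SCIM 2.0 User resource carrying only the mapped attributes."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": (profile.get("login") or "").strip(),
        "name": {
            "givenName": (profile.get("firstName") or "").strip(),
            "familyName": (profile.get("lastName") or "").strip(),
        },
    }


def preflight(profiles):
    """Return {login: [problems]} for profiles that would provision badly."""
    report = {}
    for profile in profiles:
        user = to_scim_user(profile)
        problems = []
        # userName is mapped to email, so a non-email login is suspicious.
        if not EMAIL_RE.match(user["userName"]):
            problems.append("userName is not an email address")
        for scim_attr, okta_attr in (("givenName", "firstName"),
                                     ("familyName", "lastName")):
            if not user["name"][scim_attr]:
                problems.append(f"{scim_attr} empty (Okta {okta_attr})")
        if problems:
            report[user["userName"] or "<no login>"] = problems
    return report


SAMPLE_PROFILES = [  # constructed sample data, not real accounts
    {"login": "ada@example.com", "firstName": "Ada", "lastName": "Lovelace"},
    {"login": "grace@example.com", "firstName": "", "lastName": "Hopper"},
    {"login": "svc-backup", "firstName": "Backup", "lastName": None},
]

if __name__ == "__main__":
    for login, problems in preflight(SAMPLE_PROFILES).items():
        print(f"{login}: {'; '.join(problems)}")
```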