Adding SCIM to Okta
Verify that your organization meets the requirements below for adding SCIM to Okta, then follow the configuration instructions to set it up.
Prerequisites
The goal of adding SCIM to your existing Okta-to-O’Reilly SAML SSO integration is to have Okta become the “source of truth” for user access to the O’Reilly learning platform at your organization.
When Okta is the source of truth, the following principles apply:
- If a user is assigned to the O’Reilly SAML application in Okta, they have access to O’Reilly and occupy an O’Reilly seat/license.
- If a user isn’t assigned to the O’Reilly SAML application in Okta, they don’t have access to O’Reilly and don’t occupy an O’Reilly seat/license.
After configuring Okta to use SCIM with O’Reilly, you should no longer use O’Reilly’s User Management page in the Admin Console to manage users. Once Okta manages your O’Reilly users automatically via SCIM, any user changes made outside of Okta cause misalignment between Okta and O’Reilly. Misalignment can result in a number of issues, including:
- Failure to automatically remove users who are no longer members of your organization
- Duplicating (rather than updating) an O’Reilly user whose email address has changed
- Running out of O’Reilly licenses unexpectedly
So prior to adding SCIM to Okta, it’s necessary to align your O’Reilly and Okta user access lists. To do so, complete the following steps:
- Confirm the maximum number of seats/licenses in your organization’s O’Reilly account.
- Review which users at your organization are currently activated in the O’Reilly learning platform.
- Review which users at your organization are currently assigned to the O’Reilly SAML application in Okta.
- Compare the two lists of users to ensure that the activated users in O’Reilly are the same as the users who are assigned to the O’Reilly SAML application in Okta.
These steps, which are detailed below, will need to be performed by your O’Reilly account admin (who has access to the User Management page) in cooperation with your Okta admin (who manages Okta for your organization, which generally falls under IT support).
- Your O’Reilly account admin can determine your organization’s maximum number of O’Reilly seats by doing the following:
- Log in to the O’Reilly learning platform and click Admin in the top right corner.
- Click on the Account tab.
-
Check the number in the Max user access field.
- Your O’Reilly account admin can download a CSV of your organization’s currently activated users by doing the following:
- Log in to the O’Reilly learning platform and click Admin in the top right corner.
- Click User Management.
- Verify that the Show: Activated filter is selected.
-
Click the Download List button.
- Your Okta admin can export a list of users at your organization who are currently assigned to the O’Reilly SAML application in Okta by following the instructions in Okta’s knowledge base article “.”
- Your O’Reilly account admin and your Okta admin should then compare their O’Reilly and Okta user access lists to ensure that the activated users in the O’Reilly learning platform are identical to the users who are assigned to the O’Reilly SAML application in Okta. Once a one-to-one user relationship has been established between O’Reilly and Okta, your Okta admin may proceed with enabling SCIM in Okta.
For more information on how to enable SCIM in Okta, see the Configuration section below.
If you have any questions about best practices when adding SCIM to your organization’s integration with O’Reilly, please reach out to your CSM or the O’Reilly integration team at
Configuration
Please obtain the required SCIM API token from the Integrations page of your Admin Console or from your customer success manager. Once you have the token, follow the steps below to implement SCIM for the O’Reilly learning platform with Okta.
-
In the Okta Admin Console, navigate to your O’Reilly application and click the General tab, then click Edit. In the Provisioning section, select SCIM. Click Save.
-
Select the Provisioning tab, which should appear after enabling SCIM in step 1, then click Edit and fill in the following:
- SCIM connector base URL:
- Unique identifier field for users: This should match what you configured for the SSO integration. The default configuration for Okta is generally userName.
- Supported provisioning actions: We currently support Import New Users and Profile Updates, Push New Users, and Push Profile Updates. We don’t support Push Groups or Import Groups at this time.
- Authentication Mode: Select HTTP Header from the dropdown list and the HTTP Header section will appear below. In the Bearer field, enter the SCIM API token you should have received from your customer success manager.
-
Once you’ve added the relevant info, click Test Connector Configuration. If it’s successful, you’ll see a confirmation message. Once you receive confirmation of a successful test, click Save.
-
Click the To App option on the left and choose from the following functions the O’Reilly SCIM API can support in Okta. (We recommend selecting all three).
- Create Users: A user will be created in the O’Reilly platform when you assign them to the O’Reilly learning platform application in Okta.
- Update User Attributes: When you change a user’s name or email address in Okta, these changes will be pushed to the O’Reilly learning platform.
- Deactivate Users: If you remove permission for a user in Okta, the user will be updated to “revoked” status in the O’Reilly learning platform.
Supported attributes
SCIM user profile attribute name Okta user profile attribute name userName user.userName givenName user.firstName familyName user.lastName email user.email Once you’ve selected the supported actions for SCIM provisioning and updated the attribute mappings, click Save at the bottom of this section.
-
Check the To Okta option on the left to review the default settings, as we don’t support making user changes from O’Reilly to Okta at this time.
-
Click the Assignments tab. You should see the list of users who’ve been assigned the O’Reilly learning platform in Okta. Then click the Provision User button to sync Okta with the O’Reilly app. Once this is complete, your Okta Integration is now ready to use SCIM.
SAML and SCIM support
If you have any questions during or after the integration, please reach out to your customer success manager or the O’Reilly integration team at