Configure System for Cross-Domain Identity Management (SCIM) for Okta

Enable Provisioning in Okta for you ALTR application

1. Select your existing ALTR application in Okta

2. Navigate to the "General" tab

3. Under "App Settings", select "Edit"

4. Update "App Settings" so that "Provisioning" is set to "SCIM"

5. Click Save

Configure OKTA to connect to ALTR's SCIM API

1. Navigate to the "Provisioning" tab in your Okta application

2. Navigate to "Integration" on the left-hand nav (this should be selected by default after step 1)

3. Under "SCIM Connection", click "Edit"

4. In a separate tab or browser, navigate to the SSO/SCIM page in ALTR's Settings UI (/settings/preferences/sso).

5. Select Okta as your IDP in ALTR

6. Click the "Generate" button in Okta. This will generate the SCIM URL and bearer token for your Okta organization. Do not close this page in ALTR until you have finished enabling SCIM.

7. Copy the Base URL from ALTR and paste it into the "SCIM connector base URL" field in Okta. Do not close the page in ALTR until you have finished enabling SCIM.

8. In Okta, enter "userName" under Unique Identifier field for users.

   Warning

   The Unique Identifier field is case sensitive

9. In Okta, check the boxes for "Import New Users and Profile Updates", "Push New Users", and "Push Profile Updates"

10. In Okta, set "Authentication Mode" to "HTTP Header"

11. Copy the token from ALTR and paste it into the "Authorization" field (in the "HTTP Header" section) in Okta. Do not close the page in ALTR until you have finished enabling SCIM.

12. Click "Save". Okta will test the connection to ALTR. If the changes save without error, you may close the safely close the SCIM URL and token in ALTR.

Configure Okta to create, edit, and remove ALTR administrators

1. Navigate to the "Provisioning" tab in your OKTA application

2. Navigate to "To App" on the left-hand nav (this should be selected by default)

3. Under "Provisioning to App", select "Edit"

4. Check the boxes for the following actions: "Create Users", "Update User Attributes", and "Deactivate Users"

5. Click Save

(Optional): Enable the optional "ALTR_ADMIN_LEVEL" attribute in OKTA

1. Navigate to the "Provisioning" tab in your Okta Application

2. Navigate to the "To App" section in the left navigation (this should be selected by default)

3. Under "Application Attribute Mappings", select "Go to Profile Editor"

4. Click the "Add Attribute" button

5. Enter "ALTR_ADMIN_LEVEL" for the following fields: "Display name", "Variable name",  "External name", and "External namespace"

6. Under "Enum", select "Define enumerated list of values"

7. Under "Attribute Members", create a value with the display name and value "ADMINISTRATOR". This is case sensitive.

8. Under "Attribute Members", create a value with the display name and value "SUPERADMINISTRATOR". This is case sensitive.

9. Under "Attribute Members", create a value with the display name and value "DATA_CONSUMER". This is case sensitive.

10. Under "Attribute Required", check the box to indicate that this is a required field for identities

11. Select "Read Only" under "User Permission"

12. Click "Save"

Provision users to ALTR

1. Navigate to your ALTR application in OKTA

2. (Optional) Under the "Import" tab, import your existing ALTR administrators to this OKTA application. OKTA will access a list of existing ALTR administrators and attempt to match them to OKTA identities based on Username.

3. Navigate to the "Assignments" tab

4. Click the "Assign" button

5. Click "Assign to People".

6. Select an OKTA user to assign to ALTR.

7. (Optional) If you created the custom ALTR_ADMIN_LEVEL attribute in step 4, indicate whether the user should be an Administrator, Superadministrator or Data Consumer.

8. Click "Save and Go Back" to finish provisioning the user

9. Do this for each user that should have access to ALTR