Skip to main content

Configure System for Cross-Domain Identity Management (SCIM) for Okta

System for Cross-domain Identity Management (SCIM) is an open specification to manage identities across a wide number of software applications through a single identify provider (IdP) such as Okta. Activating SCIM for ALTR will automate creating, updating and removing ALTR identities from your IdP. ALTR currently support SCIM integrations with Okta.

Prerequisites to enable SCIM in ALTR

When enabling SCIM, make sure you have

  • SSO enabled. Learn more.

  • Administrator access to your identity provider (Okta).

  • An ALTR Enterprise account.

  • Super Administrator access to your ALTR account. Learn more.

Enable SCIM with Okta

  1. Enable Provisioning in Okta for you ALTR application

    1. Select your existing ALTR application in Okta.

    2. Click the General tab.

    3. Under App Settings, click Edit.

    4. For Provisioning, select SCIM.

      Okta_SCIM_-_Enable_Provisioning.png
    5. Click Save.

  2. Configure Okta to connect to ALTR's SCIM API

    1. Click the Provisioning tab.

    2. Select Integration in the Navigation menu (this should be selected by default).

    3. Under SCIM Connection, click Edit.

    4. Open a separate tab/browser.

    5. Log into ALTR and select SettingsPreferences in the Navigation menu.

    6. Click the SSO/SCIM tab.

    7. Select Okta as your IDP.

      Okta_SCIM_-_Enable_Okta_in_ALTR.png
    8. Click Generate. This generates the SCIM URL and bearer token for your Okta organization.

      Important

      The bearer token is only available once and cannot be regenerated. Do not close this page in ALTR until you have finished enabling SCIM.

      Okta_SCIM_-_Base_URL_and_Bearer_Token.png
    9. Copy the base URL from ALTR and paste it into the SCIM connector base URL field in Okta. Do not close the page in ALTR until you have finished enabling SCIM.

    10. In Okta, enter “userName” in the Unique identifier field for users field.

      Warning

      The Unique Identifier field is case sensitive

    11. Select the Import New Users and Profile Updates, Push New Users and Push Profile Updates check boxes.

    12. Select HTTP Header from the Authentication Mode dropdown.

    13. Copy the bearer token from ALTR and paste it into the Bearer field (under HTTP Header). Do not close the page in ALTR until you have finished enabling SCIM.

      Okta_SCIM_-_Connect_to_API.png
    14. Click Save. Okta tests the connection to ALTR. If the changes save without error, you may close the safely close modal in ALTR.

  3. Configure Okta to create, edit, and remove ALTR administrators

    1. Click the Provisioning tab.

    2. Select To App in the Navigation menu (this should be selected by default).

    3. Under Provisioning to App, click Edit.

    4. Select Enable for Create Users, Update User Attributes and Deactivate Users.

      Okta_SCIM-Create_ALTR_Admins.png
    5. Click Save.

  4. (Optional): Enable the optional "ALTR_ADMIN_LEVEL" attribute in Okta

    1. Click the Provisioning tab.

    2. Select To App in the Navigation menu (this should be selected by default).

    3. Under [Application] Attribute Mappings, click Go to Profile Editor.

    4. Click Add Attribute.

    5. Enter "ALTR_ADMIN_LEVEL" in the Display name, Variable name,  External name and External namespace fields.

    6. For Enum, select Define enumerated list of values check box.

    7. For Attribute Members, enter “ADMINISTRATOR" for the Display name and Value fields. These fields are case sensitive.

    8. Click Add Another.

    9. Enter “SUPERADMINISTRATOR" for the Display name and Value fields. These fields are case sensitive.

    10. Click Add Another.

    11. Enter “DATA_CONSUMER" for the Display name and Value fields. These fields are case sensitive.

    12. For Attribute required, select Yes check box.

    13. For Attribute type, select Group.

      Okta_SCIM_-_Enable_ALTR_ADMIN_LEVEL.png
    14. Click Save.

  5. Provision users to ALTR

    1. Navigate to your ALTR application in Okta.

    2. (Optional) Under the Import tab, import your existing ALTR administrators to this Okta application. Okta accesses a list of existing ALTR administrators and attempt to match them to Okta identities based on Username.

    3. Click the Assignments tab.

    4. Select AssignAssign to People.

      Okta_SCIM_-_Provision_users.png
    5. Edit the Okta user to assign to ALTR.

    6. (Optional) If you created the custom ALTR_ADMIN_LEVEL, indicate whether the user should be an ADMINISTRATOR, SUPERADMINISTRATOR or DATA_CONSUMER. Learn more.

    7. Click Save to finish provisioning the user.

    8. Repeat these steps for each user that should have access to ALTR.

Deactivating SCIM

If you choose to deactivate SCIM, then reach out to support@altr.com.

Note

When SCIM is deactivated, ALTR will maintain the existing administrator configuration at the time it happened. That is, the same users that have ALTR accounts while SCIM was enabled will continue to have accounts when SCIM is disabled. Disabling SCIM will also re-enable the non-SCIM routes to manage administrators, so that users can once again manually create, edit, or deactivate admins directly in ALTR.