System for Cross-domain Identity Management (SCIM) is an open specification for managing identities across many software applications by creating, editing and managing accounts through a single identity provider (IdP) such as Okta. Setting up SCIM for your organization helps automate your individual users' access to ALTR. Our first release of SCIM is tested to work with Okta.
Once your organization has enabled SSO, the option to activate SCIM will become available for ALTR Administrators. This entails indicating which IdP you are using and generating the URL and token in ALTR for the SCIM endpoints.
Once the URL and token are generated, you must provide that information to Okta so that it can make API calls to ALTR to manage administrators. You should only generate the URL and token if you intend to activate SCIM. Generating the URL and token activates SCIM in ALTR and cannot be undone.
Follow the steps below to provision users with SCIM. It's a three-stage process.
NOTE: Users are created as a 'SUPER ADMINISTRATOR' by default.
Stage 1. Enable SSO and Provision SCIM in Okta
Find the ALTR app for your organization in Okta and select SCIM
First, make sure that SSO is already enabled for your organization. If it's not, then read the details at Configuring SSO for Okta.
Next, sign into Okta as an Administrator.
From the left-side menu bar, click on Applications > Applications.
Find the ALTR application for your organization.
Click on General and, under App Settings, click on Edit.
Scroll down to Provisioning and click the SCIM radio button as shown in figure 1.
Click on Save.
Generate the bearer token
Click on the Provisioning tab of the Integration section.
Under SCIM Connection, click on Edit.
From the ALTR application, generate the bearer token as shown in figure 2.
Copy the SCIM Base URL (shown in the figure 3 example) into the SCIM Connector Base URL field of Okta that's shown in figure 4a.
From the Supported Provisioning Actions section, select the first 3 checkboxes and click Save. See figure 4b for context.
Under Authentication Mode (shown in figure 4a), change the setting in the dropdown list from Basic Auth to HTTP Header. An HTTP Header section then appears below with a 'Bearer Token' text field; paste the token into it. After you've done this, click Test Connector Configuration to make sure the app is working properly.
Stage 2. Add the userName Value for Your Organization
From the ALTR Platform SAML Test Applications page in Okta, click on the Integration tab under the Settings menu. See figure 5.
From the SCIM Connection section, click on Edit. Add the value 'userName' in the 'Unique identifier field for users' field, because ALTR only allows you to have a single username in each organization. The userName value is case sensitive, so be sure to enter it in the correct case.
Click on Save.
Click on Test Connector Configuration. A Test Connector Configuration window will display and show a 'Connector configured successfully' confirmation message. See figure 6.
Stage 3. Assign Your Individual Users
Next, from the Settings 'To App' submenu in the left menu navigation, select the Provisioning tab and click Edit.
Click Enable for 'Create Users', 'Update User Attributes', and 'Deactivate Users'. See figure 7.
Click on the Assignments tab and from there you can begin assigning individual users from your organization by clicking on Assign to People. See figure 8.
Note: Although SCIM supports groups of users, ALTR only supports individual users.
As stated above, users are created as a 'SUPER ADMINISTRATOR' by default; therefore, if you prefer to assign someone as an 'Administrator' instead, then you'll need to go into the Add Attribute section of Okta and add an 'ALTR Admin Level' value for the user's profile. See figure 7b.
NOTE: When SCIM is deactivated, ALTR will maintain the administrator configuration that existed at the time of deactivation. That is, the same users that had ALTR accounts while SCIM was enabled will continue to have accounts when SCIM is disabled. Disabling SCIM will also re-enable the non-SCIM routes to manage administrators, so that users can once again manually create, edit, or deactivate admins directly in ALTR.
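Two settings from Stages 2 and 3 are easy to get wrong before the first assignment: the unique identifier must be exactly 'userName', and anyone assigned without an 'ALTR Admin Level' value is created as a 'SUPER ADMINISTRATOR'. The following pre-assignment check is an added example, not ALTR or Okta code; the input format and the `altrAdminLevel` profile key are assumptions, and the sample rows are constructed.

```python
DEFAULT_LEVEL = "SUPER ADMINISTRATOR"   # applied when no level is set (per this page)
PAGE_LEVELS = {"SUPER ADMINISTRATOR", "ADMINISTRATOR"}  # the two levels this page names
REQUIRED_UNIQUE_ID = "userName"         # case sensitive


def audit_plan(unique_id_field, assignments, level_key="altrAdminLevel"):
    """Return (kind, subject, detail) findings for a planned Okta-to-ALTR rollout.

    level_key is a hypothetical name for the 'ALTR Admin Level' profile attribute.
    """
    findings = []
    if unique_id_field != REQUIRED_UNIQUE_ID:
        findings.append(("unique-id-field", unique_id_field,
                         f"must be exactly {REQUIRED_UNIQUE_ID!r}"))
    seen = set()
    for person in assignments:
        name = (person.get("userName") or "").strip()
        if not name:
            findings.append(("missing-username", "?", "userName is the unique ID"))
            continue
        if name in seen:
            findings.append(("duplicate-username", name,
                             "a username may appear once per organization"))
        seen.add(name)
        level = (person.get(level_key) or "").strip()
        if not level:
            findings.append(("default-super-admin", name,
                             f"no admin level set, will be created as {DEFAULT_LEVEL}"))
        elif level.upper() not in PAGE_LEVELS:
            findings.append(("unrecognized-level", name,
                             f"{level!r} is not a level named on this page"))
    return findings


# Constructed sample data, not real accounts.
SAMPLE_PLAN = [
    {"userName": "alice@example.com", "altrAdminLevel": "Administrator"},
    {"userName": "bob@example.com"},
    {"userName": "alice@example.com", "altrAdminLevel": "Administrator"},
    {"userName": "carol@example.com", "altrAdminLevel": "Auditor"},
]

if __name__ == "__main__":
    for kind, subject, detail in audit_plan("username", SAMPLE_PLAN):
        print(f"{kind:20} {subject:20} {detail}")
```

Every 'default-super-admin' finding is an account that would receive the highest privilege level unless an admin level is set before assignment.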
Frequently Asked Questions
Q. What protocol does ALTR use to perform SCIM?
A. SCIM version 2.0
Q. What happens if SCIM is manually disabled for an organization?
A. ALTR will retain all administrator information from the time SCIM was disabled. Users will once again be able to manage administrators directly in ALTR.
IdPs that ALTR supports to work with SCIM
Q. Which SSO/SCIM Providers does ALTR support?
A. Our first release of SCIM is tested to work with Okta.
Usernames and Org IDs
Q. What happens if a user forgets their Org ID or Username?
A. Users will be able to retrieve a list of all of their organizations and usernames in an ALTR environment by providing their email address.
Q. Does ALTR support groups of users?
A. Although SCIM supports groups of users, ALTR only supports individuals.
Testing Configuration Result
Q. What should I do if my testing configuration isn't successful?
A. Review your forms to make sure that you've filled out everything correctly. If you have and still don't get a successful test result, then email firstname.lastname@example.org