
SCIM with Okta

Written by Rafaela Oliveira
Updated over a month ago

SCIM (System for Cross-domain Identity Management) lets your organization's identity provider (IdP) keep your application's users in sync on a recurring basis: when a user is assigned, updated or deactivated in the IdP, the IdP pushes that change to your application over HTTP.

SCIM Setup helps you use SCIM without integrating your product directly with Okta. You will instead integrate with SCIM Setup, which will communicate with Okta on your behalf.

Connecting SCIM Setup to your Okta implementation requires that you share two pieces of information with Okta, both of which you'll find in SCIM Setup:

  1. A base URL against which Okta will perform SCIM operations (e.g. via HTTP PATCH)

  2. A bearer token that Okta will include in the Authorization header of each request

However, configuring Okta can involve a few more steps. This guide therefore starts by focusing briefly on SCIM Setup and subsequently focuses on Okta configuration.

Configuring SCIM Setup

To create a SCIM Directory within SCIM Setup, you’ll first need to create an Environment and an Organization. SCIM Directories belong to Organizations. You can create a SCIM Directory for an Organization by navigating to the Organization in SCIM Setup and selecting Create SCIM directory.

Creating a SCIM Directory in SCIM Setup

From there, you can find the base URL and generate the bearer token you'll need. Keep both at hand; you will paste them into Okta later.

SCIM Setup does not store bearer tokens, so once you leave this screen you will not be able to view the token in SCIM Setup again. You may, however, replace the existing bearer token with a new one at any time. Generating a new token immediately invalidates the previous one, so Okta's requests will be rejected until you update the Authorization field in Okta with the new value.

Before you continue, ensure that the SCIM directory's Primary field is set to Yes; you can change this by clicking the Edit button.

Capturing the base URL and bearer token from SCIM Setup

Setting SCIM directory to Primary

Once you have created a SCIM Directory in SCIM Setup and taken note of both the base URL and the bearer token, you have finished with SCIM Setup configuration.

Configuring Okta

Once there’s a SCIM Directory in SCIM Setup, you can connect that SCIM Directory to your Okta instance.

Start by navigating to the relevant application in Okta.

Visiting an Application in Okta

Make sure you’re on the General tab and press Edit on the App Settings card.

Editing app settings

Make sure the Enable SCIM provisioning box shows a checkmark. By default, Okta leaves this box unchecked.

Checking the Enable SCIM provisioning field

Press Save in the lower right corner.

Pressing save

Navigate to the Provisioning tab for the Application.

Navigating to the Provisioning tab

On the Provisioning tab, click the Edit button toward the top right of the card.

Clicking the Edit button

Look for the field marked SCIM connector base URL and paste the base URL you copied from SCIM Setup.

Inserting the SCIM connector base URL

Next, look for the field marked Unique identifier field for users. Enter "email" exactly. SCIM Setup relies on users' email addresses as the unique identifier, so this is the attribute Okta will use to match users in the directory.

Entering 'email' as the unique identifier field

Look for the series of checkboxes labeled Supported provisioning actions. You will see five checkboxes. Check the following four:

  • Import New Users and Profile Updates

  • Push New Users

  • Push Profile Updates

  • Push Groups

Ensure that Import Groups remains unchecked; the SCIM connection will fail otherwise.

Editing the 'Supported provisioning actions'

Now look for a dropdown menu labeled Authentication Mode. This must change from its default value to HTTP Header.

Changing the 'Authentication Mode' to 'HTTP Header'

Now paste the bearer token from SCIM Setup into the field marked Authorization.

Pasting the bearer token from SCIM Setup

Then once more hit Save in the lower right.

Saving edits to the SCIM connection

Now look in the sidebar to the left and find the item marked To App. Click this.

Navigating to the setting for provisioning to the app

You'll see four checkboxes. Enable the following three:

  • Create Users

  • Update User Attributes

  • Deactivate Users

Ensure that Sync Password remains unchecked.

Then press Save in the lower right.

Saving edits to the SCIM connection

Now navigate to the Assignments tab.

Navigating to the 'Assignments' settings

Using the Assign dropdown, choose to assign the relevant People (i.e. users) or Groups. This guide uses People.

Assigning People to the Application

You’ll now see a list of People. For each that you wish to assign to the Application, press the Assign button to the right.

Starting the assignment flow for a person

You’ll have the opportunity to edit this person’s attributes, but it’s usually fine just to scroll down and press Save and Go Back.

Pressing 'Save and Go Back

Unless you wish to add other People to the Application, you can now press Done.

Finishing assignment to the Application

Within a few moments, the user will sync to SCIM Setup. You can see the change by navigating back to the SCIM Directory's page in SCIM Setup.
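The following is an added example, not code from SCIM Setup or Okta, that models what the Okta settings above translate into on the wire. It stands in for the service behind the SCIM connector base URL: it checks the bearer token Okta sends in the Authorization header (HTTP Header authentication mode), keys users on email (the unique identifier field), and serves the request shapes Okta's SCIM 2.0 client uses for the enabled actions (a filtered GET on userName before a push, POST for Push New Users, PUT for Push Profile Updates, and PATCH with a replace operation setting active to false for Deactivate Users). Storing only a digest of the token, so that rotating it invalidates the old one and the plaintext cannot be shown again, mirrors the token behaviour described under Configuring SCIM Setup but is an assumption about how such a service is built. The user Jane Doe and the request sequence are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

def error(status, detail):
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

class ScimEndpoint:
    """Assumed stand-in for the service behind the SCIM connector base URL.
    Users are keyed on email, which Okta sends as userName."""

    def __init__(self):
        self.token_digest = None  # only a SHA-256 digest of the token is kept
        self.users = {}           # SCIM id -> user resource
        self.id_by_email = {}     # lower-cased email -> SCIM id

    def rotate_token(self):
        """Mint a bearer token and return its plaintext exactly once;
        overwriting the stored digest invalidates the previous token."""
        token = secrets.token_urlsafe(32)
        self.token_digest = hashlib.sha256(token.encode()).digest()
        return token

    def _authorized(self, headers):
        # Authentication Mode "HTTP Header": Okta sends Authorization: Bearer <token>
        value = headers.get("Authorization", "")
        if self.token_digest is None or not value.startswith("Bearer "):
            return False
        presented = hashlib.sha256(value[len("Bearer "):].encode()).digest()
        return hmac.compare_digest(presented, self.token_digest)

    def handle(self, method, url, headers, body=None):
        """Serve one request and return (status, response body)."""
        if not self._authorized(headers):
            return 401, error(401, "invalid or missing bearer token")
        parts = urlsplit(url)
        segments = parts.path.strip("/").split("/")
        user_id = segments[1] if len(segments) == 2 else None
        if segments[0] != "Users" or len(segments) > 2 or (user_id and user_id not in self.users):
            return 404, error(404, "unknown resource")
        if method == "GET" and not user_id:
            return self._list(parse_qs(parts.query).get("filter", [""])[0])
        if method == "POST" and not user_id:   # Push New Users
            status, user = self._store(str(len(self.users) + 1), body)
            return (201 if status == 200 else status), user
        if method == "PUT" and user_id:        # Push Profile Updates
            return self._store(user_id, body)
        if method == "PATCH" and user_id:      # Deactivate Users
            return self._patch(user_id, body)
        return 405, error(405, f"{method} not supported on {parts.path}")

    def _list(self, scim_filter):
        # Before pushing, Okta looks the user up by the unique identifier:
        #   GET /Users?filter=userName eq "jane.doe@example.com"
        found, prefix = [], 'userName eq "'
        if scim_filter.startswith(prefix) and scim_filter.endswith('"'):
            user_id = self.id_by_email.get(scim_filter[len(prefix):-1].lower())
            found = [self.users[user_id]] if user_id else []
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(found), "Resources": found}

    def _store(self, user_id, body):
        # Copy only needed attributes; Sync Password is unchecked in Okta, so no password arrives or is kept.
        email = body.get("userName", "").lower()
        if self.id_by_email.get(email, user_id) != user_id:
            return 409, error(409, "another user already has this email")
        if user_id in self.users:  # a PUT may change the email; drop the old key
            self.id_by_email.pop(self.users[user_id]["userName"], None)
        user = {"schemas": [USER_SCHEMA], "id": user_id, "userName": email,
                "name": body.get("name", {}), "active": bool(body.get("active", True))}
        self.users[user_id], self.id_by_email[email] = user, user_id
        return 200, user

    def _patch(self, user_id, body):
        user = self.users[user_id]
        for op in body.get("Operations", []):
            # Okta deactivates with {"op": "replace", "value": {"active": false}}
            if op.get("op", "").lower() == "replace" and isinstance(op.get("value"), dict):
                user.update({k: v for k, v in op["value"].items()
                             if k not in ("id", "schemas", "password")})
        return 200, user

def run_okta_exchange():
    """Constructed request sequence mirroring the Okta settings above."""
    endpoint = ScimEndpoint()
    old_token, token = endpoint.rotate_token(), endpoint.rotate_token()  # second call revokes the first
    okta = {"Authorization": "Bearer " + token}
    lookup = "/Users?filter=userName%20eq%20%22jane.doe%40example.com%22"
    jane = {"schemas": [USER_SCHEMA], "userName": "Jane.Doe@example.com",
            "name": {"givenName": "Jane", "familyName": "Doe"}, "active": True}
    results = {"stale_token": endpoint.handle("GET", lookup, {"Authorization": "Bearer " + old_token})[0]}
    results["found_before"] = endpoint.handle("GET", lookup, okta)[1]["totalResults"]
    results["create"], user = endpoint.handle("POST", "/Users", okta, jane)
    results["found_after"] = endpoint.handle("GET", lookup, okta)[1]["totalResults"]
    renamed = dict(jane, name={"givenName": "Jane", "familyName": "Smith"})
    results["update"] = endpoint.handle("PUT", "/Users/" + user["id"], okta, renamed)[0]
    deactivate = {"schemas": [PATCH_SCHEMA],
                  "Operations": [{"op": "replace", "value": {"active": False}}]}
    results["deactivate"], results["user"] = endpoint.handle("PATCH", "/Users/" + user["id"], okta, deactivate)
    return results
```

Running `run_okta_exchange()` walks through the lifecycle once: the request carrying the rotated-away token is rejected with 401, the lookup before creation finds nothing, the POST returns 201, the lookup afterwards finds one user, the PUT renames the user, and the PATCH leaves the record with active set to false. Comparing digests with `hmac.compare_digest` rather than `==` avoids leaking the token through timing, and matching email case-insensitively reflects SCIM's treatment of userName as not case-exact.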

Note: If you assigned users to the Application before setting up the SCIM connection, you may need to instruct Okta to force a sync; Okta offers a Force Sync option under the Provisioning tab's To App settings.
