User Provisioning in OKTA

Last edited:

Overview

Prior to configuring and testing the app in OKTA, ensure that the SCIM feature is enabled for your company in RFPIO. If not, testing your connection fails with a 403 response code.

Troubleshooting and Tips

  • If the SCIM feature is not enabled for your company in RFPIO, testing your connection fails with a 403 response code.
  • Ensure a default role and business unit are selected at the application level in Organization Settings > Security before proceeding with the setup in the OKTA.
  • Email addresses are the primary/unique identifier, so ensure they get mapped.
  • The rfpio_user_role and costCenter (business unit in RFPIO) fields are non-editable. These are set during creation/app assignment.
  • The RFPIO username should be unique.
    • userName and email address are the same in the RFPIO side.
    • userName is a non-editable field.

Configuring User Provisioning in OKTA

  1. Login to OKTA and click the Applications tab, then click Add Application.
    mceclip0.png
  2. Type RFPIO in the Search field and click Add. The Add RFPIO-General Settings tab displays.
    mceclip1.png
  3. Click Next to go to the Sign-On Options page.
    mceclip2.png
  4. Select Email from the Application username format drop-down list; then click Done.
    mceclip3.png

Generating OAuth Bearer Token from RFPIO

To generate OAuth bearer token, you can follow the steps below:

  1. From Organization Settings, select Security > SCIM and turn on the Auto User Provisioning toggle.
    mceclip4.png
  2. Click Generate SCIM API Token, select the appropriate options from the Default Business Unit (if enabled) and Default User Role drop-down lists, then click Submit. A warning message displays alerting you to copy your API token and store it.
    mceclip5.png

    mceclip6.png
  3. Click Got It! on the warning message. The SCIM window displays.
  4. Click the Copy icon to copy the token, then click Submit.
    2020-07-22_15-17-13.png
  5. Go to OKTA > Provisioning > Integration and paste the copied API token in the OAuth Bearer Token field.
    Sample API Token: s-8c7d34c30c17092bsdffdfdsergnghuy201e67-5c6426ce9b2ffe0ererer5b4
    mceclip8.png
  6. Type https://app.rfpio.com/rfpserver/scim/v2 in the SCIM 2.0 Base URL field, then click Test API Credentials.
  7. Click Save once the credentials are tested successfully.
  8. Click the To App tab and click Edit.

 mceclip9.png 

  1. Select the checkbox associated with Enable for Create Users, Update User Attributes, and Deactivate Users.

mceclip10.png 

  1. Click Save.

 Supporting Attributes

Attribute

Value

Given name

user.firstName

Family name

user.lastName

Title

user.title

Primaryphone

user.primaryPhone

Time zone

user.timezone

*Cost center(optional & custom)

user.costCenter ( This is applicable only if business unit is enabled in RFPIO)

*rfpio_user_role(optional & custom)

user.user_role ( RFPIO Internal value which specifies the role name. If not given while provisioning, default role would be set)

Note: Cost center and User role are optional attributes. The default value for both costCenter and user role can be set in the RFPIO application while generating bearer token.

mceclip12.png

  1. Click To Okta tab. Scroll down and click Go to Profile Editor.
  2. Click Add Attribute.

mceclip13.png

  1. The Add Attribute pop-up will be displayed. Enter the values in the field provided and then click Save.

Display Name

rfpio_user_role

Variable Name

rfpio_user_role

Description

Internal value that indicates the Role name in RFPIO. This must match with the available role names in RFPIO account.

mceclip15.png

The newly added attribute will be displayed as shown below:

mceclip14.png

  1. Click Provisioning tab and scroll down to Go to Profile Editor.

mceclip16.png

  1. Click Mappings to map the attributes.

mceclip17.png  

  1. The User Profile Mappings page will be displayed. Click to Map the rfpio_user_role attribute to user_role from the drop-down.

mceclip18.png

  1. Click OKTA to RFPIO tab and then map the user_role attribute to rfpio_user_role from the drop-down.

mceclip19.png        

  1. Click Save Mappings.

mceclip20.png  

  1. The RFPIO SCIM User Profile Mappings page will be displayed. Click Apply updates now.

mceclip21.png

Once the attribute is mapped, it will be displayed as shown below:

RFPIO To App Mapping:

mceclip22.png 

RFPIO To Okta Mapping:

mceclip23.png 

 

User Provisioning/De-provisioning in RFPIO

The following items regarding user provisioning/deprovisioning are covered below:

  • Adding users
  • Updating users
  • Deleting users

Adding Users

Users are added to RFPIO along with their role, once they are assigned to the SCIM application.

In SCIM:

mceclip24.png  

In RFPIO:

mceclip25.png 

If the role or business Unit is not specified in the user profile, the default role (Team Member) or default business unit is assigned to the user. 

Updating Users

User profiles are updated in RFPIO when any of the below attributes are modified for the assigned application user in OKTA.

  • Given name
  • Family name
  • Primary phone
  • Title
  • Time Zone

Emails, user roles, and business units cannot be updated; they can be set only during user creation.

Deleting Users

If users are removed from the SCIM application, they are rendered inactive in RFPIO.

To delete a user from SCIM:

  1. Click the Delete icon associated with the user to be removed.

mceclip26.png 

A confirmation pop-up displays as shown below:

mceclip27.png 

  1. Click OK. The user is displayed as inactive in RFPIO.

mceclip28.png

Was this article helpful?
1 out of 1 found this helpful

Related articles

Top