This topic walks you through how to use Okta SCIM with Ironclad. This includes how to create a SCIM scoped token, enable the integration, assign users to Ironclad, push groups, and troubleshoot.
Disclaimer: If you change your domain, your access to Ironclad is prohibited. Submit a request with our Support Team for assistance before migrating a domain. Also submit a request with our Support Team before deprovisioning any users as this may block your ability to continue your workflows.
Prerequisites
- You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM. To learn how to do this, refer to Okta SSO/SAML Integration. If you've previously configured a custom SAML connector using an older version of our Okta SSO/SAML Integration documentation, please submit a request with our Support Team for help migrating your Ironclad users to the Ironclad OIN connector.
Supported Okta Features
- Create Users
- Update User Attributes
- Deactivate Users
- Push Groups
Step 1: Create a SCIM Scoped Token
Required Role: Admin
- In Ironclad, navigate to Company Settings > Integrations > SAML.
- At the top, select the SCIM Configuration tab.
- Under Token Generation, enter a descriptive name for the token.
- Click + Generate New Token.
- Copy and paste the new token into your identity provider's setup.
- Save this token in a safe place. Once you close the window, you will not be able to access it again.
Step 2: Enable API Integration in Okta
- Log in to Okta as an admin. Verify you are in the Admin Dashboard.
- In the left navigation bar, click Applications > Applications.
- Select the Ironclad application that was created when setting up SSO.
- Select the Provisioning tab, then click Configure API Integration.
- Turn on Enable API Integration.
- In the Base URL field, enter the base URL for the Ironclad stack you're configuring. In a production Ironclad instance, this URL is https://ironcladapp.com/scim/v2. In an EU1 instance, the URL is https://eu1.ironcladapp.com/scim/v2.
- In the API Token field, paste the API token you created above.
- Click Test API Credentials to confirm the connection works.
- Click Save.
Step 3: Assign Users to the Ironclad Application
Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company. Refer to Okta SSO/SAML Integration for instructions.
- In Okta, within the Ironclad application, click the Assignments tab.
- Click the Assign button and either select Assign to People or Assign to Groups to configure which users are pushed into Ironclad.
Step 4: Push Groups
- In Okta, within the Ironclad application, select the Push Groups tab.
- Click the Push Groups button and either select Find groups by name or Find groups by rule. Configure which groups are pushed into Ironclad.
Step 5: Configure Group Permissions in Ironclad
You must manage group permissions in Ironclad after pushing groups via SCIM. Refer to the Group Permissions Overview for more information.
Step 6: Map Custom Attributes in Okta
Create Attribute Definition
- In Okta, in the left navigation bar, select Directory > Profile Editor.
- Select the Ironclad application.
- Click Add Attribute. An example configuration for the “title” attribute is shown below. Note the specific values for the external name and external namespace.
- Click Save.
- Click Mappings, then select Okta User to Ironclad. Map the attribute.
Mapping Examples
When creating attributes, the "External name" and "External namespace" settings must match exactly and are recorded below for each custom attribute. Additionally, refer to Supported User Attributes to understand which schema the attributes belong to - this will define the namespace value.
- User's Title
  - External name: “title”
  - External namespace: “urn:ietf:params:scim:schemas:core:2.0:User”
- User's Department
  - External name: “department”
  - External namespace: “urn:ietf:params:scim:schemas:extension:enterprise:2.0:User”
- User's Management Level
  - External name: “managementLevel”
  - External namespace: “urn:ietf:params:scim:schemas:extension:ironclad:2.0:User”
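The following added example (not Ironclad's or Okta's code) checks hand-entered attribute definitions against the three mappings above and shows where each namespace places its value in a SCIM 2.0 User resource under the generic RFC 7643 layout. The dictionary shape for the definitions, the function names, and the sample user are assumptions made for illustration; Ironclad's exact request format is not documented on this page.

```python
import json

# Namespaces copied from the Mapping Examples on this page.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
IRONCLAD = "urn:ietf:params:scim:schemas:extension:ironclad:2.0:User"
EXPECTED = {"title": CORE, "department": ENTERPRISE, "managementLevel": IRONCLAD}


def check_definitions(definitions):
    """Return problems found in attribute definitions (hypothetical dict shape)."""
    problems = []
    for d in definitions:
        name, ns = d["external_name"], d["external_namespace"]
        if name not in EXPECTED:
            # The match is exact, so a case or whitespace slip counts as a miss.
            close = [k for k in EXPECTED if k.lower() == name.strip().lower()]
            hint = f" (did you mean {close[0]!r}?)" if close else ""
            problems.append(f"{name!r}: not one of this page's examples{hint}")
        elif ns != EXPECTED[name]:
            problems.append(f"{name!r}: namespace must be {EXPECTED[name]}")
    return problems


def build_user(user_name, values):
    """Place each value where its namespace puts it in a SCIM 2.0 User."""
    user = {"schemas": [CORE], "userName": user_name}
    for name, value in values.items():
        ns = EXPECTED[name]
        if ns == CORE:
            user[name] = value  # core attributes sit at the top level
        else:
            # Extension attributes nest under a key equal to the schema URN.
            user.setdefault(ns, {})[name] = value
            if ns not in user["schemas"]:
                user["schemas"].append(ns)
    return user


if __name__ == "__main__":
    # Constructed sample definitions: one wrong case, one wrong namespace.
    defs = [
        {"external_name": "title", "external_namespace": CORE},
        {"external_name": "Department", "external_namespace": ENTERPRISE},
        {"external_name": "managementLevel", "external_namespace": ENTERPRISE},
    ]
    print("\n".join(check_definitions(defs)))
    sample = {"title": "Counsel", "department": "Legal", "managementLevel": "Director"}
    print(json.dumps(build_user("jdoe@example.com", sample), indent=2))
```
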
Troubleshooting and Tips
Known Limitations
- Ironclad does not support "deactivated" or "suspended" users. Users deactivated in Okta are soft-deleted in Ironclad.
- The use of SCIM to manage users who are members of multiple companies is not supported.
- The use of SCIM in a company with multiple SAML connectors is not supported.
Import Groups
When configuring provisioning in Okta, you may find that preexisting groups from your Ironclad account appear in Okta in a read-only state. If you do not want this, you may disable group import.
To disable group import, refer to Remove Groups Imported from Provisioning-Enabled Apps in Okta's Help Center.
- If you do not remove any imported groups, you must remove them via Okta's API with a remove group call.
- If the Import Groups checkbox isn't present, you must contact Okta support and request that SELECTIVE_APP_IMPORT_PLATFORM be enabled.