SCIM in Ironclad with Okta

  • Updated
Follow

Skip to:

Prerequisites

  • You must be able to create Ironclad API bearer tokens in your Ironclad company.
  • You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM. See Okta SSO/SAML Integration for instructions. If you've previously configured a custom SAML connector using an older version of our Okta SSO/SAML Integration documentation, please contact support@ironcladapp.com for help migrating your Ironclad users to the Ironclad OIN connector.

Supported Okta Features

  • Create Users
  • Update User Attributes
  • Deactivate Users
  • Push Groups

Configuration Steps

Create a Bearer Token

  1. Login to Ironclad with a company Admin account and navigate to the Company Settings page by clicking your name in the top-right corner of the application and choosing Company Settings.
  2. Navigate to the API tab.
  3. Create a new bearer token for use by Okta. Name it something descriptive and memorable (e.g. "Okta SCIM provisioning token").
  4. Copy the generated token that appears.

image-0.png

Enable API Integration in Okta

  1. Log in to your Okta admin account and add the Ironclad application.
  2. From the application's configuration screen, navigate to the Provisioning tab.
  3. Click Enable API Integration.
  4. Enter the base URL for the Ironclad stack you're configuring in the SCIM 2.0 Base URL field. In a production Ironclad instance, this URL is https://ironcladapp.com/scim/v2.
  5. Enter the token you created above into the OAuth Bearer Token field.
  6. Click Test API Credentials to confirm the connection works.

Screen_Shot_2020-07-13_at_13.37.51.png

Assign Users to the Ironclad Application

Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company. See Okta SSO/SAML Integration for instructions.

  1. In Okta, select the Assignments tab.
  2. Click the Assign button and select either Assign to People or Assign to Groups* to configure which users are pushed into Ironclad according to your needs.

*Assign to Groups does not cause groups to be created in Ironclad. For that functionality, use Push Groups.

 

Push Groups

  1. In Okta, select the Push Groups tab.
  2. Click the Push Groups button and select either Find groups by name or Find groups by rule and configure which groups are pushed into Ironclad according to your needs.

Next Steps: Configure Group Permissions in Ironclad

Group permissions must be managed in Ironclad after pushing groups via SCIM. See Managing Permissions for more details about these settings.

Troubleshooting & Tips

Known Limitations

  • Ironclad does not support changing a user's email or userName fields via SCIM.
  • Ironclad does not support "deactivated" or "suspended" users. Users deactivated in Okta will be soft-deleted in Ironclad.
  • The use of SCIM to manage users who are members of multiple companies is not supported.
  • The use of SCIM in a company with multiple SAML connectors is not supported.

Importing of Groups

Upon configuring provisioning in Okta, you may find that preexisting groups from your Ironclad account appear in Okta in a read-only state. If this is not desired, you may disable group import.

To disable group import, follow the instructions from the "Remove groups imported from provisioning-enabled apps" article in Okta's help center.

  • If any imported groups are not removed, they must be removed via Okta's API with a remove group call.
  • If the Import Groups checkbox isn't present, you must contact Okta support and request that SELECTIVE_APP_IMPORT_PLATFORM be enabled.

If you encounter issues configuring SCIM with Okta in your Ironclad company, contact support@ironcladapp.com.

Related articles