Okta SCIM Integration

SCIM stands for System for Cross-domain Identity Management. It is an open standard for automating the management of user and group membership.

This document walks through setting up SCIM-based user and group provisioning with Okta. Okta's documentation for these steps is available at https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm

DeltaStream and Okta SCIM Concepts

DeltaStream's SCIM integration automates adding/removing Users from your Organization and granting access to DeltaStream Roles by leveraging Okta groups. There are two types of groups within Okta:

Assignment groups manage access to Okta App Integrations. Users added to the assignment group are automatically added to DeltaStream but are not assigned any custom roles.

Push groups enable Okta to push existing Okta group memberships to DeltaStream. These groups are mapped to Custom Roles within DeltaStream.

Push groups cannot be used to control access to built-in roles. OrgAdmin role membership is achieved by using a custom user attribute and a dedicated Assignment group.

Custom roles created using Push groups are not automatically granted any privileges. Privileges must be granted to those Roles by a Role that holds the MANAGE_GRANTS privilege (OrgAdmin or SecurityAdmin by default).

Note that a user must be added to an assignment group before adding them to a push group.

SCIM Setup

Prerequisites

Enable SCIM Provisioning

This section enables SCIM provisioning on an App Integration. Additional configuration will be added in subsequent sections.

  1. Select the "General" tab and click the "Edit" button for the "App Settings".

  2. Select the checkbox for "Enable SCIM provisioning" and click "Save".

Setup DeltaStream OrgAdmin attribute

This section creates a new custom attribute which will be used to indicate users who should have access to the OrgAdmin built-in role.

  1. Navigate to "Directory" -> "Profile Editor" on the menu on the left.

  2. Click on "DeltaStream Users".

  3. Click the "Add Attribute" button.

  4. Create a new boolean attribute with the following values:

     Key                 Value
     Data type           boolean
     Display name        DeltaStream OrgAdmin
     Variable name       deltastreamOrgadmin
     External name       deltastreamOrgadmin
     External namespace  urn:ietf:params:scim:schemas:core:2.0:User

Setup DeltaStream OrgAdmin User Assignment Group

This section creates a new assignment group for OrgAdmins. Any users assigned to this group will be granted OrgAdmin role on DeltaStream.

  1. Navigate to "Directory" -> "Groups". Click the "Add group" button.

  2. Name the group "DeltaStream OrgAdmins" and click the "Save" button.

  3. Click on the newly created group to configure it. Navigate to the "Applications" tab and click the "Assign applications" button.

  4. Assign the "DeltaStream" application.

  5. Ensure that the "DeltaStream OrgAdmin" attribute is set to "true" and save the group.

Setup DeltaStream User Assignment Group

This section creates a new assignment group for non-privileged users.

  1. Navigate to "Directory" -> "Groups". Click the "Add group" button.

  2. Name the group "DeltaStream Users" and click the "Save" button.

  3. Click on the newly created group to configure it. Navigate to the "Applications" tab and click the "Assign applications" button.

  4. Assign the "DeltaStream" application and save the group.

SCIM user provisioning

Assign a user to the Org admin assignment group

  1. Navigate to "Application" -> "Applications" -> "Deltastream". Select the "Assignments" tab. Filter by "Groups" and click on the "DeltaStream OrgAdmins" group.

  2. Click "Assign people" and select the users you would like to assign as OrgAdmins. NOTE: Ensure that the User provided as the Org admin during the SAML application setup is also added to this group.

Assign a user to the Users assignment group

  1. Navigate to "Application" -> "Applications" -> "Deltastream". Select the "Assignments" tab. Filter by "Groups" and click on the "DeltaStream Users" group.

  2. Click "Assign people" and select the users you would like to have access to DeltaStream. Assigning users does not grant them any additional roles; configure a push group to assign roles.

Configure security integration

This section configures the SCIM integration URI and token so that Okta can push information to DeltaStream.

  1. Log in to DeltaStream and create a new SCIM security integration. The command returns the URI and bearer token that Okta will use in the following steps.

USE ROLE securityadmin;
CREATE SECURITY INTEGRATION "okta" WITH ( 'type' = SCIM, 'scim.client' = OKTA );

URI: https://api.deltastream.io/scim/v2
Token: eyJh...

  2. Navigate to the applications menu and click the "DeltaStream" application.

  3. On the "Provisioning" tab, click the "edit" button.

  4. Copy the URI from the security integration created in step 1 into the "SCIM connector base URL" field. Enter "email" as the "Unique identifier field for users". Check the boxes for "Import New Users and Profile Updates", "Push New Users", "Push Profile Updates", and "Push Groups". Select the "HTTP Header" authentication mode and copy the token from step 1 into the "Authorization" Bearer field. Click the "Save" button to complete the initial setup.

  5. On the "Provisioning" tab, under the "Provisioning to App" settings, click the "edit" button.

  6. Enable "Create Users", "Update User Attributes", and "Deactivate Users" and click "Save".

Configure push groups

Before beginning, ensure that all users that need access to DeltaStream have been added to either the "DeltaStream Users" or "DeltaStream OrgAdmins" assignment group.

  1. Navigate to "Application" -> "Applications" -> "Deltastream". Select the "Push Groups" tab. Click on the "+ Push Groups" button to search for and select a group to push.

  2. Select "Find groups by name".

  3. Type in the name of the group to push (e.g. development). Select "Push group memberships immediately". Click the "Save" button.

This creates a Role with the same name as the group in DeltaStream. Any users that are members of the group are also assigned the Role.
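The following is an added example, not DeltaStream's own code or Okta's, that models the receiving side of the three flows described on this page: the bearer token set in the "HTTP Header" authentication mode, the User resource carrying the custom "deltastreamOrgadmin" attribute from the Profile Editor step, and the Group resource pushed by a push group that becomes a custom Role. It is a hypothetical in-memory SCIM 2.0 consumer; the set of built-in role names, the SCIM ids it assigns and the assumption that Okta sends the custom attribute as a top-level User attribute (because its external namespace is the core User schema) are all constructed for the example. It also enforces the two rules stated above: a push group cannot target a built-in role, and a member must already have been provisioned through an assignment group.

```python
import hmac
import json

# SCIM 2.0 schema URIs from RFC 7643. The custom attribute uses the core User
# namespace, so it is modelled as a top-level User attribute (assumption).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
ORGADMIN_ATTR = "deltastreamOrgadmin"          # external name from the attribute table
BUILTIN_ROLES = {"orgadmin", "securityadmin"}  # assumption: built-in role names, lower-cased


class ScimError(Exception):
    """A request the consumer refuses; the message mirrors an HTTP status line."""


class ScimConsumer:
    """Hypothetical in-memory SCIM service provider (not DeltaStream's own code)."""

    def __init__(self, bearer_token: str):
        self._token = bearer_token.encode()
        self._next_id = 1
        self.users = {}   # SCIM id -> {"email", "active", "orgadmin"}
        self.roles = {}   # custom role name -> set of SCIM user ids

    def authorize(self, headers: dict) -> None:
        """Okta's "HTTP Header" mode sends "Authorization: Bearer <token>".
        A constant-time comparison avoids leaking the token through timing."""
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), self._token):
            raise ScimError("401 Unauthorized")

    def handle(self, headers: dict, body: str) -> dict:
        """One provisioning request: authenticate, then dispatch on the schema."""
        self.authorize(headers)
        resource = json.loads(body)
        schemas = set(resource.get("schemas", []))
        if SCIM_USER_SCHEMA in schemas:
            return self._apply_user(resource)
        if SCIM_GROUP_SCHEMA in schemas:
            return self._apply_group(resource)
        raise ScimError("400 Bad Request: unsupported schema")

    def _find(self, email: str):
        return next((uid for uid, u in self.users.items() if u["email"] == email), None)

    def _apply_user(self, resource: dict) -> dict:
        """Assignment-group push: create or update a user. userName is the email,
        matching the unique identifier chosen on the Provisioning tab."""
        email = resource["userName"]
        flag = resource.get(ORGADMIN_ATTR, False)
        if not isinstance(flag, bool):
            raise ScimError(f"400 Bad Request: {ORGADMIN_ATTR} must be a boolean")
        uid = self._find(email)   # keep the id on updates so role memberships survive
        if uid is None:
            uid = f"u{self._next_id}"
            self._next_id += 1
        self.users[uid] = {"email": email,
                           "active": bool(resource.get("active", True)),
                           "orgadmin": flag}
        return {"id": uid, "userName": email}

    def _apply_group(self, resource: dict) -> dict:
        """Push-group push: the group name becomes a custom role holding no
        privileges; every member must already have been provisioned as a user."""
        name = resource["displayName"]
        if name.lower() in BUILTIN_ROLES:
            raise ScimError("400 Bad Request: push groups cannot target built-in roles")
        member_ids = [m["value"] for m in resource.get("members", [])]
        unknown = [m for m in member_ids if m not in self.users]
        if unknown:
            raise ScimError(f"400 Bad Request: users not provisioned yet: {unknown}")
        self.roles[name] = set(member_ids)
        return {"role": name,
                "members": sorted(self.users[m]["email"] for m in member_ids)}

    def effective_roles(self, email: str) -> set:
        """Roles the user holds now: OrgAdmin via the attribute, custom roles via
        push groups. A deactivated or unknown user holds nothing."""
        uid = self._find(email)
        if uid is None or not self.users[uid]["active"]:
            return set()
        roles = {name for name, members in self.roles.items() if uid in members}
        if self.users[uid]["orgadmin"]:
            roles.add("OrgAdmin")
        return roles


def demo() -> ScimConsumer:
    """Constructed sample exchange: an OrgAdmin, a plain user, then one pushed group."""
    token = "constructed-example-token"
    sp = ScimConsumer(token)
    ok = {"Authorization": f"Bearer {token}"}
    ids = [sp.handle(ok, json.dumps({"schemas": [SCIM_USER_SCHEMA], "userName": email,
                                     "active": True, ORGADMIN_ATTR: admin}))["id"]
           for email, admin in (("alice@example.com", True), ("bob@example.com", False))]
    sp.handle(ok, json.dumps({"schemas": [SCIM_GROUP_SCHEMA], "displayName": "development",
                              "members": [{"value": i} for i in ids]}))
    return sp
```

Running demo() provisions the two users and pushes the "development" group; effective_roles("alice@example.com") then yields {"OrgAdmin", "development"} while bob only gets "development". A later User push with "active": false (what Okta sends when "Deactivate Users" is enabled) removes all of that user's effective access without the role mappings having to be rebuilt.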
