Learn how to set up Okta SCIM for Single Sign-On, create users and groups, import users and groups, update certain user attributes, and even deactivate users through the Okta application. We'll also provide some troubleshooting tips in case you run into any issues.
Skip Ahead to...
Before you can start provisioning users and groups, please complete the following actions:
- An Egnyte Admin account is needed to perform all of the provisioning actions from Okta.
With the new Okta SCIM provisioning, you can complete the following actions:
- Create Users: Users assigned to the Okta Egnyte application will be automatically created and registered in the associated Egnyte domain. Provisioned users will be able to log into their Egnyte account through the Okta SSO or by clicking their Egnyte application from their Okta home page.
- Create Groups: Groups and their members can be assigned and pushed from Okta to Egnyte. Groups can also be linked to an existing Group in Egnyte. For the membership to be assigned, Users who are members of the respective Groups need to be first assigned to the Okta Egnyte app.
- Update User Attributes: Updates made to the user’s Okta profile will also update the associated attributes in the user’s Egnyte profile according to attribute mapping set for the application. See the Configuration Instructions section of this article for more details.
- Deactivate Users: Deactivating the user or disabling the user’s access to the Egnyte application through Okta will result in deactivating the user’s account on the associated Egnyte domain. The user will not be deleted in Egnyte and can be reactivated manually if required.
- Import Users: Importing users through Okta will list all of the users from the associated Egnyte domain and allow them to be linked to existing Okta users or to create new Okta users. Users associated with the Egnyte application in Okta will be able to log in as previously described. User attributes will be assigned according to the attribute mapping set for the application. Check out the Configuration Instructions section of this article for more information.
- Import Groups: Importing users through Okta will also import their associated Groups. Such groups can be assigned to Egnyte application and will contain the same users (as long as they are assigned to Okta as well).
Before you continue with the steps below, please ensure you've completed the requirements and are logged in as an Admin user in Okta.
- In Okta, go to the Applications tab and select Add Application. Type “Egnyte” in the search field and select Egnyte SCIM 2.0.
- Make sure the Subdomain setting under General Settings is configured to your Egnyte domain name and click Next.
- In Sign-On Options, select SAML 2.0, open the View Setup Instructions in another tab for later, and download the Identity Provider metadata as a .xml file for easier configuration with Egnyte.
- Under the Credentials Details section, it's advised to set the Application username format to Email prefix. Click Done.
- To continue the setup in Egnyte, log into the Egnyte account as an Administrator.
- Open the menu (3 horizontal lines), select Settings from the drop-down, and open the Security & Authentication tab.
- Scroll down to the Single Sign-On Authentication section, select SAML 2.0 from the Single sign-on authentication drop-down, and choose Okta from the Identity provider drop-down.
- Enter the information provided in the Setup Instructions you got from Okta earlier in the following fields:
Identify provider login URL
Identify provider entity ID
Identify provider certificate
API key*: This will be needed if SSO users will access (S)FTP or WebDAV. See the steps below.
Default user mapping: Select the appropriate option from the drop-down.
*To generate an Okta API key, navigate back to Okta, open the Security tab, and select API. Open the Tokens tab, click Create Token, enter a name for the token, and click Create Token to generate the key. Copy this information and paste in into the API key field in Egnyte.
- Click Save once all of the information has been entered.
- Navigate back to the Provisioning tab of the Egnyte app in Okta and click Configure API integration.
- In another tab, go to this URL to generate an API Key that will be used in the next step.
- Check the box for Enable API Integration, then paste the Egnyte API key (API token generated in the previous step) into the API Token field.
- Click the Test API Credentials button. You should see a success message. Click Save once you receive this message.
- Navigate to the Settings menu, select To App from the left menu, and click Edit.
- Check the Enable box next to Create Users, Update User Attributes, and Deactivate Users. Click Save.
- After SCIM Provisioning has been enabled, go to the Import tab of your Egnyte app instance. Click Import Now.
- After the users and groups from Egnyte are downloaded, select the ones you want created or linked in Okta and then click on Confirm Assignments.
- A pop-up will appear asking if you would like to proceed with the assignment confirmation. Click Confirm.
- You can verify their assignments in the Assignments tab.
Migration Steps for users of Egnyte SCIM 1.0 app in Okta
The Egnyte integration has recently been updated to provide a better overall experience to Okta customers and provide the ability to provision both Users and Groups to Egnyte while using SCIM 2.0 protocol. To take advantage of these updates, you have to add a new instance of Egnyte (Egnyte SCIM 2.0) in your Okta organization. If you already have an existing instance of Egnyte SCIM 1.0, follow the steps below to migrate from that old instance to a newly updated instance of Egnyte. Please note that keeping both instances active at the same time will lead to errors and mismatches as they will both try to manage Egnyte resources simultaneously.
To take advantage of these updates, you have to add a new instance of Egnyte in your Okta organization. If you already have an existing instance of Egnyte, follow the steps below to migrate from that old instance to a newly updated instance of Egnyte:
- In Okta, go to the Applications tab and select Add Application. Type “Egnyte” in the search field and select Egnyte SCIM 2.0 to add new application.
- Configure the application including all provisioning requirements. See the Configuration Instructions section of this guide for more information.
Performing steps 3-5 will import all Users and Groups from Egnyte to Okta. Since Okta implementation does not support Groups fully, it may lead to creation of duplicate or empty Group objects. Please contact Okta support before initiating the Import to have them walk you through the process.
If you do not wish to import data from Egnyte and instead choose to add Users and Groups manually, please skip to step 6.
- After SCIM Provisioning has been enabled, go to the Import tab of your new Egnyte app instance. Click Import Now.
- After the users from Egnyte are downloaded, select the users you want created or linked in Okta and then click on Confirm Assignments.
- A pop-up will appear asking if you would like to proceed with the assignment confirmation. Click Confirm.
- Go back to your Admin Dashboard.
- Open your old Egnyte app instance.
This is the previous Egnyte app you added before adding a new one in step 4.
- Go to the Provisioning tab.
- In the SETTINGS section, click integration.
- Click on Edit and uncheck Enable API Integration. Click Save.
- You can now deactivate or delete your old Egnyte app instance and continue using the new Egnyte app you added.
If you were using SAML 2.0 as the sign-on mode for your old Egnyte app instance, you will need to set up SAML 2.0 on your new Egnyte app instance in Okta. To do so, refer to Instructions section step 3. Remember that Security & Authentication settings in Egnyte will also have to be updated with new Identity Provider metadata.
Egnyte doesn't support email-based usernames. To avoid provisioning issues, go to Sign On, open Settings, click Credential Details and update Application Username Format to either Okta username prefix or Email prefix.
In rare cases, the email or username may contain signs that are not supported by the Egnyte username pattern and need to be changed manually during user assignment in Okta.
Update User Email in Okta
If an email is changed, it may result in the username provisioned in Egnyte to be changed as well. It will result in an error as Egnyte does not currently support username changes with SAML/SSO. The current workaround is to change the username back in Okta Assignments manually.
Create a User - User Type Issues
The user type in Okta is case-sensitive and accepts only the following values.
If a user is not defined in Okta, the user will be created in Egnyte as a Power User. This will affect users with Individual and Group Assignment types.
Create User - Default Values
If Okta user profile does not have the following values specified (or has them set to "Undefined"), the following values will automatically be assigned:
User Type: Users created by Okta in Egnyte will, by default, have their User Type set to power if not specified. Other options available in Egnyte are admin and standard.
Authentication Type: Users created by Okta in Egnyte will, by default, have their Authentication set to SSO. They will also have their IdP Username set to email or Egnyte username, depending on the Default user mapping option selected in Egnyte. This can be found in the Security & Authentication section under Configuration Settings.
If a user is created with Egnyte Authentication and then changed to SSO Authentication, IdP Username will not be set by default and needs to be updated manually in Egnyte.
Sending Invite Email: The default value is True, meaning that each newly created user will receive an invitation email.
Is user a Service Account: The default value is False. When Is user a Service Account is set to True, the parameter Sending Invite Email must be set to False.
When creating a Service Account user, Okta will automatically generate a randomized password. To avoid provisioning issues, it's necessary to set the default password length in Okta to 12 characters, by going to Security > Authentication > Password > Password Settings and updating the Minimum length value. Since the Okta-generated password cannot be seen, you'll need to manually reset the password on the Egnyte side for each Service Account created by SCIM 2.0 Okta integration.
Two-Factor Authentication: Access to this feature on the Egnyte side depends on your selected Billing Plan. It will default to the value specified in the Egnyte domain settings.
Currently, Egnyte groups are being imported as objects that are different from the Okta-based Groups and cannot be edited in Okta.
Invalid Oauth Bearer Token
When an invalid Oauth Bearer Token is submitted in Provisioning - Integration, the following error will be displayed: "Error authenticating: Unauthorized. Errors reported by remote server(...)."
Please contact Egnyte Support if you encounter this error.