Okta SCIM Configuration Guide

Learn how to set up Okta SCIM to create users and groups, import users and groups, update certain user attributes, and even deactivate users through the Okta application. We'll also provide some troubleshooting tips in case you run into any issues.

Skip Ahead to...

Requirements

Actions

Instructions

Troubleshooting

Requirements

Before you can start provisioning users and groups, please complete the following actions:

  1. An Egnyte Admin account is needed to perform all of the provisioning actions from Okta. The account must be first configured with an API Key, which can be registered on the Egnyte for Developers page.

Actions

With the new Okta SCIM provisioning, you can complete the following actions:

  • Create Users: Users assigned to the Okta Egnyte application will be automatically created and registered in the associated Egnyte domain. Provisioned users will be able to log into their Egnyte account through the Okta SSO or by clicking their Egnyte application from their Okta home page.
  • Create Groups: Groups and their members can be assigned and pushed from Okta to Egnyte. Groups can also be linked to an existing Group in Egnyte. For the membership to be assigned, Users who are members of the respective Groups need to be first assigned to the Okta Egnyte app.
  • Update User Attributes: Updates made to the user’s Okta profile will also update the associated attributes in the user’s Egnyte profile according to attribute mapping set for application. See the Instructions section of this article for more details.
  • Deactivate Users: Deactivating the user or disabling the user’s access to the Egnyte application through Okta will result in deactivating the user’s account on the associated Egnyte domain. The user will not be deleted in Egnyte and can be reactivated manually if required.
  • Import Users: Importing users through Okta will list all of the users from the associated Egnyte domain and allow them to be linked to existing Okta users or to create new Okta users. Users associated with the Egnyte application in Okta will be able to login as previously described. User attributes will be assigned according to the attribute mapping set for application. Check out the Instructions section of this article for more information.
  • Import Groups: Importing users through Okta will also import their associated Groups. Such groups can be assigned to Egnyte application and will contain the same users (as long as they are assigned to Okta as well).

Instructions

Before you continue with the steps below, please ensure you've completed the requirements and are logged in as an Admin user in Okta. 

  1. In Okta, go to the Applications tab and select Add Application. Type “Egnyte” in the search field and select Egnyte SCIM 2.0.

    Screen_Shot_2019-06-07_at_11.20.42_AM.png
  2. Make sure the Subdomain setting under General Settings is configured to your Egnyte domain name and click Next.

    Screen_Shot_2019-06-07_at_12.12.22_PM.png

  3. In Sign-On Options select SAML 2.0 and download the Identity Provider metadata as .xml file for easier configuration with Egnyte. It's advised to set the Application username format to Email prefix. Click Done.
  4. Go to the Provisioning tab and click API integration from the left menu.
  5. Check the box for Enable API Integration, then paste the Egnyte API key into the API Token field.

    Screen_Shot_2019-06-07_at_12.25.52_PM.png

  6. Click the Test API Credentials button. You should see a success message. Click Save once you receive this message.

    Screen_Shot_2019-06-07_at_12.27.10_PM.png

  7. Navigate to the Settings menu, select To App from the left menu, and click Edit.
  8. Check the Enable box next to Create Users, Updated User Attributes, and Deactivate Users. Click Save.

    Screen_Shot_2019-06-07_at_12.54.01_PM.png

Troubleshooting

Egnyte Username

Egnyte doesn't support email-based usernames. To avoid provisioning issues, go to Sign On, open Settings, click Credential Details and update Application Username Format to either Okta username prefix or Email prefix.

In rare cases, the email or username may contain signs that are not supported by the Egnyte username pattern and need to be changed manually during user assignment in Okta.

Update User Email in Okta

If an email is changed, it may result in the username provisioned in Egnyte to be changed as well. It will result in an error as Egnyte does not currently support username changes with SAML/SSO. The current workaround is to manually change the username back in Okta Assignments.

Create a User - User Type Issues

The user type in Okta is case-sensitive and accepts only the following values.

  • admin
  • power
  • standard

If a user is not defined in Okta, the user will be created in Egnyte as a Power User. This will affect users with Individual and Group Assignment types.

Create User - Default Values

Users created by Okta in Egnyte will, by default, have their Authentication set to SSO. They will also have their IdP Username set to email or Egnyte username, depending on the Default user mapping option selected in Egnyte. This can be found in the Security & Authentication section under Configuration Settings.

Import Groups

Currently, Egnyte groups are being imported as objects that are different from the Okta-based Groups and cannot be edited in Okta.

Empty Groups

Manual push of an empty group from Okta to Egnyte is not supported as this time.

Egnyte Community

Egnyte Community

Want to connect with other Egnyte users and our Egnyte team? Share ideas and ask questions in our Community .