Okta’s System for Cross-domain Identity Management (SCIM) provisioning can automatically onboard new users and groups into Bluescape. This topic explains how to set up a SCIM integration in Okta. The integration supports the following provisioning features:
- Create users
- Update user attributes
- Deactivate users
- Group push
Okta groups are mapped to corresponding groups in Bluescape. These Bluescape groups are associated with Bluescape teams, where:
- Members added to the Okta group are automatically added to the associated Bluescape team (if not members already).
- Users deactivated in Okta (such as when leaving the company) are removed from the associated Bluescape team.
- Okta user attribute changes (email, first, and last name) are synchronized with Bluescape.
You must set up SSO in your Bluescape team(s). This is covered in the Configuration Steps below.
You must create a new SAML application separate from your current one. This section covers the steps to set up Bluescape SCIM in Okta and Bluescape.
1. Create a new Bluescape SCIM integration.
As an Admin in Okta, go to the Applications page. Select Create App Integration and name the application Bluescape SCIM or similar. Follow our guide to creating a new SAML application for Bluescape: Single Sign-On for Okta. When creating the new SAML app, we recommend that you mirror the settings currently used in your live app so that there are no discrepancies.
Note: We recommend creating a new Okta application rather than reusing an existing one, because all of the users in the existing app would need to be re-assigned. Make sure the security policies of the new Okta application are correct, for example, the policies for federated users and MFA.
2. In the new app’s General settings, enable SCIM provisioning.
Note: Based on your version of Okta, this view might look different. Select SCIM if the text does not match the screenshot above.
Before configuring Okta’s “Provisioning: Integration” page, we’ll need to perform the SCIM integration configuration steps in Bluescape.
3. Set up your SCIM integration in Bluescape.
a. Enable the Use SCIM integration toggle.
Any Admin can enable the SCIM integration toggle in step a, but to create the SCIM integration in step b, the user must be the Owner or a ScimManager of the team.
b. Go to the SCIM tab, select Add SCIM Integration, and provide a name for your integration.
This team acts as the “management” team for the SCIM integration; you can later identify other associated teams in Bluescape that can use this integration and its associated Okta groups. Information on how to add associated teams is in Step 9c.
c. The next screen provides access to Bluescape’s SCIM URL, used by Okta to provision and synchronize the Bluescape users, and a secret token, which Okta passes with each SCIM request to the SCIM URL. You copy the URL and secret token into Okta in Step 5 below.
Note: The secret token can be copied only when it is generated, that is, when creating the initial integration or when rotating the secret token after a set period. Bluescape recommends rotating the secret token after one year.
After you have pasted the secret token into Okta’s SCIM configuration, it can no longer be copied from Bluescape; if you need it again, re-generate it at Bluescape and copy the new token to Okta. Once you finish Step 5, the secret is no longer required and should be permanently deleted from your device for security purposes.
If you are looking to delete a SCIM Provider/App that is set up with Bluescape, please reach out to Bluescape Support.
4. Sign On settings.
In the Credentials Details section, make sure that the Application username format is set to Email.
5. Provisioning: “Integration” settings.
a. At the top of the screen, paste the SCIM URL you saved in Step 3.
b. Enter userName for the Unique identifier field for users and select Push New Users, Push Groups, and optionally, Push Profile Updates.
c. Set the Authentication Mode to HTTP Header and then paste the secret token from Step 3 into the Authorization/Bearer field at the bottom of the page.
d. Select Test Connector Configuration. This invokes the SCIM server running at Bluescape, which works with Okta’s SCIM client to keep Okta’s users and groups synchronized with Bluescape. If the test fails, check the URL and secret token and try again.
6. Provisioning: “To App” settings.
a. Enable the settings as shown here. Make sure to enable Create Users.
Note: Bluescape does not support syncing the password.
b. Set the attribute mappings accordingly, removing any attributes not shown here. Bluescape saves only userName, givenName, and familyName; see the note at the end of this topic.
7. Assign the app to Okta groups.
a. Use Assign to Groups to associate the Bluescape SCIM app with Okta groups. You can push one or more of these groups to Bluescape in Step 8.
Note: Only users in groups are automatically provisioned in Bluescape teams, so there is no need to use Assign to People.
8. “Push Groups” to Bluescape.
We recommend not using the Find groups by rule option, because the time it takes to synchronize the groups to Bluescape can vary widely.
a. First, select the Okta groups from Step 7 that you want to synchronize with Bluescape. These groups and their users stay synchronized with Bluescape. Once they are pushed, in Step 9, you go back to Bluescape to assign the groups to one or more of the integration’s Bluescape teams.
b. After selecting the groups to synchronize with Bluescape, use the button under Push Status to either Activate the group synchronization or remove the group from the list. Activation does not push the group to Bluescape; it means the group keeps synchronizing after the initial push below.
9. Associate group(s) with your team.
a. Add selected groups to your Bluescape team. The team can be either a Management or an Associated team, as explained in Step 3 above.
After a group is associated with the team, the group’s users are automatically added to the team.
b. Finally, you can switch back to Okta and add/remove users in Okta groups, change user profile information, and observe the changes in Bluescape.
c. To add any additional teams to the SCIM configuration in Bluescape, please reach out to Bluescape Support with the teams you would like to add and the following two URLs:
- IdP metadata URL from Step 2.
- SCIM URL generated from Step 3d.
During synchronization, when an error occurs in Bluescape, a bssrid (Bluescape SCIM Request ID) is returned to Okta and appears in the Okta logs. For security reasons, we do not return sensitive logging information in the response to Okta. Send the bssrid to Bluescape Support so we can retrieve the diagnostic information from the Bluescape logs.
Note that Bluescape supports updating only three Okta attributes: userName, givenName, and familyName. Other attributes are not saved to Bluescape.
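As an added illustration of the behaviour described above (not Bluescape’s code), this Python sketch shows a SCIM user handler that checks the Bearer token Okta sends in the HTTP Header authentication mode, keeps only userName, givenName and familyName, and on failure returns only an opaque request id while the diagnostic detail goes to the server log. The token value, the response layout, the in-memory store and the request-id format are constructed assumptions; the real bssrid format is not documented on this page.

```python
import hmac
import json
import logging
import secrets

# Constructed example token; a real deployment loads the rotated secret from a secret store.
SCIM_TOKEN = "constructed-example-token"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

log = logging.getLogger("scim")


def authorized(headers: dict) -> bool:
    """Verify Okta's HTTP Header / Bearer authentication mode in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token.encode(), SCIM_TOKEN.encode())


def supported_attributes(resource: dict) -> dict:
    """Keep only the three attributes that are saved; password, title, etc. are dropped."""
    name = resource.get("name") or {}
    wanted = {"userName": resource.get("userName"),
              "givenName": name.get("givenName"),
              "familyName": name.get("familyName")}
    return {k: v for k, v in wanted.items() if v is not None}


def handle_put_user(headers: dict, body: str, store: dict) -> tuple:
    """Process a SCIM PUT /Users/{id}; return (http_status, response_body).

    Errors carry only an opaque request id (the role the bssrid plays for Okta);
    the diagnostic detail is written to the server log, never to the response.
    """
    if not authorized(headers):
        return 401, {"schemas": [ERROR_SCHEMA], "status": "401"}
    request_id = secrets.token_hex(8)  # constructed stand-in for a bssrid
    try:
        resource = json.loads(body)
        if not isinstance(resource, dict) or not resource.get("userName"):
            raise ValueError("userName is required")
        attrs = supported_attributes(resource)
        store[attrs["userName"]] = attrs  # constructed in-memory user store
        return 200, {"schemas": [USER_SCHEMA], **attrs}
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        log.error("scim request %s failed: %s", request_id, exc)
        return 400, {"schemas": [ERROR_SCHEMA], "status": "400",
                     "detail": f"request failed; reference id {request_id}"}
```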
If you have questions or difficulties with your Okta to Bluescape SCIM integration, select Reply below this topic and outline the issue to engage Bluescape Support. Please include the bssrid.