Strategy One

Configure SCIM Provisioning with Okta

Starting in Strategy One (September 2025), you can integrate Library SCIM with Okta provisioning.

Prerequisite

Before configuring SCIM in Azure, the Library SCIM 2.0 service must be enabled and configured in Workstation. For more information, see Configure the Library Server as SCIM 2.0 Service Provider.

Configure SCIM Provisioning in Okta

Adding SCIM provisioning to an OpenID Connect (OIDC) integration isn't supported in Okta. To configure provisioning, you need to create a separate integration using SAML or SWA.

Configure Automatic User Provisioning to Library

  1. Log in to the Okta Admin Portal.

  2. Go to Applications and click your application.

  3. Go to General and App Settings.

  4. Click Edit.

  5. In Provisioning, select SCIM and click Save.

  6. Click Provisioning in the top navigation and click Edit.

  7. In SCIM Connection, add the following details:

    • SCIM connector base URL: Enter the Base URL from your Workstation configuration. It should be similar to the following: <Library Server URL>/api/scim/v2.

    • Unique identifier field for users: Type userName.

    • Supported provisioning actions: Select the following check boxes:

      • Push New Users

      • Push Profile Updates

      • Push Groups

        Do not select Import New Users and Profile Updates and Import Groups. These options will import your users and groups into Okta from Library.

    • Authentication Mode: Select HTTP Header.

    • Authorization > Bearer: Enter the Bearer token from your Workstation configuration.

  8. To check that the SCIM connection is valid, click Test Connector Configuration. If a green checkmark displays, the fields are properly filled.

  9. Click Save and To App.

  10. Click Edit and ensure Create Users, Update User Attributes, and Deactivate Users are selected.

  11. Define the map for user provisioning:

    Attribute mappings are used to control what attributes are exchanged during the provisioning process. After creating automatic user provisioning, you need to define the mapping by mapping the attribute to a value.

  12. Click Save.

Configure Group Push Between Okta and Library

  1. Under Push Groups, select the groups to provision to Library from the following options:

    • Push groups by name:

      1. Click Push Groups and by name.

      2. Type and select the name of the Okta group you assigned to the application.

      3. Leave Push group memberships immediately selected and the Match result & push action option set to Create Group.

    • Push groups by rule:

      1. Create a rule to match multiple groups at once. Click Push Groups and by rule.

      2. Type a name and any additional optional criteria.

      3. Click Create Rule.

        Okta does not support regular expressions, and matching groups are immediately provisioned when the rule is created.

        When the group is pushed to Library, an Active status displays in the Push Status column.

  2. Click Save.

Additional User and Group Information

  • Users that are assigned before SCIM is enabled are not automatically provisioned. If a user is not provisioned, an exclamation mark displays next to their name in the Assignments tab. To provision a user, click Provision User.

  • If you delete a SCIM user in Okta, the user is not deleted in Strategy Library. You must manually delete users in Library.

  • If you pushed the group you want to delete, click Unlink pushed group and click Delete the group in the target app. The users in the group are not deleted in Library.
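
Because deletions in Okta do not propagate, Library can accumulate accounts with no Okta counterpart. The following is an added example (not Strategy or Okta code) that reconciles a SCIM ListResponse of Library users against the userName values currently assigned in Okta. The sample data is constructed, and how the two lists are exported is an assumption left to the reader.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def find_orphaned_users(library_list_response, okta_usernames):
    """Return Library SCIM users that have no matching Okta userName.

    userName is the unique identifier configured for the SCIM connection,
    so it is the join key. It is compared case-insensitively (RFC 7643).
    """
    doc = json.loads(library_list_response)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    # A partial page would hide accounts; refuse to report on it.
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("truncated ListResponse: fetch all pages first")
    known = {name.strip().lower() for name in okta_usernames}
    orphans = []
    for user in resources:
        name = user.get("userName", "")
        if name.strip().lower() not in known:
            orphans.append({"id": user.get("id"), "userName": name,
                            "active": user.get("active", True)})
    # Active orphans first: they are the highest review priority.
    return sorted(orphans, key=lambda o: (not o["active"], o["userName"].lower()))


# Constructed sample data (not real accounts).
SAMPLE_LIBRARY_USERS = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 3,
    "Resources": [
        {"id": "A1", "userName": "jdoe@example.com", "active": True},
        {"id": "C3", "userName": "old.contractor@example.com", "active": False},
        {"id": "B2", "userName": "Former.Employee@example.com", "active": True},
    ],
})
SAMPLE_OKTA_USERNAMES = ["JDoe@example.com"]

if __name__ == "__main__":
    for orphan in find_orphaned_users(SAMPLE_LIBRARY_USERS, SAMPLE_OKTA_USERNAMES):
        print(orphan)
```
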

Configure Custom Attributes

You can customize your Okta configuration by changing default field mappings and adding custom attributes.

Field Mappings

You have the option to change the default field mappings. See the following default field mappings:

| Library User Field | SCIM Attribute | Okta Field |
| --- | --- | --- |
| Full Name | displayName | displayName |
| Username (Login) | userName | userName |
| Email Address | email | email |
| Trust Id | userName | userName |
| Distinguished Name | distinguishedName | N/A |

You need to add a custom user attribute distinguishedName in Okta.

| Library Group Field | SCIM Attribute | Okta Field |
| --- | --- | --- |
| User Group Name | displayName | name |
| Distinguished Name | distinguishedName | N/A |

Okta does not support group push mapping with custom Group attributes.

Update Default Field Mappings

  1. Click Provisioning and To App.

  2. Go to Attribute Mappings.

  3. Click Edit next to an attribute.

  4. Expand the Attribute drop-down list and click the Okta attribute to map to each field.

Create Custom User Attributes in Okta

You can also add custom attributes to provision to custom profile fields in Library.

  1. In the Okta Admin Console, go to the default application mapping.

  2. Click Go to Profile Editor and Add Attribute.

  3. Type values in the following fields:

    • Data type: The type of attribute data.

    • Display name: The display name in Okta.

    • Variable name: The variable name in Okta.

    • External name: The same value as the Variable name field.

    • External namespace: The same value as the SCIM Schema column in Workstation.

    See the following example fields using distinguishedName:

    • Data type: String

    • Display name: Distinguished Name

    • Variable name: distinguishedName

    • External name: distinguishedName

    • External namespace: urn:ietf:params:scim:schemas:extension:Strategy:2.0:User

  4. Click Save.

  5. Go to your application and click Provisioning and To App.

  6. Click Show Unmapped Attributes.

  7. Click Edit next to the attribute you created.

  8. Expand the Attribute value drop-down list and choose Map from Okta Profile.

  9. Choose a profile field from the drop-down list.

  10. In Apply on, select Create and update.

  11. Click Save.
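
How the External name and External namespace values above surface in the SCIM request, as an added example (not Strategy or Okta code): the sketch builds a User resource following RFC 7643, where extension attributes are nested under their schema URN, and looks the attribute up again the way a receiver would. The profile values, function names, and the wrong-namespace case in the usage are assumptions made for illustration.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# External namespace from the distinguishedName example on this page.
STRATEGY_USER_EXT = "urn:ietf:params:scim:schemas:extension:Strategy:2.0:User"

# Custom attributes as entered in the Okta Profile Editor:
# variable name -> (external name, external namespace).
CUSTOM_ATTRS = {"distinguishedName": ("distinguishedName", STRATEGY_USER_EXT)}


def build_scim_user(profile, custom_attrs=CUSTOM_ATTRS):
    """Build a SCIM 2.0 User resource from an Okta-style profile dict."""
    resource = {
        "schemas": [CORE_USER],
        "userName": profile["userName"],
        "displayName": profile.get("displayName", ""),
        "active": True,
    }
    for variable, (ext_name, namespace) in custom_attrs.items():
        if profile.get(variable) is None:
            continue  # unmapped or empty attributes are omitted
        # RFC 7643 section 3.3: extension attributes sit under the URN key,
        # and the URN must also be listed in "schemas".
        resource.setdefault(namespace, {})[ext_name] = profile[variable]
        if namespace not in resource["schemas"]:
            resource["schemas"].append(namespace)
    return resource


def find_extension_attr(resource, namespace, ext_name):
    """Return the attribute value, or None if it is not under `namespace`."""
    if namespace not in resource.get("schemas", []):
        return None
    return resource.get(namespace, {}).get(ext_name)


# Constructed sample profile (not real data).
SAMPLE_PROFILE = {
    "userName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com",
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_PROFILE), indent=2))
```

If the External namespace in Okta differs from the SCIM Schema value in Workstation, `find_extension_attr` returns `None` for the expected URN, which is the mismatch to look for when a custom attribute does not arrive.
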

Troubleshooting

  • Okta does not support group push mapping with custom Group attributes.

  • I assigned a group to an Okta application but it does not appear in Library: This action provisions every group member within Library but does not create a group in Library. To create a group in Library, push the group to Library from the Push Groups tab in your Okta application.

  • I pushed an Okta group to Library but the group is empty in Library: Pushing a group using Okta alerts Library to create a new group with the same name as the Okta group. Only users who have already been provisioned as members of that group will be added to the Library group. Ensure that your group in Okta contains the appropriate users and that they are provisioned.

  • I pushed a group to Library but a "type 34 (User) is not found in metadata" error displays: This is likely due to the user no longer existing in Library. You must provision the user again in Okta.

  • I pushed a group to Library but an "Authentication fails" error displays: The bearer token is expired or invalid. You must regenerate the bearer token in Workstation and set it in the Okta SCIM connection.

Related Topics

Add SCIM Provisioning to App Integrations

Assign Applications to Users

Assign an App Integration to a Group

About Profile Push

About Group Push

Enable Group Push