Before you start

Enable Okta Workforce Identity as an identity provider by following the instructions on the Identity Providers help page. This integration will require two applications to be registered in Okta Workforce: the OpenID Connect integration and the SCIM integration. The same users and groups must be assigned to both. To eliminate this requirement and streamline the setup process for your customers, submit your app to the Okta Integration Network.
This section describes how to configure a custom OpenID Connect and SCIM app integration in an Okta Workforce Identity tenant, which can be used to provision users to your Auth0 SCIM endpoint. For information on configuring a SAML and SCIM integration with Okta Workforce Identity, read Inbound SCIM for Okta Workforce SAML Connections instead.

Configure SCIM settings in Auth0

  1. Launch the Auth0 Dashboard and go to Authentication > Enterprise > Okta Workforce > [your-connection] > Provisioning.
  2. Disable Sync user profile attributes at each login unless you want to sync additional attributes at login.
  3. In the same section, enable Sync user profiles using SCIM.
  4. On the Mapping tab, ensure the SCIM attribute containing the User ID is set to externalId.
You can also check Additional Mappings to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes.

Retrieve SCIM endpoint URL and token

  1. In the Auth0 Dashboard, browse to the SCIM Setup tab and copy the SCIM Endpoint URL, then paste it somewhere safe.
  2. Select Generate New Token and set an optional expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; the default required scopes used by Okta Workforce are get:users, post:users, and put:users. You may optionally select get:groups, post:groups, put:groups, patch:groups, and delete:groups to provision groups.

Configure SCIM in Okta Workforce for OIDC Apps

  1. Confirm that an OpenID Connect application has already been registered in the Okta Workforce tenant for OIDC-based user authentication.
  2. Confirm that your OpenID Connect application has disabled Federation Broker Mode.
  3. Register a second application in the Okta portal by selecting Applications > Browse App Catalog, search for (OAuth Bearer Token) Governance with SCIM 2.0, and select Add Integration. Set an Application label, check Do not display application icon to users, uncheck Browser plugin auto-submit, then select Next and Done.
  4. From the integration’s settings page, select the Provisioning tab, then Configure API Integration. Check Enable API Integration. Copy the SCIM Endpoint URL from the Auth0 Dashboard Setup tab and paste it into the SCIM 2.0 Base URL field, removing any trailing forward slash. In the Auth0 Dashboard, select Generate New Token > Generate Token > Copy and Close, then paste the token into the OAuth Bearer Token field in Okta. Optionally select Test API Credentials, then select Save.
  5. Next to Provisioning To App, select Edit. Enable only: Create Users, Update User Attributes, and Deactivate Users. Uncheck Set password when creating new users, then select Save.
  6. Under Attribute Mappings, use the X button to delete these lines, which can cause issues during PUT operations:
    | Attribute | Value |
    | --- | --- |
    | Primary email type | (user.email != null && user.email != '') ? 'work' : '' |
    | Primary phone type | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' |
    | Address type | (user.streetAddress != null && user.streetAddress != '') ? 'work' : '' |
    Optionally configure additional SCIM attributes to send from Okta to your SCIM endpoint.
  7. Use the Assignments tab to assign users and/or groups to your application. Assigning a group provisions its users into your Auth0 tenant.
    The same groups and users must be assigned to both the SSO app instance and the SCIM app instance in Okta.
  8. To push groups, select the Push Groups tab, find and select the group to push, then select Save. This provisions the full group object to Auth0. For more information on the relationship between Group Push and assignments, read Okta’s App assignments and Group Push documentation.
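
A pre-flight check for the two values copied from Auth0 into Okta in the steps above (the SCIM endpoint URL with its trailing slash removed, and the token with its selected scopes), as an added example that is not part of the Auth0 or Okta documentation. The helper names and sample URL are hypothetical; treating every listed group scope as needed for Group Push and flagging tokens without an expiration date are assumptions, not documented requirements.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Scope names are the ones listed on this page; the helper names are hypothetical.
USER_SCOPES = {"get:users", "post:users", "put:users"}
GROUP_SCOPES = {"get:groups", "post:groups", "put:groups",
                "patch:groups", "delete:groups"}


def normalize_base_url(url):
    """Return the value to paste into Okta's SCIM 2.0 Base URL field."""
    cleaned = url.strip().rstrip("/")  # step 4: remove any trailing forward slash
    parts = urlsplit(cleaned)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM base URL must be an absolute https:// URL")
    if parts.query or parts.fragment:
        raise ValueError("SCIM base URL must not carry a query or fragment")
    return cleaned


def audit_token(granted, push_groups, expires_at=None, now=None):
    """List findings for a SCIM token's scopes and expiry before it goes to Okta."""
    now = now or datetime.now(timezone.utc)
    granted = set(granted)
    # Assumption: Group Push needs every group scope the page lists.
    expected = USER_SCOPES | (GROUP_SCOPES if push_groups else set())
    findings = [f"missing scope: {s}" for s in sorted(expected - granted)]
    findings += [f"excess scope: {s}" for s in sorted(granted - expected)]
    if expires_at is None:
        findings.append("token has no expiration date")  # assumed local policy
    elif expires_at <= now:
        findings.append("token is already expired")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    print(normalize_base_url("https://tenant.example.com/scim/v2/con_EXAMPLE/"))
    for finding in audit_token(USER_SCOPES | {"delete:groups"}, push_groups=False):
        print(finding)
```

An empty findings list means the token carries exactly the scopes this setup uses and has a future expiration date.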