Before you start

Create a SAML Connection in your Auth0 tenant and connect it to a corresponding custom SAML application in your Okta Workforce Identity Dashboard.
This section describes how to configure a custom SAML app and SCIM app integration in an Okta Workforce Identity tenant, which can then be used to provision users to your Auth0 SCIM endpoint.

Configure SCIM settings in Auth0

  1. Launch the Auth0 Dashboard and go to Authentication > Enterprise > SAML > [Connection] > Provisioning.
  2. Disable Sync user profile attributes at each login unless you want to sync additional attributes at login.
  3. In the same section, enable Sync user profiles using SCIM.
  4. Under the Mapping tab, ensure the SCIM attribute containing the User ID setting is set to userName.
  5. Review the Additional Mappings to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes; see attribute mapping for details. If you receive phone numbers and physical addresses, note that Okta Workforce sends these as phoneNumbers[primary eq true].value and addresses[primary eq true].* by default.
  6. If this connection has already been deployed to production using the email address as the login ID, and no Auth0 username attribute is set on the existing user profiles, map the SCIM userName attribute to the Auth0 email attribute so Okta can find and match existing users. In Additional Mappings, find the following attribute pair:
     {
       "scim": "userName",
       "auth0": "username"
     }

     Replace it with the pair below, then remove the mapping to emails[primary eq true].value.
     {
       "scim": "userName",
       "auth0": "email"
     }

  7. Choose Save Changes.
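To show how the Additional Mappings from steps 5 and 6 are applied to the SCIM payload Okta sends, this added Python example (not Auth0's or Okta's own code) resolves the filter paths phoneNumbers[primary eq true].value and addresses[primary eq true].* against a constructed User resource and checks that userName maps to email with no separate emails mapping left; the mapping list, the sample resource and the function names are assumptions for illustration, not Auth0's implementation.

```python
import re

# Constructed Auth0 Additional Mappings after step 6 (userName -> email, emails row removed).
MAPPINGS = [
    {"scim": "userName", "auth0": "email"},
    {"scim": "name.givenName", "auth0": "given_name"},
    {"scim": "phoneNumbers[primary eq true].value", "auth0": "phone_number"},
    {"scim": "addresses[primary eq true].*", "auth0": "address"},
]

# Constructed SCIM 2.0 User in the shape Okta sends; multi-valued attributes carry a primary flag.
SCIM_USER = {
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "value": "jdoe@example.com"}],
    "phoneNumbers": [{"value": "+15550100"}, {"primary": True, "value": "+15550199"}],
    "addresses": [{"primary": True, "locality": "Austin", "region": "TX"}],
}

# One path segment: an attribute name with an optional [attr eq value] filter.
SEGMENT = re.compile(r'^(\w+)(?:\[(\w+) eq (true|false|"[^"]*")\])?$')

def resolve(resource, path):
    """Walk a dotted SCIM path; [attr eq value] picks one list element, * returns it whole."""
    node = resource
    for seg in path.split("."):
        if seg == "*":
            return node
        m = SEGMENT.match(seg)
        if not m:
            raise ValueError(f"unsupported SCIM path segment: {seg!r}")
        attr, fattr, fval = m.groups()
        node = node.get(attr) if isinstance(node, dict) else None
        if fattr is not None:
            want = {"true": True, "false": False}.get(fval, fval.strip('"'))
            items = node if isinstance(node, list) else []
            node = next((e for e in items if isinstance(e, dict) and e.get(fattr) == want), None)
        if node is None:
            return None
    return node

def apply_mappings(resource, mappings):
    """Return the Auth0 profile fields the mapping list would populate."""
    return {m["auth0"]: v for m in mappings
            if (v := resolve(resource, m["scim"])) is not None}

def username_maps_to_email(mappings):
    """Step 6 check: userName -> email and no separate emails[...] mapping left."""
    targets = {m["scim"]: m["auth0"] for m in mappings}
    return targets.get("userName") == "email" and "emails[primary eq true].value" not in targets
```

Running apply_mappings on a real payload captured from Okta's Test Connection call is a quick way to confirm the mapping produces the Auth0 attributes you expect before assigning production groups.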

Retrieve SCIM endpoint URL and token

  1. In the Auth0 dashboard, browse to the SCIM Setup tab and copy the SCIM Endpoint URL, then paste it somewhere safe.
  2. Select Generate New Token and set an optional expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; the default scopes used by Okta Workforce are get:users, post:users, and put:users. You may optionally select get:groups, post:groups, put:groups, patch:groups, and delete:groups to provision groups.

Configure SCIM in Okta Workforce for SAML Apps

There are two ways to configure SCIM provisioning in Okta. Choose the method that matches your connection type and group size requirements:
| Method | Description | Considerations |
| --- | --- | --- |
| SAML application | Uses the existing Provisioning tab for SAML applications in Okta. This method does not support PATCH for groups, which limits group membership to what can be sent in a single POST or PUT request. | Appropriate for pushing users. Does not support pushing groups with more than 10,000 members. |
| SCIM template application | Uses a SCIM 2.0 template app in Okta that supports the SCIM PATCH method for groups. Required for pushing groups with more than 10,000 members. | Works alongside existing SAML or OIDC SSO integrations. Supports pushing groups with more than 10,000 members. |

Okta SAML application

  1. Go to your Okta Workforce Identity SAML application, select the General tab, then choose Edit for App Settings.
  2. In the Provisioning section, select SCIM and then Save.
  3. Under the General tab, also confirm that Federation Broker Mode is disabled.
  4. Select the Provisioning tab, then go to Integration tab and select Edit.
  5. Enter the SCIM Endpoint URL value you copied earlier into the SCIM connector base URL section.
  6. For Unique identifier field for users, enter userName.
  7. Under Supported provisioning actions, select Push New Users, Push Profile Updates, and optionally Push Groups. Choose HTTP Header as the Authentication Mode.
  8. Paste the SCIM token into the Authorization field, then choose Test Connection Configuration if you want to test the new connection. Select Save.
  9. Browse to Provisioning > Settings > To App and choose Edit, then enable the Create Users, Update User Attributes, and Deactivate users operations. Select Save.
  10. Under the Attribute Mappings section, use the X button to delete the following lines:
     | Attribute | Value |
     | --- | --- |
     | Primary email type | (user.email != null && user.email != '') ? 'work' : '' |
     | Primary phone type | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' |
     | Address type | (user.streetAddress != null && user.streetAddress != '') ? 'work' : '' |
     Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read Okta’s help section.
  11. Use the Assignments tab to assign users and/or groups to your application. Assigning a group provisions its users into your Auth0 tenant.
  12. To push groups, select the Push Groups tab, find and select the group to push, then select Save. For more information, read Okta’s App assignments and Group Push documentation.

Okta SCIM template application

  1. In the Okta portal, select Applications > Browse App Catalog, search for (OAuth Bearer Token) Governance with SCIM 2.0, and select Add Integration. Set an Application label, check Do not display application icon to users, uncheck Browser plugin auto-submit, then select Next and Done.
  2. From the integration’s settings page, select the Provisioning tab, then Configure API Integration. Check Enable API Integration. Copy the SCIM Endpoint URL from the Auth0 Dashboard Setup tab and paste it into the SCIM 2.0 Base URL field, removing any trailing forward slash. In the Auth0 Dashboard, select Generate New Token > Generate Token > Copy and Close, then paste the token into the OAuth Bearer Token field in Okta. Optionally select Test API Credentials, then select Save.
  3. Next to Provisioning To App, select Edit. Enable only: Create Users, Update User Attributes, and Deactivate Users. Uncheck Set password when creating new users, then select Save.
  4. Under Attribute Mappings, use the X button to delete these lines, which can cause issues during PUT operations:
     | Attribute | Value |
     | --- | --- |
     | Primary email type | (user.email != null && user.email != '') ? 'work' : '' |
     | Primary phone type | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' |
     | Address type | (user.streetAddress != null && user.streetAddress != '') ? 'work' : '' |
    Optionally configure additional SCIM attributes to send from Okta to your SCIM endpoint.
  5. Use the Assignments tab to assign users and/or groups to your application. Assigning a group provisions its users into your Auth0 tenant.
    The same groups and users must be assigned to both the SSO app instance and the SCIM app instance in Okta.
  6. To push groups, select the Push Groups tab, find and select the group to push, then select Save. This provisions the full group object to Auth0. For more information on the relationship between Group Push and assignments, read Okta’s App assignments and Group Push documentation.