
User Provisioning from Okta to IDCS



Table of Contents

  • Overview

  • Prerequisite

  • Supported Features

  • Proposed Architecture

  • IDCS Configuration

  • Okta Configuration

  • Troubleshooting


Overview

If you are using Okta as the source of truth for user data, you can use the SCIM (System for Cross-Domain Identity Management) interface of IDCS (Identity Cloud Service) to provision and de-provision users from Okta through the IDCS/Okta integration available in the Okta Marketplace.

Prerequisite

There are a couple of things you need to know/do before you can provision external users to IDCS:

1. You need an Okta account with admin privileges. Okta might require an additional subscription for SCIM provisioning. Contact your Okta representative to ensure your organization has the appropriate subscription.

Supported Features

• New user creation: A new user created in Okta is created in IDCS.

• User profile updates: User profile updates in Okta are synched to IDCS.

• User deactivation: Deactivating a user in Okta or revoking user access to the application disables the user in IDCS.

• User activation: Activating a user in Okta or assigning an application to the user in Okta enables the user in IDCS.

• Creation of a group: A new group created in Okta creates the group in IDCS.

• Adding a user to a group: Assigning a user to a group assigns the user to the same group in IDCS as well.

• Delete a group: Deleting a group in Okta deletes the group in IDCS.


Proposed Architecture

Both Okta and IDCS support SCIM 2.0. Using that, Okta can provision users to IDCS.

[Architecture diagram; labels: Okta Instance, SCIM 2.0, IDCS, Oracle Cloud Infrastructure]


IDCS Configuration

First, create an OAuth client in IDCS. Okta uses that OAuth client to invoke the IDCS SCIM APIs.

1. Log in to IDCS using an Identity Domain administrator or an Application administrator user account.

2. Open the Applications tab and click on the Add button to create a new OAuth client.

3. Choose the option to create a Confidential application.


4. Type a name for the application, for example OktaSCIMClient, and click on the Next button.

5. On the next screen, select the “Configure this application as a client now” option.

6. From the list of available grant types, select the “Client Credentials” grant type.

7. Click on the Add button below “Grant the client access to Identity Cloud Service Admin APIs.” Select the User Administrator App Role and click the Add button.


8. Now click Next.

9. On the Resources tab, do not update anything and click Next.

10. On the Authorization tab, do not update anything and click Finish.

11. A message pops up saying the application was added with client credentials. Please note the Client ID and Client Secret. We use them while creating an application in Okta.

12. Click on the Activate button to activate the application.


Okta Configuration

Follow the steps documented below for Okta configuration.

1. Log in to the Okta admin console as an Admin user.

2. From the Applications menu, add the "Oracle Identity Cloud Service" app.


3. Add details of IDCS instance as shown in the screen shot below and then click Done.


4. Now go to the Provisioning tab and click on the “Enable Provisioning” checkbox.

5. Enter the SCIM base URL. A sample URL is below:

Base URL: https://$IDCS_SUBDOMAIN.identity.oraclecloud.com/admin/v1

6. Generate the Base64 encoding of the IDCS application client ID and client secret. Concatenate the client ID and client secret as ClientID:ClientSecret, using the values that you generated in the IDCS Configuration section, then generate the Base64 encoding of ClientID:ClientSecret. You can use your preferred tool to generate the Base64 encoding. If you don’t have one, you can use the command below. The -A option keeps the output on a single line; without it, openssl wraps the encoded output at 64 characters.

    echo -n 'ClientID:ClientSecret' | openssl base64 -A

7. The API Token value is the Base64 encoding of ClientID:ClientSecret:

    API Token = Base64encoded(ClientID:ClientSecret)


8. Click on Test API Credentials and make sure that Okta can connect to the SCIM endpoint.

9. Save the new application.

10. Now, based on your requirements, enable provisioning operations from Okta to IDCS as shown in the screenshot below.

11. If you need to update the Okta to IDCS attribute mapping, or if you have to add or map new attributes between Okta and IDCS, you can update that from the same configuration menu.
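Steps 6 to 8 above, as an added shell example that is not part of the original document: it builds the API Token on a single line, checks that it decodes back to ClientID:ClientSecret, and offers a manual credential check against IDCS. The function names and sample credentials are constructed for illustration; the token endpoint path and scope are those of the IDCS OAuth Client Credentials flow.

```shell
#!/bin/sh
# Added example: build and verify the Okta "API Token" for the IDCS app.
# Function names are hypothetical; sample credentials are constructed.

# Step 6: Base64-encode ClientID:ClientSecret as ONE line (-A disables wrapping).
make_api_token() {
    printf '%s:%s' "$1" "$2" | openssl base64 -A
}

# Succeeds only if the token is a single Base64 line that decodes to id:secret.
check_api_token() {
    tok=$1; id=$2; secret=$3
    case $tok in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # empty, or contains newline/space/etc.
    esac
    decoded=$(printf '%s' "$tok" | openssl base64 -d -A) || return 1
    [ "$decoded" = "$id:$secret" ]
}

# Manual counterpart to step 8 (needs network): request an access token from
# IDCS with the Client Credentials grant. Prints the HTTP status; 200 = accepted.
test_idcs_credentials() {
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Basic $2" \
        -d 'grant_type=client_credentials&scope=urn:opc:idm:__myscopes__' \
        "https://$1.identity.oraclecloud.com/oauth2/v1/token"
}

# Constructed sample values (not real credentials).
SAMPLE_ID='0123456789abcdef0123456789abcdef'
SAMPLE_SECRET='11111111-2222-3333-4444-555555555555'

api_token=$(make_api_token "$SAMPLE_ID" "$SAMPLE_SECRET")
if check_api_token "$api_token" "$SAMPLE_ID" "$SAMPLE_SECRET"; then
    echo "token OK: ${#api_token} characters on one line"
fi
```

Base64 is an encoding, not encryption, so the API Token is exactly as sensitive as the client secret and should be stored and handled as one.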


Troubleshooting

If you have any questions or difficulties with IDCS/Okta integration, please contact Oracle and/or Okta support.