Provisioning with Kantega SSO Okta SCIM 2.0

Owned by Mari Fuglem
Last updated: Apr 24, 2024
5 min read

Prerequisites

To enable SCIM provisioning, you need to first create an SSO integration that supports the SCIM provisioning option. After that integration is available, then you can enable the SCIM option and configure the settings specific to your SCIM application.

To begin the SCIM configuration, select Cloud user provisioning in Kantega SSO/your Atlassian application. Then select Okta under the SCIM header from the Add directory dropdown.

Cloud user provisioning in Kantega SSO

 

Step 1 Network preparation

To provision users and groups with SCIM, your identity provider must be able to reach SCIM endpoints in your Atlassian application (ie Jira). You will need to provide a https URL with a valid certificate.

image-20240424-131411.png

 

Step 2 Tenant configuration

SCIM users will be stored in a separate user directory in JIRA. Each directory has a unique tenant ID and URL used by the provider to push updates.

Enter a descriptive name for the SCIM directory and tenant configuration. Appears in the application directory list as "SCIM: <name>".

Make a note of the Application secret for later use in Configuring Okta. Use the suggested value or create your

Click Next.

 

Step 3 Configure SCIM in Okta

You will use these values when configuring Okta

Replace the relevant parts of the value API server with the external proxy address, ie

Make a note of the application secret. While it can be changed later, you will not be able to see the value again, once you save.

Click Finish and switch to Configuration steps in Okta.

 

Configuration steps in Okta

  1. Login to the Okta admin portal

    • In the left menu, click Applications and then click submenu Applications.

       

  2. Add integration

    • On the application page, click Browse App Catalog and search for Kantega.

       

    • Select Kantega SSO, then click Add integration button

    • Enter an appropriate Application label in General Settings and click Next.

       

    • Click Done in Sign-on Options. You don’t need to configure Sign-on options in this case.

If you want to configure user provisioning with OIDC or SAML in the same app or another app, the Sign-on Options will be relevant. In this case tollow the setup guides for user provisioning with Okta

  1. Enable provisioning

    • Go to the Provisioning tab and Click Configure API Integration.

  2. Enable API integration

    • Check Enable API integration

    • Build the correct SCIM 2.0 Base Url to insert in API Integration page (see below). Use parts of the URL you see in Kantega SSO setup. This might look like for example:
      https://confluence-test.example.com/plugins/servlet/ksso/scim/ra8njxzor7o2/v2 while when this URL is exposed on the internet through your firewall it may look for example like this:
      https://scimtest.example.com/confluence-test/scim/ra8njxzor7o2/v2.
      See more about network setup for SCIM here.

    • Paste the Application secret you copied erlier in Kantega SSO SCIM wizard into Oauth Bearer Token

    • Uncheck Import Groups

    • Click the button Test API integration. If the entered API credentials are correct a success message is displayed, then click Save.

       

  3. Configure To App settings

    • In the To App settings, enable Create Users, Update User Attributes, and Deactivate Users. Leave Sync Password unselected. You should not need to change the user mapping settings on this screen.

  4. Configure Assignments

    • Now set up what groups/users should be synchronized.
      Press the Assignments tab. Then press Assign and either add people or groups. You may then select the group Everyone to get all people in Okta synced over SCIM to your Atlassian product. Follow the Assign steps and press Save and Go Back, click the Done button in the end.

     

  5. Configure Push Groups

    • At this point, any user or group assigned to the SCIM application in Okta will be provisioned to the Atlassian app (Jira, Confluence or Bitbucket). However, you still need to explicitly specify the groups to provision.

    • To do this, navigate to the Push Groups tab and click the Push Groups button. Either add groups by name or create a rule.

    • SCIM should now be configured and working and both assigned users and also the specified groups should be pushed by SCIM to Kantega SSO.



Supported features

The following provisioning features are supported by Kantega SSO:

Create users: Users in Okta that are assigned to Kantega SSO within Okta are automatically added as users in the Kantega SSO application.

Update User Attributes: When user attributes are updated in Okta, they will be updated in Kantega SSO.

Deactivate Users: When users are deactivated in Okta, they will be deativated in Kantega SSO.

Push Groups: Groups and their users in Okta can be pushed to Kantega SSO.

Note that Okta group pushes into Kantega groups will not overwrite or remove non Okta provisioned users from the Kantega group.

Okta group pushes will be unable to "link" to existing Kantega groups, as JIRA does not allow the group name to be overwritten or changed.

Supported attributes

Display name

Variable name

Attribute Type

Data type

Display name

Variable name

Attribute Type

Data type

Display name

Variable name

Attribute Type

Data type

Display name

Variable name

Attribute Type

Data type

Username

userName

Group

string

Given name

givenName

Personal

string

Family name

familyName

Personal

string

Middle name

middleName

Personal

string

Email

email

Personal

string

email type

emailType

Personal

string

Display name

displayName

Personal

string

User type

userType

Group

string