Okta SCIM provisioning with Kantega SSO App

2024.04.22 Notice that the Kantega SSO app referred to in Configure Okta is not yet available. The app will be available as soon as the documentation is approved by Okta.

Prerequisites

To enable SCIM provisioning, you first need to create an SSO integration that supports the SCIM provisioning option. Once that integration is available, you can enable the SCIM option and configure the settings specific to your SCIM application.

To begin the SCIM configuration, select Cloud user provisioning in Kantega SSO/your Atlassian application. Then select Okta under the SCIM header from the Add directory dropdown.


Configuration steps in Okta

Log in to Okta as an admin user.

Go to Applications → Applications in the menu and choose Browse App Catalog.

Search for Kantega and then select Kantega SSO.

Then click Add integration.

General Settings

Enter an appropriate Application label in General Settings. Click Next.

Click Done in Sign-on Options.

Provisioning

Go to the Provisioning tab and click the Configure API Integration button.

Integration

Check “Enable API integration”.

Copy “SCIM on base URL” from the Kantega SSO SCIM wizard and paste it into the SCIM 2.0 Base URL field.
Copy Application secret from the Kantega SSO SCIM wizard and paste it into the OAuth Bearer Token field.

Uncheck Import Groups.

Click the button Test API Credentials. If the API credentials are correct, then a success message is displayed. Click Save.

To App settings

In the To App settings, enable Create Users, Update User Attributes, and Deactivate Users. Leave Sync Password unselected. You should not need to change the user mapping settings on this screen.

Assignments

  • Now set up which groups and users should be synchronized.
    Open the Assignments tab, press Assign, and add either people or groups. You can select the group Everyone to sync all people in Okta over SCIM to your Atlassian product. Follow the Assign steps, press Save and Go Back, and finally click Done.

 

Push Groups

  • At this point, any user or group assigned to the SCIM application in Okta will be provisioned to Jira, Confluence or Bitbucket. However, you still need to explicitly specify the groups to provision.

    • To do this, navigate to the Push Groups tab and click the Push Groups button. Either add groups by name or create a rule.

    • SCIM should now be configured and working, and both the assigned users and the specified groups should be pushed by SCIM to Kantega SSO.

SP-initiated SSO

Users can sign in with Okta from Kantega SSO through an Identity Provider created in Kantega SSO. See our Setup guide for creating Identity Providers in Kantega SSO.

Supported features

The following provisioning features are supported by Kantega SSO:

Create users: Users in Okta that are assigned to Kantega SSO within Okta are automatically added as users in the Kantega SSO application.

Update User Attributes: When user attributes are updated in Okta, they will be updated in Kantega SSO.

Deactivate Users: When users are deactivated in Okta, they will be deactivated in Kantega SSO.

Push Groups: Groups and their users in Okta can be pushed to Kantega SSO.

Note that Okta group pushes into Kantega groups will not overwrite or remove users that were not provisioned by Okta from the Kantega group.

Okta group pushes will be unable to "link" to existing Kantega groups, as JIRA does not allow the group name to be overwritten or changed.

Supported attributes

| Display name | Variable name | Attribute Type | Data type |
|--------------|---------------|----------------|-----------|
| Username     | userName      | Group          | string    |
| Given name   | givenName     | Personal       | string    |
| Family name  | familyName    | Personal       | string    |
| Middle name  | middleName    | Personal       | string    |
| Email        | email         | Personal       | string    |
| Email type   | emailType     | Personal       | string    |
| Display name | displayName   | Personal       | string    |
| User type    | userType      | Group          | string    |
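
The following is an added example, not code from Kantega or Okta. It shows how the supported attributes above could be laid out in a SCIM 2.0 User resource, rejecting anything outside the list (such as a password, since Sync Password is left unselected), and how a deactivation can be expressed as a PATCH body. The mapping onto RFC 7643 paths, the default email type "work", and the function names are assumptions made for illustration.

```python
# Added example: maps the page's Okta variable names onto SCIM 2.0 core
# schema paths (RFC 7643). The mapping is an assumption, not vendor code.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Okta variable name -> path inside the SCIM User resource (assumed mapping)
SUPPORTED = {
    "userName": ("userName",),
    "givenName": ("name", "givenName"),
    "familyName": ("name", "familyName"),
    "middleName": ("name", "middleName"),
    "displayName": ("displayName",),
    "userType": ("userType",),
}
EMAIL_FIELDS = {"email", "emailType"}

def build_scim_user(profile):
    """Build a SCIM User from an Okta-style profile dict, supported attributes only."""
    unknown = set(profile) - set(SUPPORTED) - EMAIL_FIELDS
    if unknown:
        # Fail closed: e.g. 'password' must never ride along (Sync Password is off).
        raise ValueError(f"unsupported attributes: {sorted(unknown)}")
    if not profile.get("userName"):
        raise ValueError("userName is required")
    user = {"schemas": [USER_SCHEMA], "active": True}
    for key, path in SUPPORTED.items():
        if key in profile:
            node = user
            for part in path[:-1]:
                node = node.setdefault(part, {})
            node[path[-1]] = profile[key]
    if "email" in profile:
        user["emails"] = [{
            "value": profile["email"],
            "type": profile.get("emailType", "work"),  # assumed default type
            "primary": True,
        }]
    return user

def build_deactivate_patch():
    """PATCH body that sets active=false (deactivate, not delete)."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }

# Constructed sample profile, for illustration only
SAMPLE = {"userName": "jdoe@example.com", "givenName": "Jane",
          "familyName": "Doe", "email": "jdoe@example.com"}
```

Comparing the output of build_scim_user(SAMPLE) with the user that appears in Kantega SSO after the first sync is a quick way to confirm that only the expected attributes were provisioned.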

Troubleshoot

N/A