Setting Up SCIM Provisioning with Okta

Prerequisite: You have already enabled SCIM provisioning in Monte Carlo and generated an endpoint URL and bearer token.

This guide explains how to synchronize your Monte Carlo users and/or authorization groups with Okta using SCIM provisioning.

Find your Monte Carlo application in Okta

If you have already configured SSO logins to Monte Carlo through Okta, you will use this same application to enable SCIM provisioning. If you have not already created an application in Okta for Monte Carlo, create a new custom app integration.

Enable Provisioning

Under your application’s General settings, check the box for Enable SCIM Provisioning.

This will add a new tab titled Provisioning that will be used in the following steps.

Configure SCIM Connection

Under the new ‘Provisioning’ tab, find the subsection Integration and add the following:

A. REQUIRED: Base URL that was provided during MC SCIM setup. It will have the following format: https://integrations.getmontecarlo.com/scim/v2/<key_id>

B. REQUIRED: unique identifier field for users is email

C. OPTIONAL: choose which syncing options you want enabled

  • Import New Users and Profile Updates: [Not recommended] Okta will pull users from Monte Carlo and create profiles in Okta if the email is not found in Okta.
  • Push New Users: [Recommended] Users assigned to this application will be automatically pushed to Monte Carlo.
  • Push Profile Updates: [Recommended] Changes to user profiles like name or email updates will be automatically pushed to Monte Carlo.
  • Push Groups: [Optional] Groups assigned to this application will be automatically pushed to Monte Carlo.
  • Import Groups: [Not Recommended] Okta will import groups from Monte Carlo and create them in Okta. These groups cannot be edited in Okta, only in Monte Carlo.

D. REQUIRED: Authentication mode must be HTTP Header

E. REQUIRED: Enter the Integration Token you got during the MC SCIM setup.

Test the Connector Configuration and Save.

Configure User Attribute Mappings

After saving the Integration settings, there will be new options To App and To Okta. To App is where you will configure the attribute mappings to Monte Carlo.

  1. Choose if you want to Create Users, Update Users and/or Deactivate Users in MC. We recommend enabling all three so Okta is your source of truth for users in Monte Carlo.
  2. Sync Password is not supported. If you enable it, Okta will attempt to sync passwords to MC, but no change will be made to users in MC.
  3. Attribute Mappings

Monte Carlo supports the following attributes from Okta:

  • Username (required)
    • Username must be mapped to email.
  • Email (required)
  • Primary Email type (required)
    • SCIM requires a 'type' when providing an email field. Monte Carlo expects the email type to be 'work'. This is also the default configuration for Okta.
  • Given name (optional)
  • Family name (optional)

Any other attributes configured will be ignored by Monte Carlo and can be removed.
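
As an added illustration (not Monte Carlo's or Okta's code), the Python check below applies the mapping rules listed above to a SCIM 2.0 User payload of the kind Okta would push. The payloads are constructed samples in the RFC 7643 core User shape, and treating schemas, id, externalId, meta and active as envelope fields rather than profile mappings is an assumption.

```python
import json

# Envelope fields of a SCIM request (RFC 7643/7644). Assumption: these are
# not profile mappings, so they are not reported as ignored attributes.
ENVELOPE = {"schemas", "id", "externalId", "meta", "active"}
SUPPORTED_TOP = {"userName", "emails", "name"}
SUPPORTED_NAME = {"givenName", "familyName"}


def check_scim_user(user):
    """Return (errors, ignored) for one SCIM core User resource."""
    errors, ignored = [], []
    user_name = user.get("userName")
    if not isinstance(user_name, str) or not user_name:
        errors.append("userName is required")
        user_name = None
    emails = user.get("emails") or []
    if not emails:
        errors.append("emails is required")
    else:
        # Prefer the entry flagged primary; fall back to the first entry.
        primary = next((e for e in emails if e.get("primary")), emails[0])
        if primary.get("type") != "work":
            errors.append("primary email type must be 'work'")
        value = str(primary.get("value") or "")
        if user_name and user_name.lower() != value.lower():
            errors.append("userName must be mapped to email")
    # Anything outside the supported set is ignored and can be unmapped.
    ignored += sorted(user.keys() - ENVELOPE - SUPPORTED_TOP)
    ignored += ["name." + k for k in sorted(set(user.get("name") or {}) - SUPPORTED_NAME)]
    return errors, ignored


# Constructed sample payloads, shaped like a SCIM 2.0 create-user body.
GOOD = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "ada@example.com",
  "name": {"givenName": "Ada", "familyName": "Lovelace"},
  "emails": [{"value": "ada@example.com", "type": "work", "primary": true}],
  "active": true
}""")
BAD = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alovelace",
  "name": {"givenName": "Ada", "familyName": "Lovelace", "middleName": "K"},
  "emails": [{"value": "ada@example.com", "type": "home", "primary": true}],
  "title": "Engineer"
}""")

if __name__ == "__main__":
    for label, payload in (("good", GOOD), ("bad", BAD)):
        print(label, check_scim_user(payload))
```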

[Optional] Push Groups to Monte Carlo

If you would like to sync Okta groups to Monte Carlo authorization groups, you can go to the Push Groups tab.

  1. Select Push Groups and Find groups by name
  2. Search for an Okta group to sync
  3. Once found, decide what you want for Match result & push action.
    1. Create Group will create a group in MC with the same name and members list. Note that a group with this name must not already exist in your Monte Carlo account.
    2. Link Group will sync the members of the Okta group to an existing group in Monte Carlo. The name of the group in MC will not change but depending on your Okta settings, the group in Okta might be renamed to match the group name in Monte Carlo.

Assign Users

Under the Assignments tab you can assign this app to individual users or groups. Assigning the app to a user will cause Okta to sync that user to Monte Carlo. “Sync” means Okta will:

  • Check if the user exists in Monte Carlo already based on email
    • If the user already exists in Monte Carlo:
      • Link the Okta and Monte Carlo user together. Any changes to the user in Okta will now be synced with this user in Monte Carlo.
    • If the user does not exist in Monte Carlo:
      • Create the user in Monte Carlo
      • Link the Okta and Monte Carlo user together. Any changes to the user in Okta will now be synced with this user in Monte Carlo.

If you assign a Group to the app, this will provision every user in that Okta group to Monte Carlo. NOTE: This is not the same as syncing a group from Okta to Monte Carlo because it does not create an authorization group in MC. To create that authorization group in MC, go to "Push Groups" in the previous step.