Auto-provisioning Omni users with Okta SCIM
When SCIM (System for Cross-domain Identity Management) is enabled, you can automatically provision Omni accounts for your users and synchronize Omni user groups with groups in Okta.
Limitations
Omni does not currently support the following Okta provisioning features:
- Sync password
- Enhanced group push
Omni users created via SCIM will have Organization Member permissions. Organization Admins must be created in Settings > Users or have their permissions manually upgraded.
Requirements
To follow the steps in this guide, you'll need:
- To have Okta SAML authentication set up. If you don't, refer to the Okta SAML authentication setup guide before proceeding.
- Omni Organization Admin permissions
- Permissions in Okta that allow you to:
- Access the Admin console
- Modify Okta applications
1. Create an Omni API key
Reach out to Omni support to have API keys enabled for your organization.
- Follow these steps to create a new API key named Okta SCIM.
- Copy the key somewhere handy - you'll need it to complete the setup.
2. Configure the Omni Okta application
This guide assumes that you have an existing Omni application in Okta. If you don't, make sure you've finished setting up Okta SAML authentication before continuing.
-
Log in to the Okta Admin console.
-
Navigate to the Omni application.
-
Click the Provisioning tab.
-
In the Integration tab, click the Configure API Integration button.
-
Check the Enable API Integration box.
-
In the API Token field, paste your Omni API key:
-
Click Test credentials to verify the setup.
3. Set up provisioning & user attribute updates
If the API credential test is successful, additional options will display in the application's Provisioning tab.
-
In the Provisioning tab, click the To app option. Then:
-
Click the Edit link to the right of the Provisioning to app heading.
-
Check the Enable boxes for Create users, Deactiviate users, and Update user attributes.
-
Click Save.
-
-
Navigate to the Sign on tab. Then:
-
Locate the Credentials details section.
-
Set the Application username format to Email. To change this setting, click the Edit link near the top of the tab:
-
Click Save when finished.
-
After provisioning is set up, users that have the Omni application assigned to them in Okta will be provisioned in Omni. This process may take a few minutes to complete.
4. Enable user group provisioning
This step enables Okta's Push groups functionality, which allows you to push your Okta user groups to Omni.
-
In the Omni application, navigate to the Push Groups tab.
-
Click the Push Groups button, then select Find groups by name:
-
Use the search field to find and select an Okta group to push to Omni.
-
Click Save.
Once pushed, Omni will begin provisioning the user group. This process may take a few minutes to complete.
Pushing an Okta group to Omni will not automatically provision accounts for users who are group members. You'll need to use the Assignments tab to assign the group to the users. Refer to the Okta SAML setup guide for more information.
What's next?
After you finish setting up SCIM, you can go a step further and sync your custom user attributes from Okta to Omni.
Refer to the Syncing Okta user attributes guide for more information.