Inbound SCIM for Okta Workforce SAML Connections

This section describes how to configure a custom SAML and SCIM app integration in an Okta Workforce Identity Cloud tenant, which can be used to provision users to your Auth0 SCIM endpoint.

1. Launch the Auth0 Dashboard and go to Authentication > Enterprise > SAML > [Connection] > Provisioning.

2. Disable Sync user profile attributes at each login unless you want to sync additional attributes at login.

3. In the same section, enable Sync user profiles using SCIM.

4. Under the Mapping tab, ensure the SCIM attribute containing the User ID setting is set to userName.

5. Review the Additional Mappings to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes, reviewing attribute mapping for details. If you receive phone numbers and physical addresses, note that Okta Workforce sends these as phoneNumbers[primary eq true].value and addresses[primary eq true].* by default.

6. Map the SCIM userName attribute to the Auth0 email attribute so Okta can find and match existing users if this connection has already been deployed to production using the email address as the login ID and no Auth0 username attribute is set on the existing user profiles. In Additional Mappings find the following attribute pair:

   {
       "scim": "userName",
       "auth0": "username"
     }

   Was this helpful?

   Yes /No
   Replace it with the one below, then remove the mapping to emails[primary eq true].value.

   {
       "scim": "userName",
       "auth0": "email"
     }

   Was this helpful?

   Yes /No

7. Choose Save Changes.

1. In the Auth0 dashboard, browse to the SCIM Setup tab and copy the SCIM Endpoint URL, then paste it somewhere safe.

2. Select Generate New Token and set an optional expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; the default scopes used by Okta Workforce are get:users, post:users, and put:users.

1. Go to your Okta Workforce Identity Cloud SAML application, select the General tab, then choose Edit for App Settings.

2. In the Provisioning section, select SCIM and then Save.

3. Under the General tab, also confirm that Federation Broker Mode is disabled.

4. Select the Provisioning tab, then go to Integration tab and select Edit.

5. Enter the SCIM Endpoint URL value you copied earlier into the SCIM connector base URL section.

6. For Unique identifier field for users, enter userName.

7. Under Supported provisioning actions, select Push New Users and Push Profile Updates, then choose HTTP Header as the Authentication Mode.

8. Paste the SCIM token into the Authorization field, then choose Test Connection Configuration if you want to test the new connection. Select Save.

   

9. Browse to Provisioning > Settings > To App and choose Edit, then enable the Create Users, Update User Attributes, and Deactivate users operations. Select Save.

   

8. Under the Attribute Mappings section, use the X button to delete the following lines:

Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read Okta's help section.

You can now test user provisioning in the Assignments tab and test update operations by editing the user attributes in the Directory > People section of your Okta admin portal.