Configure Okta Real-time User and Password Import

Help Center Home > SCIM > Configure Okta Real-time User and Password Import

Configure Okta Real-time User and Password Import

Streamline lifecycle management for your organization by connecting Okta with 黑料海角91入口 through a Real-time User and Password Import SCIM integration. This integration lets you manage your organization鈥檚 user identities in Okta, and easily connect users to all of the IT resources they need through 黑料海角91入口. After you connect Okta with 黑料海角91入口 through SCIM, depending on the integration settings you choose, users are seamlessly created, updated, and deactivated in 黑料海角91入口 according to the actions you take on users in Okta.

Supported Features

The following SCIM actions are supported for Okta鈥檚 User Import and Password Mastery integration with 黑料海角91入口.

User import: Users accounts are imported from Okta into 黑料海角91入口
Password sync: User account passwords are synchronized between Okta and 黑料海角91入口; changes made to passwords in Okta are synced with 黑料海角91入口
Create: When you create users in Okta they鈥檙e created in 黑料海角91入口
Update: When you update user attributes in Okta, these updates are reflected in 黑料海角91入口

Note:

Read the Considerations for more detail on this feature.

Deactivate:听When you deactivate or delete a user in Okta, the user is placed in a suspended state in 黑料海角91入口

Prerequisites

You need听User Provisioning听functionality enabled for your Okta account.听Learn about听
You need a 黑料海角91入口 API Key (see instructions below)

Recommendations

To prevent end-user access issues, we recommend that you use the same password complexity requirements as Okta, see听Manage Password and Security Settings
- Consider choosing听not to expire 黑料海角91入口 account passwords. If you choose to enforce password aging for your 黑料海角91入口 account passwords, be mindful of the expiration dates for users you鈥檙e managing for Okta. See听Manage Password and Security Settings to learn more about password aging
- We also recommend that you create a 黑料海角91入口 admin service account to generate the API Key you need to connect 黑料海角91入口 with Okta. This service account shouldn鈥檛 be tied to a specific user鈥檚 email address. For added security,听you can听require Multi-factor Authentication at听login for this admin service account. See听Manage Admin Accounts to learn more

Considerations

鈥嬧€嬧€嬧€嬧€婭f you update a user name in Okta for a user that is bound to resources, it won't听update that user's username in 黑料海角91入口. However, if that user isn't bound to any resources in 黑料海角91入口, then it will change the user's username.鈥�
When a user is associated with the 黑料海角91入口 application in their Okta account, a couple of things happen:
- Their password is sent to 黑料海角91入口 when it is changed in Okta
- Once听they've been associated with 黑料海角91入口, they log in to their Okta account for the first time after the association, and the passwords will be听synced
If you are trying to have an existing user's account managed by 黑料海角91入口, the usernames must meet specific requirements:
- Important: The user can't be bound to any resources at the time of account takeover.
- The username in Okta is an email, however in 黑料海角91入口 the username is not an email.
  - To have 黑料海角91入口 manage a user's account, the email used in Okta prefix (everything before the @ symbol) needs to match the username in 黑料海角91入口
    - For example, if the email is [email protected], then the username in 黑料海角91入口 needs to be john.doe.
If you are trying to have a new user's account managed by 黑料海角91入口, the username has specifications that will result in a failure if not met. The requirements are:
- The username needs to start with a letter
- It needs to be 30 characters or less
  - These can only include valid unix characters (letters, numbers, hyphens ' - ,' periods ' . ,' and underscores ' _ .')
If a password is changed directly from the user console it clears the credential manager on a Windows device. This is also the case when a user is externally managed and password updates come from a 3rd party, like Okta

Known Issues:

After you import users from Okta, users and their attributes are synced between 黑料海角91入口 and Okta. The users that you import from Okta are fully editable in 黑料海角91入口 in both the Admin and User Portals. This means that users can change their password and user attributes in the 黑料海角91入口 User Portal. If a user updates their password in the User Portal, it can be overwritten by Okta, potentially placing the user in a bad state. We recommend that you disable the ability for users to update their user attributes in the 黑料海角91入口 User Portal. You can do this in the Admin Portal鈥檚听General Information Org Settings. If you disable your end users鈥� ability to modify their user attributes in the User Portal, admins are still able to modify end-user attributes in the 黑料海角91入口 Admin Portal. Learn more about this feature in听Settings in the 黑料海角91入口 Admin Portal听
If you manage end-users devices with 黑料海角91入口 and integrate Okta with 黑料海角91入口, passwords can become out of sync between Okta and 黑料海角91入口 if a user changes their password through their device. You can leverage Okta integration with 黑料海角91入口 managed devices by keeping the following in mind:
- macOS:听黑料海角91入口's Menu Bar App prompts users to confirm their password if they become out of sync when they're provisioned to 黑料海角91入口 from Okta听
- To see more detailed information see听Managing Password Resets with Okta and 黑料海角91入口 Managed Devices听below

Attribute Mappings:

The following table lists attributes that 黑料海角91入口 can receive from Okta.

Learn about 黑料海角91入口 Properties and how they work with systemusers in our .

Okta Attribute Name	黑料海角91入口 Attribute Name	Notes
login	userName	For this attribute to map correctly, this attribute has been updated to `String.substringBefore(user.login, "@")`
user.firstName	givenName
user.lastName	familyName
user.middleName	middleName
user.email	email
user.emailType	emailType	For this attribute to map correctly, this attribute has been updated to `(user.email != null && user.email != ' ') ? 'work' : ' '`
user.Title	title
user.displayName	displayName
user.displayName	primaryPhone
user.primaryPhoneType	primaryPhoneType	For this attribute to map correctly, this attribute has been updated to `(user.primaryPhone != null && user.primaryPhone != ' ') ? 'work' : ' '`
user.addressType	addressType	For this attribute to map correctly, this attribute has been updated to `(user.streetAddress != null && user.streetAddress != '') \|\| (user.city != null && user.city != '') \|\| (user.state != null && user.state != '') \|\| (user.zipCode != null && user.zipCode != '') \|\| (user.countryCode != null && user.countryCode != '') \|\| (user.postalAddress != null && user.postalAddress != '') ? 'work' : ''`
user.streetAddress	streetAddress
user.city	locality
user.state	region
user.zipCode	postalCode

Getting Your API Key in 黑料海角91入口

You need a 黑料海角91入口 API Key to connect Okta and 黑料海角91入口. This key is found in the 黑料海角91入口 Admin Portal.

Note:

The API key from MTP admins will not work with the 黑料海角91入口 integration app in Okta. Only the tenant specified admin's key will work in this integration.

To generate an API Key:

Log in to the .
Click your account initials displayed in the top-right and select My API Key from the drop down menu.
If you haven't generated an API key before, click Generate API Key to have an API key generated and displayed. If you have an API key but don't have it stored, click Generate New API Key.

Important:

API Keys are only displayed at the time they鈥檙e created. Make sure to store it in a secure place, like 黑料海角91入口鈥檚 Password Manager so you can access it when you need it.

If you're generating a new API key, it will revoke access to the current API key. This will render all calls using the previous API key inaccessible. You will have to update any existing integrations that use an API key with the newly generated value. See 黑料海角91入口 APIs to see the impacted integrations.

Paste the key into Okta鈥檚 API integration settings.

Enabling and Configuring SCIM Integration in Okta

To enable and configure SCIM integration in Okta:

Log in to Okta.
Go to Applications, and open the 黑料海角91入口 application.
In the 黑料海角91入口 application, go to General.
For Application visibility, select the following options:
- Do not display application icon to users
- Do not display application in the Okta Mobile App
Go to Provisioning, then click Configure API Integration.
Select Enable API Integration.
Paste the API Key that you copied from the 黑料海角91入口 Administrator Portal.
Click Test API Credentials, this isn't required, but recommended.
If your optional test is successful, or if you choose not to test, click Save.
Go to Provisioning > Settings > To App, then click Edit.
(Required) Select Enable for the options you want to enable for your SCIM integration with 黑料海角91入口. You can choose to Create Users, Update User Attributes, and Deactivate Users.
(Required) For Sync Password, select Enable and Sync Okta Password.
Scroll past the Provisioning options, then click Save to apply your selected provisioning settings.

Verifying Your Integration

After you鈥檝e integrated 黑料海角91入口 with Okta, you can verify your integration by performing the following actions in Okta:

Create a user: If you鈥檙e successfully integrated, when you create a user in Okta, the user is added in 黑料海角91入口 and you'll see the user in the Users list
Update a user: If you鈥檙e successfully integrated, when you update a user in Okta, the user is updated in 黑料海角91入口. You can verify the update by viewing the user's Details panel听听
Suspend a user: If you鈥檙e successfully integrated, when you deactivate or delete a user in Okta, the user is suspended in 黑料海角91入口. You can verify the suspension by viewing the user in the听Users听list and by viewing their听Details听panel. See听Suspend and Restore User Accounts

Learn more about these actions and statuses in Getting Started: Users and User Account Status.

Troubleshooting Your Integration

If you run into issues during your verification of the integration, you can troubleshoot in the following ways:

Check your provisioning selections: Make sure you selected the provisioning option for the action you鈥檙e performing. For example, make sure that you have selected听Update User Attributes听if changes you鈥檙e making to users in Okta aren鈥檛 updating in 黑料海角91入口
Check your sync password selection: Make sure you鈥檝e selected the听Sync Okta Password听option for听Sync Password听

Migration Steps

To create a new instance of 黑料海角91入口 in Okta:

Log in to your Okta org as an administrator.
Select to view the Classic UI.
Click Add Applications.

Search for 黑料海角91入口, then select the application.

Click Add.
Configure the new application with provisioning as described in Enabling and Configuring SCIM Integration in Okta.

Managing Password Resets with Okta and 黑料海角91入口 Managed Devices

In this configuration, Okta will export Users, attributes, and passwords to 黑料海角91入口 through the OIN App. Passwords should be set or reset within Okta once this configuration has been enabled. 黑料海角91入口 will receive these passwords from Okta when a user resets within their Okta user portal. If you are additionally leveraging 黑料海角91入口 to manage your macOS, Windows, and Linux devices, you must consider the following to ensure that your users utilize and know the best practices for password resets.

With this integration, all passwords must be reset within Okta. If passwords are changed in 黑料海角91入口, they will not be exported back to Okta and will result in discrepancies between the user鈥檚 Okta and 黑料海角91入口 passwords.

Managing Password Resets and 黑料海角91入口 Managed MacOS Devices

There can be several workflows when resetting passwords within this configuration. When devices are managed by 黑料海角91入口, passwords should be reset in Okta and later confirmed on the device. Ensure that the following best practices are leveraged when users commit a password reset within Okta.

Additionally, 黑料海角91入口 requires macOS devices to be online during the password change in Okta so that the device will receive the new password via the 黑料海角91入口 Agent. This can be achieved when users are logged into their device and change the password within a browser window. The 黑料海角91入口 Tray App then requests a confirmation of the password change. See the workflow diagrams below.

Password Reset with Okta and a Single MacOS Device (Online) - Recommended

In this diagram, a user resets their password in a browser window on their 黑料海角91入口 managed macOS device. This sends the password to 黑料海角91入口 which updates their 黑料海角91入口 User Password. Within 60 seconds, their macOS 黑料海角91入口 Device Agent checks in with 黑料海角91入口, receives the new password hash, and displays a notification. The User must confirm their password in order for the FileVault (SecureToken) password and User Login password to be synced within the macOS keychain.

Password Reset with Okta and a Single MacOS Device (Offline) - Not Recommended

黑料海角91入口 recommends that users change their passwords while logged in to their primary macOS device. If the user鈥檚 macOS device is offline, additional steps must be taken to ensure the password is updated in macOS. The workflow shown in the previous diagram is not recommended unless absolutely necessary.

When a user changes their password in Okta, while their macOS device is offline, Okta sends the updated password to 黑料海角91入口. 黑料海角91入口 updates the user鈥檚黑料海角91入口 password to the new Okta password. Because the macOS device is offline, no updates are received until FileVault is unlocked.

When the user cold-boots their macOS device, FileVault prompts for a password. The user must enter the previous password鈥搕hat is, the one they used before the password reset in Okta. This is because the macOS device is encrypted, the NIC is not initialized, and the 黑料海角91入口 Agent is not active until FileVault is unlocked.

Once the user has unlocked FileVault using their previous password, the 黑料海角91入口 Device Agent will run, connect to the internet, and receive the new password hash from 黑料海角91入口. The user will see a second login prompt asking them for their previous and new password. The user should use the previous password they just used to unlock the Filevault Window and the new password they鈥檝e just reset in Okta.

If typed correctly, the user is then logged into their profile and the macOS keychain is synced and updated appropriately.

Password Reset with Okta and Multiple MacOS Devices (Online) - Recommended

In the diagram above, a user resets their password within a browser window on their primary 黑料海角91入口 managed macOS device. This sends the password to 黑料海角91入口 which updates their 黑料海角91入口 User Password. Once their macOS 黑料海角91入口 Device Agent checks in with 黑料海角91入口, it receives the new password hash and displays a notification. The user must confirm their password in order for the FileVault (SecureToken) password and User Login password to be synced in the macOS keychain.

For the second macOS device, the user performs a login where the User Login prompt requests their previous and new password. This updates the macOS keychain to utilize the new password appropriately.

黑料海角91入口 recommends that the second or additional macOS devices be online and past the FileVault Login so the 黑料海角91入口 Device agent and the NIC are active and initialized. It is not recommended to have the additional macOS devices offline during a password reset operation in Okta.

Password Reset with Okta and Multiple MacOS Devices (Online/Offline) - Not Recommended

Important:

黑料海角91入口 recommends only using this workflow if it is absolutely necessary to ensure proper password syncing.

In the diagram above, a user resets their password within a browser window on their primary 黑料海角91入口 managed macOS device. This sends the password to 黑料海角91入口 which updates the 黑料海角91入口 User Password. Once the macOS 黑料海角91入口 Device Agent checks in with 黑料海角91入口, it receives the new password hash and displays a notification. The user must confirm their password in order for the FileVault (SecureToken) password and User Login password to be synced within the macOS keychain.

For the second macOS device, the user cold-boots their macOS device. FileVault will prompt for a password. This is the password the user used before the password reset in Okta. This is because the macOS device is encrypted, the NIC is not initialized, and the 黑料海角91入口 Agent is not active until after FileVault is unlocked.

Once the User has unlocked FileVault using their previous password, the 黑料海角91入口 Device Agent will run, connect to the internet, and receive the new password hash from 黑料海角91入口. The user will see a second login prompt asking for their previous and new passwords. The user should use the previous password they just used to unlock the Filevault Window and the new password they鈥檝e just reset within Okta.

黑料海角91入口 recommends that the second or additional macOS devices be online and past the FileVault Login so the 黑料海角91入口 Device agent and the NIC are active and initialized. It is always best practice to have the additional macOS devices online during a password reset operation in Okta.

Password Reset with Okta and Windows Devices

In the diagram above, a user resets their password within a browser window on their 黑料海角91入口 managed Windows device. This sends the password to 黑料海角91入口 which updates the 黑料海角91入口 User Password. Once the 黑料海角91入口 Device Agent checks in with 黑料海角91入口, it receives the new password hash and updates the local password hash within Windows. The next time Windows requests a password, it will be using the new password the user just set.

Password Reset with Okta and Linux Devices

In the diagram above, a user resets their password within a browser window on their 黑料海角91入口 managed Linux device. This sends the password to 黑料海角91入口 which updates their 黑料海角91入口 User Password. Once the 黑料海角91入口 Device Agent checks in with 黑料海角91入口, it receives the new password hash and updates the local password hash within Linux. The next time Linux requests a password, it will be using their new password they鈥檝e just set.

Additional Resources:

Walk through a guided simulation for

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case

黑料海角91入口