Configure SCIM for Okta

In this article, you’ll learn how to configure SCIM for Okta. Configuring SCIM for Okta allows you to use Okta to manage users in your KSAT console. For information on how to enable SCIM for your KSAT console, see our SCIM Configuration Guide.

The instructions below are for third-party software. If you experience issues with user provisioning in Okta, we recommend reaching out to Okta for specific instructions. You can also contact our support team and we will be happy to assist you.

Important: Some customers may not have the ability to enable SCIM provisioning on custom apps. If the option does not display, you will need to contact Okta support to have them enable this feature for your organization. For more information on this, see Okta's Add SCIM provisioning to app integrations article.

Configuring SCIM

After you have configured your SCIM settings in your KSAT Account Settings, you are now ready to configure SCIM for Okta. To configure SCIM for Okta, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click Browse App Catalog.
  3. In the search bar, enter “KnowBe4” to filter the results.
  4. Select the KnowBe4 app.
Note: If you already have a KnowBe4 SAML app in Okta, you can leave this app as-is.
Important: If you’re adding the provisioning capability to an already existing custom SAML app, you’ll need to provision the existing users before they can log in. To provision existing users, you’ll need to go to the Assignments tab on the app’s configuration page and select Provision User.
  5. Click Add Integration.
  6. Edit the name and settings, if you would like.
  7. Click Done.
  8. Navigate to the Provisioning tab.
  9. Click the Integration subsection.
  10. Click Configure API Integration.
  11. Select the Enable API integration check box.
  12. Paste the Tenant URL from your KSAT Account Settings into the SCIM connector base URL field. To learn how to access your Tenant URL, see the Configuring SCIM section of our SCIM Configuration Guide.
  13. Paste the SCIM token from your KSAT Account Settings into the API Token field. To learn how to access your SCIM Token, see the Configuring SCIM section of our SCIM Configuration Guide.
  14. Click Test API Credentials.
  15. A message will display to notify you whether the test succeeded or failed. If the test succeeded, click Save.
  16. Now that you have set up the connection between your KSAT console and Okta, you can enable the services that you want to manage through Okta. To get started, click To App.
  17. Click Edit on the right side of the Provisioning to App section.
  18. Select the Enable check box for each feature that you would like to use.
Important: Pushing groups in Okta has some limitations that may affect your SCIM operation. For more information on this issue, see Okta’s About Group Push article.
Important: We do not currently support Sync Password. Any passwords that are sent with this setting will not be accepted.

After you have configured SCIM for Okta, you will need to choose which users to sync. To learn more about syncing users through Okta, see the Defining Which Users and Groups to Sync section below.

Defining Which Users and Groups to Sync

After you have followed the steps in the Configuring SCIM section above, you can define which users and groups you would like to sync. Defining which users and groups to sync is required before you can sync users from your identity provider.

Important: If you define groups, we recommend leaving additional group attributes blank. If you leave these additional attributes blank, individual users' attributes will be synced in place of the blank attributes. If you set up a group attribute for the following fields, the group attribute will override any individual user attributes for the users assigned.

To define which users and groups to sync, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Navigate to the Assignments tab.
  4. Click Assign to select which users you would like to sync.
  5. Click either Assign to People or Assign to Groups, depending on whether you want to define users or groups.
  6. Select the users or groups that you would like to sync.
Important: For your first sync, we recommend that you only select a few users or groups.
  7. Click Assign.
  8. After you select the user or group that you would like to sync, click Save and Go Back.
  9. After you’ve added all the users and groups that you would like to include, click Done.

Any users and groups you selected will now display in the Assignments tab.

Defining Which Groups to Sync

To sync groups and group memberships from Okta to your KSAT console, follow the steps below.

Important: We do not currently support the Push now button. Clicking this button may remove memberships from selected groups.
  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Push Groups.
Important: Okta does not support using the same groups for assignments and group push. For more information, see Okta’s About Group Push article.
  4. From the drop-down menu that opens, select Find groups by name.
  5. Enter the names of groups you would like to sync.
  6. Click Save.

Attribute Mappings

In Okta, there are attribute mappings that you can customize in order to define which fields sync between Okta and your KSAT console. To modify these attribute mappings, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Click To App.
  5. Scroll down to Attribute Mappings.
  6. Make the changes that you would like to make.
  7. Save your changes.
Important: We recommend that you download a CSV file from the Users tab in your KSAT console to have a backup of all user field info in case of an unexpected error.

You may have fields in your KSAT console that you don’t want to update from Okta. As a best practice, we recommend that you remove these attribute mappings so that they aren’t updated during an Okta sync.

For more information about Okta attribute mappings, see the Advanced Configuration Options section below.

Starting Your Sync

After you’ve configured your SCIM settings and added the users and groups that you want to sync, you can start the sync. After you’ve started the first sync, syncs from Okta will occur automatically. You can also manually force a sync from your Okta portal at any time.

Note: If you have more than several thousand users in your SCIM provisioning application, it’s likely that not all of your users will be included in your initial sync. Instead, the users will be synced to your account in stages. We recommend that you keep user provisioning in Test Mode until you see only a few changes between your sync reports. Waiting until you only see a few changes helps prevent users from being archived in your KSAT console. Additionally, syncing group memberships can take longer than syncing users. If you have a larger account, you can expect to see periodic syncs in your KSAT console.

To start your sync, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Click Force Sync.

The sync will be initiated immediately. After your initial sync, syncs will occur automatically when you change user information in Okta.

Important: Once you are satisfied that your users have synced correctly, you’ll need to turn off Test Mode in your KSAT Account Settings. Turning off Test Mode will allow users to be added and archived during the next sync. For more information about Test Mode, see our SCIM Configuration Guide.
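One way to check what turning off Test Mode would change is to compare the CSV backup from the Users tab with the list of users assigned in Okta. The script below is an added example, not KnowBe4 or Okta tooling; the `Email` column name, the plain list of Okta `userName` values, case-insensitive matching and the `max_changes` threshold are all assumptions.

```python
import csv
import io

def normalize(address):
    # Assumption: accounts are matched on trimmed, lower-cased e-mail addresses.
    return (address or "").strip().lower()

def load_ksat_emails(csv_text, column="Email"):
    """E-mail addresses from the Users-tab CSV backup (column name is assumed)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"backup CSV has no {column!r} column")
    return {normalize(row[column]) for row in reader} - {""}

def preview_sync(ksat_csv_text, okta_usernames, max_changes=5):
    """Diff the KSAT backup against the Okta assignment list before leaving Test Mode."""
    ksat = load_ksat_emails(ksat_csv_text)
    okta = {normalize(name) for name in okta_usernames} - {""}
    would_add = sorted(okta - ksat)        # assigned in Okta, not yet in KSAT
    would_archive = sorted(ksat - okta)    # in KSAT, not assigned in Okta
    changes = len(would_add) + len(would_archive)
    return {"would_add": would_add, "would_archive": would_archive,
            "few_enough_changes": changes <= max_changes}

# Constructed sample data, not real accounts.
SAMPLE_KSAT_CSV = """Email,First Name,Last Name
alice@example.com,Alice,Nguyen
bob@example.com,Bob,Ortiz
carol@example.com,Carol,Smith
"""
SAMPLE_OKTA_USERNAMES = ["Alice@Example.com", "bob@example.com ", "dave@example.com"]

if __name__ == "__main__":
    report = preview_sync(SAMPLE_KSAT_CSV, SAMPLE_OKTA_USERNAMES, max_changes=1)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A long `would_archive` list on a large account usually means the staged initial sync has not finished or an assignment is missing, so keep Test Mode on and check again after the next sync report.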

Once your sync has started, you can view the sync status and learn about any errors from the Provisioning tab in your KSAT console. To learn more about the Provisioning tab, see our How to Use the Provisioning Tab article.

Advanced Configuration Options

You can customize your Okta configuration by changing default field mappings or mapping custom KnowBe4 fields. For more information about customizing your Okta configuration, see the subsections below.

Important: Email aliases are not currently supported by SCIM provisioning.

Changing the Default Field Mappings

You have the option to change the default field mappings. The default field mappings are listed in the table below:

| KSAT Field | SCIM Attribute | Okta Field |
|---|---|---|
| Email | userName | userName |
| First Name | givenName | user.firstName |
| Last Name | familyName | user.lastName |
| Phone Number | primaryPhone | user.primaryPhone |
| Location | formatted | user.postalAddress |
| Division | division | user.division |
| Employee Number | employeeNumber | user.employeeNumber |
| Job Title | title | user.title |
| Organization | organization | user.organization |
| Department | department | user.department |
| Mobile Phone Number | mobilePhone | user.mobilePhone |
| Manager Display Name | managerDisplayName | user.manager |
| Manager Email | managerEmail | user.managerId |

| KSAT Field | Okta Field | SCIM Attribute |
|---|---|---|
| Time Zone | N/A | N/A |
| Extension | N/A | N/A |
| Language | N/A | N/A |
| Comment | N/A | N/A |
| Employee Start Date | N/A | N/A |

To change the default field mappings, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Select To App.
  5. Navigate to the Attribute Mappings section.
  6. Click the pencil icon to map a new Okta field to the SCIM attribute.

Mapping Custom Fields

You also have the option to map custom fields to sync with your KSAT console.

These fields are not mapped by default, but you can add them to your Okta platform by following the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Scroll down and click on Show Unmapped Attributes.
  5. Click the pencil icon next to any of the attributes that you would like to add.
  6. From the Attribute value drop-down menu, select the Okta attribute that you would like to map to each custom field.
  7. Click Save.
Note: If you are configuring a Custom Date attribute, the date must be formatted in ISO 8601 format. The format is as follows: YYYY-MM-DD “T” hh:mm:ssZ. For example, 2022-04-04T04:23:30Z.
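Source systems often hold dates with a local offset or no time zone at all, so it helps to validate and normalise values before mapping them to a Custom Date attribute. The helper below is an added example, not part of KnowBe4 or Okta; the function names and sample records are hypothetical, and it only checks the format stated in the note above.

```python
import re
from datetime import datetime, timezone

KSAT_DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # the form given in the note above
_PATTERN = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z")

def is_valid_custom_date(value):
    """True only for the exact form, e.g. 2022-04-04T04:23:30Z."""
    if not isinstance(value, str) or not _PATTERN.fullmatch(value):
        return False
    try:
        datetime.strptime(value, KSAT_DATE_FORMAT)   # rejects dates such as Feb 30
    except ValueError:
        return False
    return True

def to_custom_date(value):
    """Convert a datetime or an ISO 8601 string with an offset to the UTC 'Z' form."""
    if isinstance(value, str):
        text = value.strip()
        if text.endswith(("Z", "z")):
            text = text[:-1] + "+00:00"   # older fromisoformat() does not accept 'Z'
        value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError("no time zone given; refusing to guess UTC")
    utc = value.astimezone(timezone.utc).replace(microsecond=0)
    return utc.strftime(KSAT_DATE_FORMAT)

def audit_dates(records):
    """Return (user, original, corrected-or-None) for every value that needs attention."""
    findings = []
    for user, raw in records.items():
        if is_valid_custom_date(raw):
            continue
        try:
            findings.append((user, raw, to_custom_date(raw)))
        except (ValueError, TypeError):
            findings.append((user, raw, None))   # cannot be fixed automatically
    return findings

# Constructed sample values, not real user data.
SAMPLE_DATES = {
    "alice@example.com": "2022-04-04T04:23:30Z",
    "bob@example.com": "2022-04-04T06:23:30+02:00",
    "carol@example.com": "04/04/2022",
}

if __name__ == "__main__":
    for finding in audit_dates(SAMPLE_DATES):
        print(finding)
```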

If you need any help using this feature, please contact our support team.
