Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Português (Portugal) Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

Okta SCIM Configuration Guide for KMSAT

Updated:

Created:

How to Configure SCIM for Okta

In this article, you’ll learn how to configure SCIM for Okta. Configuring SCIM for Okta allows you to use Okta to manage users in your KMSAT console. For information on how to enable SCIM for your KMSAT console, see our SCIM Configuration Guide.

The instructions below are for third-party software. If you experience issues with user provisioning in Okta, we recommend reaching out to Okta for specific instructions. You can also contact our support team and we will be happy to assist you.

Note: Some customers may not have the ability to enable SCIM provisioning on custom apps. If the option does not display, you will need to contact Okta support to have them enable this feature for your organization. For more information on this, see Okta's Add SCIM provisioning to app integrations article.

To learn how to configure SCIM for Okta, see the sections below.

Jump to:
Configuring SCIM

Defining Which Users and Groups to Sync

Defining Which Groups to Push

Attribute Mappings

Starting Your Sync

Advanced Configuration Options

 

Configuring SCIM

After you have configured your SCIM settings in your KMSAT Account Settings, you are now ready to configure SCIM for Okta. To configure SCIM for Okta, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click Browse App Catalog
  3. In the search bar, enter “KnowBe4” to filter the results.
  4. Select the KnowBe4 app.

Note: If you already have a KnowBe4 SAML app in Okta, you can leave this app as-is.

Note: If you’re adding the provisioning capability to an already existing custom SAML app, you’ll need to provision the existing users before they can log in. To provision existing users, you’ll need to go to the Assignments tab on the app’s configuration page and select Provision User.
  1. Click Add Integration.
  2. Edit the name and settings, if you would like.
  3. Click Done.
  4. Navigate to the Provisioning tab.
  5. Click the Integration subsection.
  6. Click Configure API Integration.
  7. Select the Enable API integration check box.
  8. Paste the Tenant URL from your KMSAT Account Settings into the SCIM connector base URL field. To learn how to access your Tenant URL, see the Configuring SCIM section of our SCIM Configuration Guide.
  9. Paste the SCIM token from your KMSAT Account Settings into the API Token field. To learn how to access your SCIM Token, see the Configuring SCIM section of our SCIM Configuration Guide.
  10. Click Test API Credentials.
  11. A message will display to notify you whether the test succeeded or failed. If the test succeeded, click Save.
  12. Now that you have set up the connection between your KMSAT console and Okta, you can enable the services that you want to manage through Okta. To get started, click To App.
  13. Click Edit on the right side of the Provisioning to App section.
  14. Select the Enable check box for each feature that you would like to use.
Note: Pushing groups in Okta has some limitations that may affect your SCIM operation. For more information on this issue, see Okta’s About Group Push article.
Note: We do not currently support Sync Password. Any passwords that are sent with this setting will not be accepted.

After you have configured SCIM for Okta, you will need to choose which users to sync. To learn more about syncing users through Okta, see the Defining Which Users and Groups to Sync section below.

Back to top

 

Defining Which Users and Groups to Sync

After you have followed the steps in the Configuring SCIM section above, you can define which users and groups you would like to sync. Defining which users and groups to sync is required before you can sync users from your identity provider.

Note: If you define groups, we recommend leaving additional group attributes blank. If you leave these additional attributes blank, individual users' attributes will be synced in place of the blank attributes. If you set up a group attribute for the following fields, the group attribute will override any individual user attributes for the users assigned.

To define which users and groups to sync, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Navigate to the Assignments tab.
  4. Click Assign to select which users you would like to sync.
  5. Click either Assign to People or Assign to Groups, depending on whether you want to define users or groups.
  6. Select the users or groups that you would like to sync.
Note: For your first sync, we recommend that you only select a few users or groups.
  1. Click Assign.
  2. After you select the user or group that you would like to sync, click Save and Go Back.
  3. After you’ve added all the users and groups that you would like to include, click Done.

Any users and groups you selected will now display in the Assignments tab.

Back to top

 

Defining Which Groups to Sync

To sync groups and group memberships from Okta to your KMSAT console, follow the steps below.

Important: We do not currently support the Push now button. Clicking this button may remove memberships from selected groups.

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Push Groups.
Note: Okta does not support using the same groups for assignments and group push. For more information, see Okta’s About Group Push article.
  1. From the drop-down menu that opens, select Find groups by name.
  2. Enter the names of groups you would like to sync.
  3. Click Save.

Back to top

 

Attribute Mappings

In Okta, there are attribute mappings that you can customize in order to define which fields sync between Okta and your KMSAT console. To modify these attribute mappings, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Click To App.
  5. Scroll down to Attribute Mappings.
  6. Make the changes that you would like to make.
  7. Save your changes.
Note: We recommend that you download a CSV file from the Users tab in your KMSAT console to have a backup of all user field info in case of an unexpected error.

You may have fields in your KMSAT console that you don’t want to update from Okta. As a best practice, we recommend that you remove these attribute mappings so that they aren’t updated during an Okta sync.

For more information about Okta attribute mappings, see the Advanced Configuration Options section below.

Back to top

 

Starting Your Sync

After you’ve configured your SCIM settings and added the users and groups that you want to sync, you can start the sync. After you’ve started the first sync, syncs from Okta will occur automatically. You can also manually force a sync from your Okta portal at any time.

Note: If you have more than several thousand users in your SCIM provisioning application, it’s likely all of your users won't be included in your initial sync. Instead, the users will be synced to your account in stages. We recommend that you keep user provisioning in Test Mode until you see only a few changes between your sync reports. Waiting until you only see a few changes helps prevents users from being archived in your KMSAT console.

Additionally, syncing group memberships can take longer than syncing users. If you have a larger account, you can expect to see periodic syncs in your KMSAT console.

To start your sync, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Click Force Sync.

The sync will be initiated immediately. After your initial sync, syncs will occur automatically when you change user information in Okta.

Important: Once you are satisfied that your users have synced correctly, you’ll need to turn off Test Mode in your KMSAT Account Settings. Turning off Test Mode will allow users to be added and archived during the next sync. For more information about Test Mode, see our SCIM Configuration Guide.

Once your sync has started, you can view the sync status and learn about any errors from the Provisioning tab in your KMSAT console. To learn more about the Provisioning tab, see our How to Use the Provisioning Tab article.

Back to top

 

Advanced Configuration Options

You can customize your Okta configuration by changing default field mappings or mapping custom KnowBe4 fields. For more information about customizing your Okta configuration, see the subsections below.

Note: Email aliases are not currently supported by SCIM provisioning. 

Changing the Default Field Mappings

You have the option to change the default field mappings. The default field mappings are listed in the table below:

KMSAT Field

SCIM Attribute

Okta Field

Email

userName

userName

First Name

givenName

user.firstName

Last Name

familyName

user.lastName

Phone Number

primaryPhone

user.primaryPhone

Location

formatted

 user.postalAddress

Division

division

user.division

Employee Number

employeeNumber

user.employeeNumber

Job Title

title

user.title

Organization

organization

user.organization

Department

department

user.department

Mobile Phone Number

mobilePhone

user.mobilePhone

Manager Display Name

managerDisplayName

user.manager

Manager Email

managerEmail

user.managerId

KMSAT Field

Okta Field

SCIM Attribute
Time Zone N/A N/A
Extension N/A N/A
Language N/A N/A
Comment N/A N/A
Employee Start Date N/A N/A

To change the default field mappings, follow the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Select To App.
  5. Navigate to the Attribute Mappings section.
  6. Click the pencil icon to map a new Okta field to the SCIM attribute.

Back to top

 

Mapping Custom Fields

You also have the option to map custom fields to sync with your KMSAT console.

These fields are not mapped by default, but you can add them to your Okta platform by following the steps below:

  1. Log in to your Okta portal and navigate to Applications.
  2. Click the SCIM application that you created in the Configure SCIM section above.
  3. Click Provisioning.
  4. Scroll down and click on Show Unmapped Attributes.
  5. Click the pencil icon next to any of the attributes that you would like to add.
  6. From the Attribute value drop-down menu, select the Okta attribute that you would like to map to each custom field.
  7. Click Save.

Note: If you are configuring a Custom Date attribute, the date must be formatted in ISO 8601 format. The format is as follows: YYYY-MM-DD “T” hh:mm:ssZ. For example, 2022-04-04T04:23:30Z.

If you need any help using this feature, please contact our support team.

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles