
Configure SCIM for Okta

This article explains how to configure SCIM (System for Cross-domain Identity Management) integration between Okta and Gatekeeper.


   Estimated Read Time: 20 minutes



What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard used to automate the provisioning and management of users. It enables identity providers, such as Azure Entra or Okta, to securely synchronise user data with Gatekeeper, helping to ensure consistency and reduce manual tasks.

Configuration

Permissions Required for Setup

This article focuses on setting up SCIM integration using Okta. To follow the steps, you’ll need:

  • An Okta account.
  • Appropriate admin roles in Okta (e.g. Application Administrator to create applications, and Groups Administrator to manage group assignments).
  • Global Administrator permissions in Gatekeeper, with the Configuration additional permission.

Step 1: Set the Fallback Team and Mapping

The fallback team is where users are assigned if, for example, their groups or permissions are deleted. The Default Mapping should grant only minimal permissions. To do this:

  1. From the navigation menu, expand Settings then click Configuration.
  2. Click System for Cross-domain Identity Management (SCIM).
  3. Select the relevant team from the Select Fallback Team dropdown list.
  4. Click the pencil icon on Default Mapping.
  5. Select the relevant permissions, then click Save.

Step 2: Set Up the Enterprise Application in Okta

The next step is to create a new enterprise application in Okta to enable the SCIM connection with Gatekeeper.

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications.
  3. Click Browse App Catalog.
  4. Search for Gatekeeper, then click the official Gatekeeper Okta application.
  5. Click Add Integration.
  6. Fill in the following required fields:
     1. Application Label: give the application a meaningful name.
     2. GK Region: available in your tenant's URL. For example, eu is the value to use from the URL https://eu.gatekeeperhq.com/3222/executive-dashboard. This field is case-sensitive. Available values are:
        1. apac for the Asia-Pacific region.
        2. ca for Canada.
        3. eu for the EMEA region.
        4. us for the United States.
     3. Tenant ID: available in your tenant's URL. For example, 3222 is the value to use from the URL https://eu.gatekeeperhq.com/3222/executive-dashboard.
  7. Click Done.

 

Step 3: Configure Okta SSO

To enable user login using Okta, you must configure the Okta SSO Application and Gatekeeper. To do this, follow the instructions in Configure Okta SSO.

 

Step 4: Configure SCIM Provisioning

With SAML configured, the next step is to set up SCIM provisioning to automate user management between Okta and Gatekeeper.

  1. In your Gatekeeper tenant, go to Settings → Configuration → System for Cross-domain Identity Management (SCIM).
     1. Click the Generate API Key button.
     2. Click the Copy & Save button.
  2. In your Okta application, click the Provisioning tab, then click Configure API Integration.
     1. Paste the generated API key into Okta.
     2. Uncheck the Import Groups checkbox.
     3. Click the Test API Credentials button.
  3. Click the Provisioning tab → To App and configure the following settings:
     1. Enable Create Users.
     2. Enable Update User Attribute.
     3. Enable Deactivate Users.
     4. Disable Sync Password. Users will use SSO to log in.
  4. Click Save.

Step 5: Adjust User Mapping

To ensure user details are mapped correctly in Gatekeeper, you’ll need to update the default user attribute mapping in Okta.

  1. Click the Go To Profile Editor button.
  2. Click the Add Attribute button.
  3. Fill in the required information:
     1. Display Name: a meaningful name, for example Gatekeeper Teams.
     2. Variable Name: used internally by Okta only; it should be autogenerated.
     3. External name: teamName. This name is case sensitive.
     4. External namespace: urn:ietf:params:scim:schemas:extension:gatekeeper:2.0:User
     5. Description: free text to provide additional information.
     6. Attribute type: Personal
  4. Click the Save button.
  5. Click the Mappings button.
  6. Click the Okta User to Gatekeeper App tab (or the name you gave your application in Step 2: Set Up the Enterprise Application in Okta).
  7. Map user.department on the Okta side to GKTeamName (or the name of the variable created in the previous step) on the Gatekeeper side.
  8. Click the Save Mapping button, then the Apply Updates button.

 

Note: The department/attribute name in Okta must match the team name in Gatekeeper exactly. This match is case sensitive.

 

Step 6: Assign Users or Groups

Once provisioning is configured, you can assign users or groups to the SCIM-integrated application in Okta.

 

Step 7: Verify Provisioning in Gatekeeper

After assigning users or groups in Okta, verify that they have been successfully provisioned into Gatekeeper.

  1. In Gatekeeper, from the navigation menu, expand Settings then click Configuration.
  2. Click System for Cross-domain Identity Management (SCIM).
  3. You should see the provisioned group and user appear. The system applies the default permissions initially.
  4. Click the pencil icon for the group to configure group permissions (e.g. Global Collaborator or Administrator), then click Save.

 

Note:

  • If a user is already synced, and you later update their group’s permissions, the user will automatically inherit the new permissions.
  • When a user belongs to multiple groups, Gatekeeper will:
    • Merge all assigned permissions.
    • Grant the highest privilege level among all groups.
  • For example, a user in both Global Collaborator and Global Administrator groups will be assigned Global Administrator, as this is the highest permission.
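As an added illustration (not Gatekeeper's or Okta's own code), the following Python models the behaviour described in Step 5 and in the notes above: a constructed SCIM 2.0 User resource carrying the teamName extension attribute is resolved to a team by exact, case-sensitive match, falling back to the fallback team from Step 1, and a user's group permissions are merged so the highest level wins. The sample user, the team names and the privilege ranking are assumptions built for this example.

```python
"""Model of the SCIM team resolution and group permission merging described
in this article. Constructed illustration; not Gatekeeper or Okta code."""
import json

# Extension namespace and external attribute name from Step 5.
GK_EXT = "urn:ietf:params:scim:schemas:extension:gatekeeper:2.0:User"
TEAM_ATTR = "teamName"

# Assumed ranking of the permission levels named in the article.
# Higher number = higher privilege; Default Mapping is the minimal fallback.
RANK = {"Default Mapping": 0, "Global Collaborator": 1, "Global Administrator": 2}

# Constructed sample: a SCIM 2.0 User as Okta would send once the Step 5
# mapping copies user.department into the Gatekeeper extension attribute.
SAMPLE_USER = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", GK_EXT],
    "userName": "jdoe@example.com",
    "active": True,
    GK_EXT: {TEAM_ATTR: "Legal"},
})


def resolve_team(scim_user_json, known_teams, fallback_team):
    """Return the team a provisioned user lands in.

    The match is exact and case sensitive (see the note after Step 5); a
    missing or non-matching value sends the user to the fallback team (Step 1).
    """
    user = json.loads(scim_user_json)
    ext = user.get(GK_EXT, {}) if GK_EXT in user.get("schemas", []) else {}
    team = ext.get(TEAM_ATTR)
    return team if team in known_teams else fallback_team


def effective_permission(group_permissions):
    """Merge the permissions of all groups a user belongs to: highest wins.

    A user with no group permissions yet keeps the minimal Default Mapping,
    which is what Step 7 describes as the initially applied default.
    """
    if not group_permissions:
        return "Default Mapping"
    return max(group_permissions, key=RANK.__getitem__)


if __name__ == "__main__":
    teams = {"Legal", "Finance"}
    print(resolve_team(SAMPLE_USER, teams, "Unassigned"))  # Legal
    print(resolve_team(SAMPLE_USER.replace('"Legal"', '"legal"'), teams, "Unassigned"))  # Unassigned
    print(effective_permission(["Global Collaborator", "Global Administrator"]))  # Global Administrator
```

The second call shows the case-sensitivity warning in practice: a department of "legal" in Okta does not match the team "Legal" and the user drops into the fallback team.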