
Configure SCIM for Okta

This article explains how to configure SCIM (System for Cross-domain Identity Management) integration between Okta and Gatekeeper.

Note: This article focuses on setting up SCIM integration using Okta. For generic information on SCIM, including best practices and troubleshooting steps, refer to the Introduction to SCIM Integration with Gatekeeper.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard used to automate the provisioning and management of users. It enables identity providers (IdPs), such as Okta, to securely synchronise user data with Gatekeeper, helping to ensure consistency and reduce manual tasks.

Supported SCIM Operations

The following SCIM operations are supported by the Gatekeeper Okta application:
  • User provisioning (Create, update, and delete)
  • User activation and deactivation
  • User profile synchronisation
  • Group push (Create, update, and delete)

Note: The User Import SCIM operation in Okta is not supported by the Gatekeeper Okta application.

Configuration

Permissions Required for Setup

To follow the steps, you’ll need:

  • An Okta account.
  • Appropriate admin roles in Okta (i.e. to create applications and manage group assignments).
  • Global Administrator permissions in Gatekeeper, with the Configuration additional permission.

Step 1: Set the Fallback Team and Mapping

The fallback team is where users will be assigned if their groups or permissions are deleted. The default mapping should grant only minimal permissions. To do this:

  1. From the navigation menu, expand Settings then click Configuration.
  2. Click System for Cross-domain Identity Management (SCIM).
  3. Select the relevant team from the Select Fallback Team dropdown list.
  4. Click the pencil icon on Default Mapping.
  5. Select the relevant permissions, then click Save.

[Screenshot: SCIM default mapping]

Additionally, you can control the default email report preferences applied when a user is first provisioned via SCIM. To manage this, enable or disable the Owned by Me and All Reports toggles as required.

[Screenshot: report toggles]

Note: These settings apply only the first time a user is provisioned. Gatekeeper will not overwrite the saved preferences of existing users.

Step 2: Set Up the Application in Okta

The next step is to create a new application in Okta to enable the SCIM connection with Gatekeeper.

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications.
  3. Click Browse App Catalog.
  4. Search for Gatekeeper.
  5. Click the official Gatekeeper Okta application.
  6. Click Add Integration.
  7. Fill in the following required fields:
    1. Application Label: Give the application a meaningful name.
    2. GK Region: Enter the region value from your tenant's URL. This field is case-sensitive. Available values are: apac (Asia-Pacific), ca (Canada), eu (EMEA), us (United States). For example, the value from https://eu.gatekeeperhq.com/3222/executive-dashboard is eu.
    3. Tenant ID: Enter the numeric ID from your tenant's URL. For example, the value from https://eu.gatekeeperhq.com/3222/executive-dashboard is 3222.
  8. Click Done.
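As an added example (not from the article or the Okta app itself), this Python helper derives the GK Region and Tenant ID values from a tenant URL and applies the same case-sensitive check to a region value that the Okta field does. The accepted region values and hostname pattern come from the article; the helper names are assumptions.

```python
import re
from urllib.parse import urlparse

# Region values the GK Region field accepts, exactly as the article lists them.
VALID_REGIONS = {"apac", "ca", "eu", "us"}

def tenant_settings_from_url(url: str) -> dict:
    """Return the GK Region and Tenant ID values for a Gatekeeper tenant URL.

    Raises ValueError if the host is not a recognised regional Gatekeeper host
    or if the first path segment is not a numeric tenant ID.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""      # urlparse already lower-cases the host
    match = re.fullmatch(r"([a-z]+)\.gatekeeperhq\.com", host)
    if not match or match.group(1) not in VALID_REGIONS:
        raise ValueError(f"not a Gatekeeper regional host: {host!r}")
    segments = [s for s in parsed.path.split("/") if s]
    if not segments or not segments[0].isdigit():
        raise ValueError(f"no numeric tenant ID in path: {parsed.path!r}")
    return {"GK Region": match.group(1), "Tenant ID": segments[0]}

def is_valid_tenant_url(url: str) -> bool:
    """True when tenant_settings_from_url() accepts the URL."""
    try:
        tenant_settings_from_url(url)
        return True
    except ValueError:
        return False

def check_region_field(value: str) -> bool:
    """True only for a value the case-sensitive GK Region field accepts;
    'EU', 'Eu' or ' eu' would all be rejected."""
    return value in VALID_REGIONS

if __name__ == "__main__":
    # Prints {'GK Region': 'eu', 'Tenant ID': '3222'} for the article's example URL.
    print(tenant_settings_from_url("https://eu.gatekeeperhq.com/3222/executive-dashboard"))
```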

Step 3: Configure Okta SSO

To enable user login using Okta, you must configure the Okta SSO Application and Gatekeeper. To do this, follow the instructions in Configure Okta SSO.

Step 4: Configure SCIM Provisioning

With SSO configured, the next step is to set up SCIM provisioning to automate user management between Okta and Gatekeeper.

  1. In your Gatekeeper tenant, from the navigation menu, expand Settings, then click Configuration.
  2. Click System for Cross-domain Identity Management (SCIM), then click Generate API Key.
  3. Copy the API Key. For security reasons, you won't be able to view the key again after clicking Copy & Save.
  4. Return to Okta, then navigate to the Provisioning tab and click Configure API Integration.
  5. Configure the settings as follows:
    1. Enter the generated API Key into the API Token field.
    2. Deselect the Import Groups checkbox.
    3. Click Test API Credentials.
  6. From the Provisioning tab, navigate to To App to configure the following settings, then click Save:
    1. Enable Create Users.
    2. Enable Update User Attribute.
    3. Enable Deactivate Users.
    4. Disable Sync Password. Users will use SSO to log in.

Step 5: Gatekeeper Team Name Attribute

By default, Gatekeeper creates the team name attribute and maps it to the Department attribute automatically. To change this mapping, within your Okta application, navigate to Profile Editor, then click Mappings.


Note: The department (or alternative) attribute value in Okta must match the team name in Gatekeeper exactly. This match is case-sensitive.

Step 6: Assign Users or Groups

Once provisioning is configured, you can assign users or groups to the SCIM-integrated application in Okta.

Note: Groups provisioned via SCIM are managed entirely by your IdP. The following actions are not available in Gatekeeper for SCIM-provisioned groups, by design:
  • You cannot rename a SCIM-provisioned group directly in Gatekeeper. Group names are controlled by the IdP, and update automatically when changed in Okta.
  • You cannot manually add or remove members from a SCIM-provisioned group in Gatekeeper. Membership is managed in Okta, and pushed to Gatekeeper via the group push operation.
This ensures Okta remains the single source of truth for group names and membership.

Step 7: Verify Provisioning in Gatekeeper

After assigning users or groups in Okta, verify that they have been successfully provisioned into Gatekeeper.

  1. In Gatekeeper, from the navigation menu, expand Settings, then click Configuration.
  2. Click System for Cross-domain Identity Management (SCIM).
  3. You should see the provisioned group and user appear. The system applies the default permissions initially.
  4. Click the pencil icon for the group to configure group permissions (e.g. Global Collaborator or Administrator), then click Save.

Note:

  • If a user is already synced, and you later update their group’s permissions, the user will automatically inherit the new permissions.
  • When a user belongs to multiple groups, Gatekeeper will:
    • Merge all assigned permissions.
    • Grant the highest privilege level among all groups.

  For example, a user in both Global Collaborator and Global Administrator groups will be assigned as Global Administrator, as this is the highest permission.
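As an added illustration (not code from the article or from Gatekeeper), the following Python models the merge rule above: all group permissions are combined and the highest role wins, with the Step 1 default mapping applied when none of a user's groups still has a mapping. The two role names are from the article; the mapping structure, the group names and the handling of users with no global role are assumptions made for the example.

```python
# Global roles named in the article, ordered from lowest to highest privilege.
PRIVILEGE_ORDER = ["Global Collaborator", "Global Administrator"]

def _rank(role):
    """Numeric rank of a role; None (no global role) ranks below every role."""
    return -1 if role is None else PRIVILEGE_ORDER.index(role)

def effective_access(user_groups, group_mappings, default_mapping):
    """Work out a user's effective role and permissions from their IdP groups.

    user_groups:     names of the Okta groups pushed for this user.
    group_mappings:  {group name: {"role": str | None, "permissions": set}},
                     the mapping saved per group in Gatekeeper's SCIM page
                     (structure assumed for this example).
    default_mapping: the Default Mapping from Step 1, applied when none of the
                     user's groups has a mapping, e.g. after the groups were
                     deleted (assumed to share the same structure).
    """
    mapped = [group_mappings[g] for g in user_groups if g in group_mappings]
    if not mapped:
        # No surviving group mapping: only the minimal default applies.
        return {"role": default_mapping["role"],
                "permissions": set(default_mapping["permissions"]),
                "source": "default mapping"}
    permissions = set()
    for m in mapped:
        permissions |= set(m["permissions"])          # merge all permissions
    role = max((m["role"] for m in mapped), key=_rank)  # highest privilege wins
    return {"role": role, "permissions": permissions, "source": "groups"}

# Constructed sample mappings (not from the article).
GROUP_MAPPINGS = {
    "Contract Owners": {"role": "Global Collaborator", "permissions": {"Contracts"}},
    "Gatekeeper Admins": {"role": "Global Administrator", "permissions": {"Configuration"}},
}
DEFAULT_MAPPING = {"role": None, "permissions": {"Reports"}}

if __name__ == "__main__":
    both = effective_access(["Contract Owners", "Gatekeeper Admins"],
                            GROUP_MAPPINGS, DEFAULT_MAPPING)
    # Prints: Global Administrator ['Configuration', 'Contracts']
    print(both["role"], sorted(both["permissions"]))
```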

Manage Groups in Gatekeeper

You can manage groups in Gatekeeper:

  1. From the navigation menu, expand Settings, then click Configuration.
  2. Click System for Cross-domain Identity Management (SCIM).

Once a group has pushed from Okta, it will appear in the table.

Edit Mappings for IdP Groups in Gatekeeper

To manage the permissions that will apply to users in that group:

  1. Click the pencil icon on the relevant group.
     [Screenshot: SCIM group mapping]
  2. Select the groups and permissions required.
  3. Click Save.

Note: The IdP groups can be assigned:


View Users in an IdP Group

To view which users have been synced as part of an IdP group, click the name of the IdP Group.

The table displays all active and pending users belonging to this IdP Group. Archived users are not displayed. The following information is included to help with troubleshooting and group membership audits:

  • Name: click this link to navigate to the user's profile page
  • Email
  • Status: Active or Pending
  • Team: the Gatekeeper team the user belongs to
  • Other IdP groups: all other groups the user is a member of
  • SCIM ID: the unique identifier assigned by the IdP
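The following Python is an added example, not part of the article or of Gatekeeper, showing how the columns above support a membership audit: it compares one Okta group's members with the Gatekeeper IdP group table on SCIM ID, flags pending users, and also applies the exact, case-sensitive department-to-team match that Step 5 requires. The data classes and all sample rows are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class OktaMember:
    scim_id: str
    email: str
    department: str   # Okta attribute mapped to the Gatekeeper team name

@dataclass(frozen=True)
class GatekeeperRow:
    scim_id: str
    email: str
    status: str       # "Active" or "Pending", as shown in the IdP group table
    team: str

def reconcile(okta_members, gk_rows):
    """Compare an Okta group's members with Gatekeeper's IdP-group user table.

    Findings, keyed by category, list SCIM IDs that are:
      missing       - in Okta but not provisioned into Gatekeeper
      stale         - in Gatekeeper but no longer in the Okta group (group push
                      should have revoked them)
      pending       - provisioned but not yet Active
      team_mismatch - Okta department differs from the Gatekeeper team
                      (the match must be exact and case-sensitive)
    """
    okta = {m.scim_id: m for m in okta_members}
    gk = {r.scim_id: r for r in gk_rows}
    findings = {"missing": [], "stale": [], "pending": [], "team_mismatch": []}
    findings["missing"] = sorted(okta.keys() - gk.keys())
    findings["stale"] = sorted(gk.keys() - okta.keys())
    for sid in sorted(okta.keys() & gk.keys()):
        if gk[sid].status == "Pending":
            findings["pending"].append(sid)
        if okta[sid].department != gk[sid].team:   # exact, case-sensitive
            findings["team_mismatch"].append(sid)
    return findings

# Constructed sample data (not from the article).
OKTA_GROUP = [
    OktaMember("u1", "ana@example.com", "Finance"),
    OktaMember("u2", "ben@example.com", "Legal"),
    OktaMember("u3", "cy@example.com", "finance"),     # wrong case vs. team
]
GK_TABLE = [
    GatekeeperRow("u1", "ana@example.com", "Active", "Finance"),
    GatekeeperRow("u3", "cy@example.com", "Pending", "Finance"),
    GatekeeperRow("u9", "old@example.com", "Active", "Finance"),  # left Okta group
]
```

Running `reconcile(OKTA_GROUP, GK_TABLE)` on the sample data reports u2 as missing, u9 as stale, and u3 as both pending and a team mismatch.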

[Screenshot: SCIM groups]

Remove Users

You cannot manually add or remove members from a SCIM-provisioned group in Gatekeeper. Membership is managed in Okta, and pushed to Gatekeeper via the group push operation. Removing a user from the group in Okta will revoke their Gatekeeper access.