A pre-requisite for this article is configuring Okta for SAML2 SSO.
Currently the 1Password SaaS Manager OIN app does not have SCIM enabled. The updated app is being processed by Okta. In the meantime, you may have to create a new SSO App for 1Password SaaS Manager in Okta.
Enabling SCIM for 1Password SaaS Manager in Okta
- Go to the General tab on the 1Password SaaS Manager app in Okta.
- Under App Settings select Edit.
- Select the Enable SCIM provisioning checkbox, then select Save.
- A new tab called Provisioning will appear. Select it, then select the Edit button.
Setting up the basic SCIM integration
In a separate tab, log in to SaaS Manager and select Settings > Users > Single Sign-On (SSO) > SCIM, then select Generate Token.
You will need the Base URL and the Bearer token for Okta.
The SCIM token won't be active until you select Enable SCIM. We recommend copying the Bearer token to the clipboard before you enable SCIM. The Base URL will still be available.
Go back to Okta and fill in the following fields:
- Paste the SaaS Manager Base URL into SCIM connector base URL.
- Enter userName into Unique identifier field for users.
- Check Import New Users and Profile Updates, Push New Users, and Push Profile Updates.
- For Authentication Mode, choose HTTP Header.
- Paste the SaaS Manager Bearer token into the Authorization field.
If you've selected Enable SCIM in SaaS Manager, you can now select Test Connector Configuration in Okta. The first four test connector options should be checked. Select Close, then select Save in Okta.
Configuring provisioning options
After you complete the previous step, the page will refresh, and with To App selected on the left-hand side, you can now select Edit again on the Provisioning tab.
Check the following options:
- Create Users
- Update User Attributes
- Deactivate Users
Then select Save.
Importing users from SaaS Manager into Okta
If you will sometimes invite users directly from SaaS Manager, you will want to configure a scheduled import.
- In Okta, select To Okta, then choose the Schedule import frequency you want and select Save.
- You will now see a User Creation & Matching panel. We recommend changing the default values to set Auto-confirm exact matches.
- Finally, we recommend running an initial import. Navigate to the Import tab and select Import Now.
You may see a user with a "scim-" prefix. This is the SaaS Manager service account that Okta authenticates as, using the token you generated earlier. It's returned as a SaaS Manager user, but you should choose to ignore the assignment.
Select Confirm Assignments when done.
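The following is an added example, not code from 1Password or Okta. It builds the userName lookup that matches the connector settings above (Bearer token in an HTTP header) and separates the "scim-" service account from real people in a user list. It assumes a SCIM 2.0 (RFC 7644) endpoint; the base URL, token, sample users and function names are placeholders.

```python
import json
import urllib.parse
import urllib.request

SERVICE_PREFIX = "scim-"  # prefix the article gives for the service account


def build_user_lookup(base_url, bearer_token, user_name):
    """Build (not send) a SCIM GET that looks a user up by userName."""
    # json.dumps quotes and escapes the value so it cannot alter the filter.
    scim_filter = f"userName eq {json.dumps(user_name)}"
    query = urllib.parse.urlencode({"filter": scim_filter})
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/Users?{query}",
        headers={
            "Authorization": f"Bearer {bearer_token}",
            "Accept": "application/scim+json",
        },
        method="GET",
    )


def split_import(list_response):
    """Separate people from the SCIM service account in a ListResponse."""
    people, service = [], []
    for resource in list_response.get("Resources", []):
        name = resource.get("userName", "")
        (service if name.startswith(SERVICE_PREFIX) else people).append(name)
    return people, service


# Constructed sample data; not real output from SaaS Manager.
SAMPLE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"id": "1", "userName": "ana@example.com", "active": true},
    {"id": "2", "userName": "scim-0000placeholder", "active": true},
    {"id": "3", "userName": "raj@example.com", "active": true}
  ]
}
""")

if __name__ == "__main__":
    # Placeholder URL and token (assumptions); nothing is sent over the network.
    req = build_user_lookup("https://scim.example.invalid/v2", "PLACEHOLDER_TOKEN", "ana@example.com")
    print(req.get_method(), req.full_url)
    print(split_import(SAMPLE))
```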
Testing the SCIM connection
You can test by creating a new Okta user and assigning them to SaaS Manager.
In SaaS Manager, go to People, and select SaaS Manager access. The new user should appear. Select the person's profile to manage their access in more detail.