Set up an App in Okta for User & Group Provisioning
Last modified on September 13, 2024
User provisioning lets you continue to manage your organization’s users in one place and have those users populated into StrongDM. Provisioning removes the need to create a duplicate set of users in StrongDM for users that already exist in your identity management service. When provisioning users, the users are set up in the external service and are then synced to StrongDM. Provisioned users cannot be edited individually within StrongDM: changes are made at the source and synced to StrongDM afterward. These users are given access to resources in the same manner as native users, by assigning them to Roles that contain the desired access permissions.
This guide will show you how to deploy an Okta app integration using System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled a SCIM app integration with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between Okta and StrongDM.
Requirements
- If you are currently using the Okta script we provided to do directory sync through the StrongDM API, please disable that before activating the SCIM Provisioning integration.
- You must be a StrongDM user with the Administrator permission level and a user with administrator rights in your Okta account.
Supported Features
The following provisioning features are supported by StrongDM:
- Push Users: Users in Okta that are assigned to the StrongDM application within Okta are automatically added as users in StrongDM.
- Update User Attributes: When user attributes are updated in Okta (first name, last name, email address), they will be updated in StrongDM.
- Deactivate Users: When users are deactivated in Okta or unassigned from the StrongDM application, they will be Suspended within StrongDM.
- Push Groups: Groups and their users in Okta can be pushed to StrongDM as Roles (group information from Okta can be used to map users to StrongDM Roles).
- Import Groups: Roles from StrongDM can be imported into Okta as Groups at setup.
- Import Users: Users from StrongDM can be imported into Okta at setup.
Step-by-step Configuration Instructions
These instructions walk you through the process of adding a SCIM application in Okta and grabbing your token from the StrongDM Admin UI. We recommend that you keep both Okta and the Admin UI open in your browser so you can easily tab between them.
- Log in to your Okta account.
- From the Admin Console, go to Applications > Applications and click Browse App Catalog (if you have already added the StrongDM app through our Okta SSO guide, skip ahead to the step that opens the Provisioning tab).
- Search for and select the “StrongDM” app, then click Add.
- Enter the Base URL for API requests to your StrongDM region:
- Change the label for the app if you’d like, then click Done.
- On the Sign On tab, click Edit in the upper-right, then in the Credentials Details section set Application username format to “Email”.
- Click Save.
- Select the Provisioning tab and then click Configure API Integration.
- Select the checkbox for Enable API Integration.
- API Token: Get the StrongDM SCIM token by following these steps:
Go to the StrongDM Admin UI’s Settings > User Management > Provisioning section.
Set the SCIM Provider option to Okta.
Click Activate SCIM and then copy and save the token generated.
Go back to your Okta console and fill the API Token field with the token you copied.
For example:
aabb12fjfl445...jkhksjhf98345un
- Click Test API Credentials to test whether the integration can connect to the SCIM API. If there are errors, make sure your base URL and API token are correct and try again.
- Click Save to finish the integration setup.
Configure Provisioning options
Next, configure SCIM options so that the integration knows how to handle provisioning of the users and groups from Okta into StrongDM.
- On the Provisioning tab of the Okta integration, select the To App tab from the left-hand side and then click Edit.
- Select the checkboxes to enable the following options:
- Create Users: This enables Okta to create Users in StrongDM, based on assigned users in Okta. If Okta detects an existing StrongDM User that has the same email address as an existing Okta user, Okta will take control of that StrongDM User. If there isn’t an existing StrongDM User with that email, Okta will create a new User in StrongDM.
- Update User Attributes: This enables Okta to update the name and email addresses of StrongDM Users based on changes to that User in Okta.
- Deactivate Users: This enables Okta to suspend Users in StrongDM when they are unassigned from the application within Okta. These Users will also be reinstated if they are assigned back to the StrongDM application within Okta.
- Select Save.
Setup is now complete!
Troubleshooting and Tips
Due to the nature of how Okta integrates through SCIM 2.0, there are a few limitations and usage tips to be aware of.
Your Initial Provisioning of Users and Groups
Once you’ve configured provisioning within Okta, follow these steps in order to sync your initial set of Okta users and groups with StrongDM.
Go to the Assignments tab, click Assign, and then choose the Assign to Groups option.
- Assign to Groups lets you assign groups of Okta users to StrongDM.
- The Okta users that you select here will be assigned to StrongDM. If they already exist in StrongDM, Okta will take control of them. If they don’t already exist in StrongDM, Okta will create them.
- If you’re using Okta as your SSO with StrongDM, we recommend using a shared Okta group to assign users to both of these StrongDM apps.
Go to the Push Groups tab, click the Push Groups button, and choose the Find groups by name option.
- Enter text in the box to search for the Okta groups you want to add to StrongDM as Roles.
- If a StrongDM Role with that same name doesn’t already exist, you will be provided the option to create that Role or link this group to an existing StrongDM Role of a different name.
- Select Save & Add Another to keep going, or just Save when you are done adding Okta groups.
Please note:
An Okta user needs to be both assigned to StrongDM and part of an Okta group pushed to StrongDM in order for the associated StrongDM User to be assigned to the StrongDM Role.
On the Provisioning tab in the application, scroll down and click Force Sync to initiate the sync process for the first time. The first sync may take some time to complete, so wait and let the process finish.
In the StrongDM Admin UI:
- Go to the Users page to confirm that Users look as expected.
- Go to the Roles page to check that Roles look as expected.
Individual administrator account(s)
It is recommended that your organization have at least one User with the Administrator permission level who is assigned individually within Okta, so that you always have access to an account with administrator privileges. This matters in a “break glass” situation in which a group assignment is accidentally removed from Okta, causing all administrative users to be suspended and locking everyone out. To assign a User individually, go to Okta’s Assignments tab and use the Assign to People option.
Okta Provisioning Management
After the initial sync is complete, you should see that the Users and Roles in the StrongDM Admin UI match the Okta users and groups that you chose in the previous steps.
Going forward, any changes you make in Okta will be reflected in StrongDM when you:
- Assign and unassign users from the application.
- Link and unlink groups from the application.
- Add and remove users from groups in Okta.
Information about Okta Managed Users and Groups
Users and groups that are assigned/linked to StrongDM from within Okta will be considered “Okta Managed” and are mostly read-only from a StrongDM perspective. Any time you assign a new Okta user to the StrongDM application, we recommend using the Force Sync button from the Provisioning tab in Okta.
Here’s how Okta Managed Users are handled:
- An Okta user who is unassigned from the StrongDM application will suspend that User within StrongDM.
- An Okta group that is unlinked from the StrongDM application will remove Users from that StrongDM Role within StrongDM and then delete that Role.
- An Okta user who is added to an Okta group will attach that StrongDM User to that Role in StrongDM.
Identity Aliases
If you intend to use Identity Aliases for your users, you can send multiple Identity Alias values from Okta. This section describes how to set up Okta to pass Identity Set and Identity Alias values for users when they are provisioned.
To set up Identity Aliases for your users, follow these steps.
- In Okta, add a string array attribute for Identity Aliases to the profile for the default Okta user.
- Add the required attribute to the profile for the provisioning application, with the following values:
- Data type: string array
- Display name: Identity Aliases
- External name: identityAliases
- External namespace: urn:ietf:params:scim:schemas:extension:strongdm:2.0:User
- Attribute type: Personal
- Mutability: READ_WRITE
- Use the Mappings button to map the Okta attribute to the application attribute and to map the application attribute to the Okta attribute. Doing so will tell Okta what to send to StrongDM when Identity Aliases in their Okta profile change.
- Go to a user profile and enter values for the new Identity Aliases custom array that you just created. Each value must be entered as a comma-delimited pair in the format <IDENTITY_SET_NAME>,<NAME_OF_IDENTITY_ALIAS_IN_THAT_IDENTITY_SET> (for example, rdp-set,alice-rdp-alias). Your organization can have multiple Identity Sets, and every user can have multiple Identity Aliases, but each user is allowed to have only one Identity Alias per Identity Set. If your user has multiple Identity Aliases, enter all of them as separate entries on the user’s profile.
For example, if your organization has two Identity Sets called RDP Set and SSH Set, and user Alice has a different Identity Alias for each set, add them like so:
rdp-set,alice-rdp-alias
ssh-set,alice-ssh-alias
When provisioned, the user in StrongDM will have the specified Identity Aliases, in those Identity Sets, in their user profile.
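As an added example (not StrongDM’s or Okta’s own code), the script below validates a user’s Identity Aliases entries against the rules above and composes the SCIM 2.0 User resource carrying the StrongDM extension. The extension namespace, the external attribute name identityAliases, the “set,alias” entry format and the one-alias-per-Identity-Set rule come from this guide; the exact shape of the extension object on the wire and all user data are assumptions, and the sample users are constructed.

```python
"""Validate Identity Alias entries and build the SCIM User payload.

Added example for this guide, not StrongDM's or Okta's own code. Grounded in
the guide: the external name (identityAliases), the extension namespace, the
"set,alias" entry format and the one-alias-per-Identity-Set rule. Assumed: the
exact wire shape of the extension object, and all sample user data below.
"""
from __future__ import annotations

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
STRONGDM_USER_EXT = "urn:ietf:params:scim:schemas:extension:strongdm:2.0:User"


def validate_identity_aliases(values: list[str]) -> list[str]:
    """Return a list of problems (empty when every entry is acceptable).

    Rules checked: exactly one comma per entry, a non-empty set name and
    alias on each side, and no Identity Set listed twice for the same user.
    """
    problems: list[str] = []
    seen: dict[str, str] = {}
    for raw in values:
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 2 or not all(parts):
            problems.append(f"malformed entry {raw!r}; expected '<set>,<alias>'")
            continue
        identity_set, alias = parts
        if identity_set in seen:
            problems.append(
                f"identity set {identity_set!r} listed twice "
                f"({seen[identity_set]!r} and {alias!r}); one alias per set is allowed"
            )
            continue
        seen[identity_set] = alias
    return problems


def parse_identity_aliases(values: list[str]) -> dict[str, str]:
    """Map Identity Set name -> alias, raising ValueError on any problem."""
    problems = validate_identity_aliases(values)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        identity_set.strip(): alias.strip()
        for identity_set, alias in (v.split(",", 1) for v in values)
    }


def build_scim_user(email: str, given: str, family: str, alias_values: list[str]) -> dict:
    """Compose the SCIM 2.0 User resource with the StrongDM extension attached.

    Core attributes follow RFC 7643. The extension object is the assumed wire
    shape for the attribute defined in this guide: the validated "set,alias"
    strings are forwarded unchanged under the extension namespace.
    """
    parsed = parse_identity_aliases(alias_values)  # fail early on bad profile data
    return {
        "schemas": [SCIM_CORE_USER, STRONGDM_USER_EXT],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
        STRONGDM_USER_EXT: {
            "identityAliases": [f"{s},{a}" for s, a in parsed.items()],
        },
    }


if __name__ == "__main__":
    import json

    # Constructed sample: Alice has one alias in each of two Identity Sets.
    alice = ["rdp-set,alice-rdp-alias", "ssh-set,alice-ssh-alias"]
    print(json.dumps(build_scim_user("alice@example.com", "Alice", "Example", alice), indent=2))

    # A second alias in the same Identity Set is rejected before anything is sent.
    print(validate_identity_aliases(["rdp-set,alice-rdp-alias", "rdp-set,alice-other"]))
```

Run the validation over exported Okta profiles before enabling the attribute mapping: an entry with a missing half or a duplicated Identity Set is the kind of data that is easy to type into a profile field and hard to spot in the Admin UI afterward.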
Information about user management in StrongDM
In addition to managing Users and Roles through Okta, you have the flexibility to continue managing your users and roles directly through StrongDM.
Here’s what you can do:
- Manually create Users, Service Accounts, and Roles within StrongDM—these will be identified with the sdm badge in the Admin UI indicating that they are “StrongDM Managed.”
- Attach StrongDM Managed Users and Service Accounts to both StrongDM Managed Roles and Okta Managed Roles from within StrongDM.
- Attach Okta Managed Users to StrongDM Managed Roles from within StrongDM.
- Set Permission Levels for Users within the Admin UI for both StrongDM Managed and Okta Managed Users.
- Grant access through Roles and Temporary Access for Users from within StrongDM.
If Okta suspends Users, they won’t be unassigned from StrongDM
Okta has an option to “suspend” users. Doing so will not unassign the user from the StrongDM application and therefore won’t suspend their corresponding Okta Managed User in StrongDM. Make sure to either unassign the Okta user from the application or deactivate the Okta user from within Okta in order to remove their StrongDM access as well. Okta does not communicate this information to StrongDM in any other way.
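The reconciliation script below is an added example (not StrongDM’s or Okta’s code) for this suspend gap and for the “Individual administrator account(s)” recommendation above. It flags Okta users who are suspended but whose StrongDM User is still active, flags Okta Managed StrongDM Users that are active although no longer assigned in Okta (a sync that has not run yet), and confirms that at least one Administrator is assigned individually. The record shapes and the sample users are constructed; in practice you would populate them from the Okta and StrongDM APIs.

```python
"""Reconcile Okta user state against StrongDM to catch access not removed.

Added example for this guide, not StrongDM's or Okta's code. Acts on two points
the guide makes: an Okta "suspend" is not relayed to StrongDM (only unassignment
or deactivation suspends the StrongDM User), and at least one Administrator
should be assigned to the app individually as a break-glass account.
The record shapes and SAMPLE_* data are constructed, not API schemas.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class OktaUser:
    email: str
    status: str               # Okta lifecycle status: ACTIVE, SUSPENDED, DEPROVISIONED, ...
    assigned_to_app: bool     # currently assigned to the StrongDM app (directly or via group)
    direct_assignment: bool   # assigned via "Assign to People", not only through a group


@dataclass(frozen=True)
class SdmUser:
    email: str
    suspended: bool
    permission_level: str     # e.g. "Administrator"
    okta_managed: bool        # True for SCIM-provisioned users, False for "StrongDM Managed"


def find_suspend_drift(okta: list[OktaUser], sdm: list[SdmUser]) -> list[str]:
    """Emails of users suspended in Okta whose StrongDM User is still active.

    SCIM only carries unassignment and deactivation, so a suspended Okta user
    who remains assigned to the app keeps a live StrongDM account.
    """
    sdm_by_email = {u.email.lower(): u for u in sdm}
    drift = []
    for o in okta:
        s = sdm_by_email.get(o.email.lower())
        if s is None or not s.okta_managed:
            continue  # no StrongDM account, or a StrongDM Managed one
        if o.status == "SUSPENDED" and o.assigned_to_app and not s.suspended:
            drift.append(o.email)
    return sorted(drift)


def find_orphaned_sdm_users(okta: list[OktaUser], sdm: list[SdmUser]) -> list[str]:
    """Okta Managed StrongDM Users still active although unassigned in Okta.

    Unassignment suspends the StrongDM User on sync, so a hit here usually
    means Force Sync has not run since the change.
    """
    okta_by_email = {u.email.lower(): u for u in okta}
    orphans = []
    for s in sdm:
        if not s.okta_managed or s.suspended:
            continue
        o = okta_by_email.get(s.email.lower())
        if o is None or not o.assigned_to_app:
            orphans.append(s.email)
    return sorted(orphans)


def breakglass_admins(okta: list[OktaUser], sdm: list[SdmUser]) -> list[str]:
    """Administrators assigned individually in Okta and not suspended in StrongDM.

    An empty result means removing one Okta group could suspend every admin.
    """
    okta_by_email = {u.email.lower(): u for u in okta}
    admins = []
    for s in sdm:
        if s.permission_level != "Administrator" or s.suspended or not s.okta_managed:
            continue
        o = okta_by_email.get(s.email.lower())
        if o is not None and o.status == "ACTIVE" and o.direct_assignment:
            admins.append(s.email)
    return sorted(admins)


def reconcile(okta: list[OktaUser], sdm: list[SdmUser]) -> dict:
    """Run all checks; "clean" is True only when nothing needs attention."""
    report = {
        "suspend_drift": find_suspend_drift(okta, sdm),
        "orphaned_active": find_orphaned_sdm_users(okta, sdm),
        "breakglass_admins": breakglass_admins(okta, sdm),
    }
    report["clean"] = (not report["suspend_drift"] and not report["orphaned_active"]
                       and bool(report["breakglass_admins"]))
    return report


# Constructed sample data (assumed, not exported from any tenant).
SAMPLE_OKTA = [
    OktaUser("alice@example.com", "ACTIVE", True, True),         # individually assigned admin
    OktaUser("bob@example.com", "SUSPENDED", True, False),       # suspended, still assigned
    OktaUser("carol@example.com", "DEPROVISIONED", False, False),
    OktaUser("dan@example.com", "ACTIVE", False, False),         # unassigned from the app
]
SAMPLE_SDM = [
    SdmUser("alice@example.com", False, "Administrator", True),
    SdmUser("bob@example.com", False, "User", True),             # still active: drift
    SdmUser("carol@example.com", True, "User", True),            # correctly suspended
    SdmUser("dan@example.com", False, "User", True),             # not yet synced
    SdmUser("svc-admin@example.com", False, "Administrator", False),  # StrongDM Managed
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_OKTA, SAMPLE_SDM))
```

Suspended Okta users that show up under suspend_drift should be unassigned from the StrongDM app or deactivated in Okta, as the guide describes; the script only reports, it does not change either system.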
Options to avoid
When unlinking an Okta group from StrongDM, we strongly encourage you not to select the option to “Leave the group in the target app.” Selecting that option will cause the following to happen:
- The corresponding Okta Managed Role in StrongDM will persist in a read-only state.
- You won’t be able to delete the corresponding Okta Managed Role within StrongDM.
- Okta Managed Users attached to the Role will continue to have the access granted by the Role and cannot be unattached within StrongDM.
If you end up in this situation, just relink the Okta group to the StrongDM Role from within Okta. Going forward, you will be able to remove the Okta Managed Group properly.
When trying to push a Group from Okta to StrongDM, if a StrongDM Role with the same name already exists and you choose the “Create Group” option within Okta, you will get an error. In a case like this, you should click the Refresh App Groups button in Okta, then choose the “Link Group” option when pushing the Group. This will correctly link the Okta Group with the matching StrongDM Role.