Configuring a SCIM Link Between Moxion and Okta
SCIM (Standard for Cross-Domain Identity Management) 2 is a standard that allows users created in Okta to be pushed into Moxion. This means that users onboarded and offboarded in Okta will automatically be added and retired in Moxion.
When using SCIM, Okta becomes the Source of Truth about users. Okta will be the only place that users are created, onboarded and offboarded. Generally speaking, it will no longer be possible to create ad-hoc users in Moxion. We also support SCIM push groups to update a nominated Moxion team with the members of an Okta group. As users are added and removed from that Okta group, the Moxion team is kept up to date.
Security administration of users (assignment of permissions, teams etc) is still performed within the Moxion webapp, but the actual creation and deletion of the users themselves is handled in Okta.
You will need:
- An API user that has adequate permissions to add and remove users from a company. In effect, this means that the user must be in the Moxion Company Admins team. Removing this user from the Company Admins team may break SCIM.
- This API user must also be enabled for SCIM. This is a company-level setting that is made by a Moxion system administrator.
- SCIM Gateway credentials, which will be established by a Moxion system administrator. Moxion will add appropriate security configuration to the Moxion SCIM server, and give you the relevant URLs and credentials that will be needed for the Okta setup.
Moxion can assist with the process of setting up an API user.
Setting up SCIM in Okta
This process is performed by an Okta administrator. Begin by logging into the Okta admin console. Switch the Okta administration console into Classic Mode.
Add an Application. Search for and select SCIM 2.0 Test App (Basic Auth). Add this app.
In the General Settings page, set the fields to the following:
| Field | Value |
|---|---|
| Application Label | Okta to Moxion SCIM Gateway |
| Application visibility | Off for all options |
Select the Provisioning page and click Configure an API Integration:
Check the Enable API Integration box.
Fill in the fields as follows:
| Field | Value |
|---|---|
| SCIM 2.0 Base URL | As provided by Moxion |
| Username | As provided by Moxion |
| Password | As provided by Moxion |
Click Test API Credentials and verify the connection is good.
When the provisioning setup has been accepted, navigate to the Provisioning > To App tab and click Edit.
Set the fields as follows:
| Setting | Value |
|---|---|
| Update user attributes | Enable |
| Sync password | Off (Disable) |
| Profile mappings | Leave as default |
The default settings on the To Okta and Integration tabs do not need to be changed.
Navigate to the Assignments Tab. Add your Moxion Users (or equivalent) group as an assignment. This means that Okta users that are assigned to this Group will be SCIM provisioned.
At this point, any users created in Okta will be automatically provisioned into Moxion. You will see them appear in the Participants panel in the Moxion Webapp, although they will not be assigned to any teams or folders by default. Auto-assignment to teams can be accomplished by configuring Push Groups.
Configuring Push Groups
SCIM Push Groups may be configured to keep Moxion teams up to date with Okta groups. As the membership of a pushed Okta group changes, the Moxion team members will be updated to match.
In order to use this feature, you must have:
- An Okta group with members you wish to push across to a Moxion team.
- A pre-existing Moxion team to link your Okta group to. The SCIM integration does not support creating teams from Okta groups, as Okta groups lack sufficient security context information to meaningfully create a Moxion team.
Navigate to the Push Groups tab. Always start by clicking the Refresh App Groups button.
To set up a new Push Group, drop down the green Push Groups button and select Find Groups by Name:
- Search for the Okta Group you wish to push.
- Choose Link Group (not Create Group).
- From the dropdown, choose the Moxion Team to update.
- Click Save.
- At this point, the Push Group will engage and start updating the nominated Moxion team. You can monitor the current status of the push groups from the Push Group tab.
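To make the push-group behaviour described above concrete, the following added example (not Moxion's or Okta's code) applies a SCIM 2.0 PatchOp message, as defined in RFC 7644, to the member set of a linked team. The function name, the member ids and the sample message are constructed for illustration, and it assumes membership changes arrive as PatchOp operations on the `members` attribute.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Filtered path that targets one member, e.g. members[value eq "u2"]
ONE_MEMBER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def apply_group_patch(team_members, patch):
    """Return the member-id set after applying a SCIM PatchOp to a linked team."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp message")
    members = set(team_members)  # copy, so the caller's set is not mutated
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()  # op names are case-insensitive
        path = op.get("path") or ""
        single = ONE_MEMBER.match(path)
        if path == "members" and kind in ("add", "replace"):
            ids = {m["value"] for m in op.get("value", [])}
            members = members | ids if kind == "add" else ids
        elif path == "members" and kind == "remove":
            members = set()  # remove with no filter clears the attribute
        elif single and kind == "remove":
            members.discard(single.group(1))
        # Anything else (e.g. a displayName change) does not affect membership.
    return members


# Constructed sample: the team currently holds u1 and u2; the group push
# adds u3 and removes u2. All ids are made up for illustration.
SAMPLE_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "add", "path": "members",
         "value": [{"value": "u3", "display": "new.user@example.com"}]},
        {"op": "remove", "path": 'members[value eq "u2"]'},
    ],
}

if __name__ == "__main__":
    print(sorted(apply_group_patch({"u1", "u2"}, SAMPLE_PATCH)))
```

Reviewing messages of this shape in the provisioning logs is a practical way to confirm that a removal from the Okta group actually reached the linked team.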