Configuring a SCIM Link Between Flow Capture and Okta

SCIM (Standard for Cross-Domain Identity Management) 2 is a standard that allows users created in Okta to be pushed into Flow Capture. This means that users onboarded and offboarded in Okta are automatically added and retired in Flow Capture.

When using SCIM, Okta becomes the Source of Truth about users. Okta will be the only place that users are created, onboarded and offboarded. Generally speaking, it will no longer be possible to create ad-hoc users in Flow Capture. We also support SCIM push groups to update a nominated Flow Capture team with the members of an Okta group. As users are added and removed from that Okta group, the Flow Capture team is kept up to date.

Security administration of users (assignment of permissions, teams, etc.) is still performed within the Flow Capture webapp, but the actual creation and deletion of the users themselves is handled in Okta.

Getting started

You will need:

  • An API user that has adequate permissions to add and remove users from a company. In effect, this means that the user must be in the Flow Capture Company Admins team. Removing this user from the Company Admins team may break SCIM.
  • This API user must also be enabled for SCIM. This is a company-level setting that is made by a Flow Capture system administrator.
  • SCIM Gateway credentials, which will be established by a Flow Capture system administrator. Flow Capture will add appropriate security configuration to the Flow Capture SCIM server, and give you the relevant URLs and credentials that will be needed for the Okta setup. 

Flow Capture can assist with the process of setting up an API user.

Setting up SCIM in Okta

This process is performed by an Okta administrator. Begin by logging into the Okta admin console. Switch the Okta administration console into Classic Mode.

Add an Application. Search for and select SCIM 2.0 Test App (Basic Auth). Add this app. 

In the General Settings page, set the fields to the following:

  • Application Label: Okta to Flow Capture SCIM Gateway
  • Application visibility: Off for all options

Select the Provisioning page and click Configure an API Integration:

Check the Enable API Integration box.

Fill in the fields as follows:

  • SCIM 2.0 Base URL: As provided by Flow Capture
  • Username: As provided by Flow Capture
  • Password: As provided by Flow Capture
  • Import groups: On

Click Test API Credentials and verify the connection is good.

When the provisioning setup has been accepted, navigate to the Provisioning > To App tab and click Edit.

Set the fields as follows:

  • Create users: Enable
  • Update user attributes: Enable
  • Deactivate user: Enable
  • Sync password: Off (Disable)
  • Profile mappings: Leave as default

The default settings on the To Okta and Integration tabs do not need to be changed.

Navigate to the Assignments Tab. Add your Flow Capture Users (or equivalent) group as an assignment. This means that Okta users that are assigned to this Group will be SCIM provisioned.

At this point, any users created in Okta will be automatically provisioned into Flow Capture. You will see them appear in the Participants panel in the Flow Capture webapp, although they will not be assigned to any teams or folders by default. Auto-assignment to teams can be accomplished by configuring Push Groups.

Configuring Push Groups

SCIM Push Groups may be configured to keep Flow Capture teams up to date with Okta groups. As the membership of a pushed Okta group changes, the Flow Capture team members will be updated to match.

In order to use this feature, you must have:

  • An Okta group with members you wish to push across to a Flow Capture team.
  • A pre-existing Flow Capture team to link your Okta group to. The SCIM integration does not support creating teams from Okta groups, as Okta groups lack sufficient security context information to meaningfully create a Flow Capture team.

Navigate to the Push Groups tab. Always start by clicking the Refresh App Groups button.

To set up a new Push Group, drop down the green Push Groups button and select Find Groups by Name:

  • Search for the Okta Group you wish to push.
  • Choose Link Group (not Create Group).
  • From the dropdown, choose the Flow Capture Team to update.
  • Click Save.
  • At this point, the Push Group will engage and start updating the nominated Flow Capture team. You can monitor the current status of the push groups from the Push Group tab.
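
To make the Push Groups and Deactivate user behaviour described above concrete, the following added example (not code from Flow Capture or Okta) builds the standard SCIM 2.0 (RFC 7644) PatchOp messages a SCIM client sends when a linked group's membership changes or a user is offboarded, and applies the group patch on a stand-in receiver. The user ids, function names and the in-memory receiver are assumptions made for illustration; Flow Capture's server implementation is not shown on this page.

```python
# Added example: constructed data, not Flow Capture or Okta code.
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def group_push_patch(linked_team_members, okta_group_members):
    """Build the RFC 7644 PatchOp body that brings a linked team in line
    with the Okta group (the Okta group is the source of truth)."""
    current, desired = set(linked_team_members), set(okta_group_members)
    ops = []
    to_add = sorted(desired - current)
    if to_add:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in to_add]})
    for uid in sorted(current - desired):
        ops.append({"op": "remove", "path": f'members[value eq "{uid}"]'})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def deactivate_patch():
    """PatchOp matching 'Deactivate user': retire the account via active=false."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}


def apply_group_patch(members, patch):
    """Hypothetical receiver side: apply add/remove member operations."""
    result = set(members)
    for op in patch["Operations"]:
        if op["op"] == "add":
            result |= {m["value"] for m in op["value"]}
        elif op["op"] == "remove":
            uid = op["path"].split('"')[1]  # members[value eq "<id>"]
            result.discard(uid)
    return sorted(result)


if __name__ == "__main__":
    team = ["u-alice", "u-bob"]          # constructed SCIM user ids
    okta_group = ["u-alice", "u-carol"]  # bob removed, carol added in Okta
    patch = group_push_patch(team, okta_group)
    print(json.dumps(patch, indent=2))
    print(apply_group_patch(team, patch))
    print(json.dumps(deactivate_patch()))
```

An empty Operations list means the team already matches the Okta group, which makes the same diff usable as a drift check when auditing team membership.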