How do I provision users from a third party with OKTA?
Required Feature Flags
The following feature flags and permissions are required to use this feature:
Feature Flag | Technical Name | Description |
SCIM User Provisioning | | Enables SCIM-based automatic user provisioning from your identity provider |
Required Permissions:
Manage security settings (admin.security.settings): to generate the SCIM URL and secret and configure provisioning
Overview
Using the SCIM specification, you can automatically import users from your Identity Provider (such as Active Directory/Entra ID or OKTA) into evaluagent.
Prerequisites
To provision users for evaluagent, you must use one of the supported third-party user management solutions:
Azure Active Directory / Entra ID
OKTA
If the solution you're using is supported, proceed through this guide to get set up and allow users to be synchronised.
Getting Started
Go to Settings > Security settings > click the SCIM Provisioning tab > click Generate.
You may see a spinning icon for a few seconds while the request is being processed.
Upon completion, you will be shown two fields:
_SCIM Provision URL_
_SCIM Secret_
Please Note
The _SCIM Secret_ will only be shown once; thereafter, only the URL will be visible when you revisit the page. This is intentional, for security reasons.
Take note of the URL and the Secret displayed here, as they will be required later on when setting up your application in OKTA.
In terms of setting up on evaluagent, that's it! Next, we will look at what you need to do in OKTA.
Setting Up Within OKTA
First, ensure you have the relevant permissions in OKTA to manage users, groups, and other enterprise applications.
Creating the application
_Select Create App Integration_ from the applications list in OKTA.
_Create_ an _App name_ in General settings, then _click Next._ Under the Configure SAML tab, add the 'Single sign-on URL' and 'Audience URI (SP Entity ID)', then _click Next_.
This will take you to the General tab, which shows the App Settings screen. Here, make sure the 'Enable SCIM provisioning' option has been selected; if not, _click Edit_ and select _'Enable SCIM provisioning'_.
Once enabled, _click_ on the Provisioning tab and _select Edit_.
Once you have done this, go into _evaluagent -> Settings -> Security settings_ tab and _select the SCIM provisioning tab and click Generate Unique SCIM URL._
The following screen will appear once generated:
Once generated, _copy the SCIM Provision URL_ and _paste the URL into the SCIM connector base URL_, as shown below, and then _copy the SCIM Secret_ and _paste the secret into the Authorisation box_. The 'Unique identifier field for users' needs to be 'email'. Then _select 'Push New Users'_ and _'Push Profile Updates'_, change the _'Authentication Mode'_ to _'HTTP Header'_, and _select save_.
Handling Third-Party Users in evaluagent
Once users are sent from OKTA to evaluagent, they're placed in a "Pending" state, and an action is required to activate them, similar to how manual user creation works.
Go to User Management > Add & edit users and review users with the Pending label.
If there are pending users that need actioning, a count in the _Pending Users_ tab shows at a glance whether any users are waiting.
When a third-party user management solution is used under a contract, manual user creation is disabled in evaluagent, as this should be handled within the third-party platform.
When a user is pending, you can click the _Pending_ status button to open the edit modal. The forename, surname, email, and username fields are locked and can't be edited. Only fields specific to evaluagent are editable.
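To make the flow above concrete, here is an added example (not evaluagent's or OKTA's code) of the shape of a SCIM 2.0 create-user request that carries the secret in an HTTP header, together with a hypothetical receiver that rejects a wrong secret and stages the four locked fields as Pending. The URL, secret, function names, the Bearer scheme, SCIM 2.0 and the username-equals-email mapping are all assumptions.

```python
import hmac
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

def build_create_user(base_url, secret, forename, surname, email):
    """Shape of a SCIM 2.0 create-user call (RFC 7644) authenticated by HTTP header."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": email,  # assumption: the username is the email address
        "name": {"givenName": forename, "familyName": surname},
        "emails": [{"value": email, "primary": True}],
    }
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/Users",
        # Assumption: the secret travels as a Bearer token in the Authorization header.
        "headers": {"Authorization": "Bearer " + secret,
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(body),
    }

def receive_create_user(request, expected_secret):
    """Hypothetical receiver: check the header, then stage the user as Pending."""
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    # Constant-time comparison avoids leaking the secret through response timing.
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_secret.encode()):
        return 401, None
    user = json.loads(request["body"])
    name = user.get("name", {})
    email = next((e.get("value") for e in user.get("emails", []) if e.get("primary")), None)
    if USER_SCHEMA not in user.get("schemas", []) or not email or not user.get("userName"):
        return 400, None
    # These four fields are the ones the page says are locked in the edit modal.
    return 201, {"forename": name.get("givenName"), "surname": name.get("familyName"),
                 "email": email, "username": user["userName"], "status": "Pending"}

if __name__ == "__main__":
    # Constructed sample values; not a real tenant URL or secret.
    req = build_create_user("https://scim.example.invalid/v2/", "constructed-secret",
                            "Ada", "Lovelace", "ada@example.invalid")
    print(receive_create_user(req, "constructed-secret"))
    print(receive_create_user(req, "some-other-secret"))
```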
