Overview

Customers using SAML single-sign-on with Okta are now able to leverage TerraTrue’s SCIM functionality to centralize and automate the user life-cycle directly from their identity provider. TerraTrue’s SCIM implementation supports provisioning and de-provisioning of users, as well as activation and suspension. Contact us at hello@terratrue.com to learn more.

Features

The following provisioning features are supported:

  • Push New Users: New users created through Okta will also be created in TerraTrue.

  • Push Profile Updates: Updates made to the user’s profile through Okta will be pushed to TerraTrue.

  • Push User Deactivation: Deactivating the user or disabling the user’s access to the application through Okta will deactivate (delete) the user in TerraTrue. Users can also be suspended, which leaves their data intact but prevents them from signing in. For both deactivation and suspension, all existing login sessions for that user are terminated.

  • Import Users: New users created in TerraTrue may be imported to Okta.

Prerequisites

Before you proceed further in configuring this method of provisioning, check that the following are all true and reach out to hello@terratrue.com with any questions:

  1. You are using TerraTrue with Okta single-sign-on. Provisioning may not work correctly when you are using password authentication or Google authentication for your TerraTrue instance.
  2. You are an administrator on TerraTrue, which gives you the access needed to configure the provisioning settings.
  3. You have the appropriate access to manage the TerraTrue application on Okta.

Configuration Steps

Step 1: Get the SCIM API Key from TerraTrue

In TerraTrue, go to Organization Settings > Authentication > SCIM or visit https://launch.terratrue.com/settings/auth/scim.

Next, enable the “SCIM Configuration” toggle and click “Copy API Key” to copy the SCIM API Key.

Step 2: Configure the TerraTrue application in Okta

Verify username format

Under the Sign On application tab in Okta, verify that the “Application username format” is set to “Email” as shown below.

Enable provisioning

Under the Provisioning application tab in Okta, click on the “Configure API integration” button as seen below and then check the “Enable API integration” checkbox.

Save the API key in Okta

Paste the API key obtained from the TerraTrue org setting into the API Token field and uncheck the “Import Groups” checkbox. The Provisioning application tab in Okta will then look as shown below. Click the “Save” button and you are done.

Configure provisioning to App

Still under the Provisioning tab, click on “To App” in the SETTINGS panel on the left side and check the three boxes entitled Create Users, Update User Attributes, and Deactivate Users. Your screen will then look as shown below and you are done.

Troubleshooting and Tips

Do reach out to hello@terratrue.com for any help ensuring that your provisioning is working correctly.

TerraTrue provides a revision history of all changes to a user’s account visible to any TerraTrue administrator at the link below. All user changes made as a result of SCIM provisioning will be shown with the Actor column being “Scim System User”.

https://launch.terratrue.com/settings/history

Lastly, TerraTrue sets the user’s display name based on the first name and last name received during the first user sync. Subsequent changes to the user’s display name may be made by an administrator in the user org setting.