Customers using SAML single-sign-on with Okta are now able to leverage TerraTrue’s SCIM functionality to centralize and automate the user life-cycle directly from their identity provider. TerraTrue’s SCIM implementation supports provisioning and de-provisioning of users, as well as activation and suspension. Contact us at firstname.lastname@example.org to learn more.
The following provisioning features are supported:
- Push New Users: New users created through Okta will also be created in TerraTrue.
- Push Profile Updates: Updates made to the user’s profile through Okta will be pushed to TerraTrue.
- Push User Deactivation: Deactivating the user or disabling the user’s access to the application through Okta will deactivate (delete) the user in TerraTrue. Users can also be suspended, which leaves their data intact but prevents them from signing in. For both deactivation and suspension, all existing login sessions for that user are terminated.
- Import Users: New users created in TerraTrue may be imported to Okta.
Before you proceed further in configuring this method of provisioning, check that the following are all true and reach out to email@example.com with any questions:
- You are using TerraTrue with Okta single-sign-on. Provisioning may not work correctly when you are using password authentication or Google authentication for your TerraTrue instance.
- You are an administrator on TerraTrue, which gives you the access needed to configure the provisioning settings.
- You have the appropriate access to manage the TerraTrue application on Okta.
Step 1: Get the SCIM API Key from TerraTrue
In TerraTrue, go to Organization Settings > Authentication > SCIM or visit https://launch.terratrue.com/settings/auth/scim.
Next, enable the “SCIM Configuration” toggle and click “Copy API Key” to copy the SCIM API Key.
Step 2: Configure the TerraTrue application in Okta
Verify username format
Under the Sign On application tab in Okta, verify that the “Application username format” is set to “Email”.
Under the Provisioning application tab in Okta, click on the “Configure API integration” button and then check the “Enable API integration” checkbox.
Save the API key in Okta
Paste the API key obtained from the TerraTrue org setting into the API Token field and uncheck the “Import Groups” checkbox. Click the “Save” button and you are done.
Configure provisioning to App
Still under the Provisioning tab, click on “To App” on the SETTINGS left-side panel and check the three boxes entitled Create Users, Update User Attributes, and Deactivate Users. Once these are checked, you are done.
Troubleshooting and Tips
Reach out to firstname.lastname@example.org for help ensuring that your provisioning is working correctly.
TerraTrue provides a revision history of all changes to a user’s account, visible to any TerraTrue administrator at the link below. All user changes made as a result of SCIM provisioning are shown with “Scim System User” in the Actor column.
Lastly, TerraTrue sets the user’s display name based on the first name and last name received during the first user sync. Subsequent changes to the user’s display name may be made by an administrator in the user org setting.
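One way to check that the deactivation and suspension pushes described above are landing is to reconcile the two user lists by email, since the application username format is Email. The following is an added example, not TerraTrue or Okta code; the record fields, the status strings and the sample data are assumptions constructed for illustration.

```python
# Added example: reconcile identity-provider user state against TerraTrue.
# Field names and status strings are assumptions, not either product's
# export format.

# Constructed sample data (not real exports).
OKTA_USERS = [
    {"email": "Ana@Example.com", "status": "ACTIVE"},
    {"email": "bo@example.com", "status": "DEPROVISIONED"},
    {"email": "cy@example.com", "status": "SUSPENDED"},
    {"email": "di@example.com", "status": "DEPROVISIONED"},
]
TERRATRUE_USERS = [
    {"email": "ana@example.com", "state": "active"},
    {"email": "bo@example.com", "state": "active"},    # should be gone
    {"email": "cy@example.com", "state": "suspended"},
    {"email": "eve@example.com", "state": "active"},   # unknown to Okta
]

def _by_email(rows, key):
    # Username format is Email, so match on the normalized address.
    return {r["email"].strip().lower(): r[key] for r in rows}

def reconcile(okta_users, terratrue_users):
    """Return sorted (email, finding) pairs where the two sides disagree."""
    okta = _by_email(okta_users, "status")
    tt = _by_email(terratrue_users, "state")
    findings = []
    for email, state in sorted(tt.items()):
        status = okta.get(email)
        if status is None:
            findings.append((email, "not_in_okta"))
        elif status == "DEPROVISIONED":
            # Deactivation deletes the TerraTrue user, so any record is stale.
            findings.append((email, "deactivated_in_okta_still_present"))
        elif status == "SUSPENDED" and state != "suspended":
            findings.append((email, "suspended_in_okta_can_sign_in"))
    for email, status in sorted(okta.items()):
        if status == "ACTIVE" and email not in tt:
            findings.append((email, "active_in_okta_not_provisioned"))
    return findings

if __name__ == "__main__":
    for email, issue in reconcile(OKTA_USERS, TERRATRUE_USERS):
        print(f"{issue}: {email}")
```

Accounts reported as `not_in_okta` were created directly in TerraTrue and are candidates for the Import Users feature.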