Guides
v2.0

SCIM Directory Sync

Suggest Edits

EnvKey Business Cloud and Business Self-Hosted offer user directory sync with SCIM. You can connect with any directory that supports SCIM, but we specifically test and provide documentation for Okta and Azure AD.

If you're attempting to use another directory and running into problems, please reach out to [email protected] and we'll be happy to help.

Directory Providers

Okta

1.) If you haven't already, first create a SAML 2.0 application for EnvKey in Okta .

2.) Setup a new SCIM provider in EnvKey.

  • In the EnvKey UI, sign in to your org, then click the Org, account, and device settings menu with your organization's name in it at the top-left of the screen. From there, click My Org. Then click on the SSO tab.

  • Under SCIM Connections, click Connect A SCIM Provider. Leave the fields on the form as their defaults, then click Next.

3.) In Okta, go to Applications, view the EnvKey SAML 2.0 application, then go to General > App Settings and Edit. Now set Provisioning to SCIM and save the settings.

4.) While still viewing the application in Okta, a new Provisioning tab will now be visible. Click this tab, then select SCIM Connection > Integration > Edit. Fill in the form:

  • For SCIM version, enter 2.0.

  • For SCIM connector base URL enter the Endpoint Base URL from the EnvKey UI.

  • For Unique identifier field for users, enter userName.

  • Enable the following Supported provisioning actions:

    • Import New Users and Profile Updates
    • Push New Users
    • Push Profile Updates

  • For Authentication Mode, select HTTP Header

  • For HTTP Header Authorization Bearer, enter the Authentication Secret from the EnvKey UI.

  • Save the form in Okta.

5.) More options will now be available in the Provisioning > Settings sidebar. You should see To App and To Okta.

  • Select To App and Provisioning to App > Edit.

  • Enable the following:

    • Create Users
    • Deactivate Users

6.) Back in the EnvKey UI, click Done.

7.) Okta normally begins syncing users to EnvKey immediately, but if it doesn't, you can click the Force Sync button under Attribute Mappings.

8.) Now when you invite a new user to EnvKey, you can select this Okta SCIM connection as your user directory, and invite from a pool of users that have been synced from Okta to EnvKey. And if a user's access is removed in Okta, they will also be removed from your EnvKey organization.

Azure AD

1.) If you haven't already, first create a SAML 2.0 application for EnvKey in Azure .

2.) Setup a new SCIM provider in EnvKey.

  • In the EnvKey UI, sign in to your org, then click the Org, account, and device settings menu with your organization's name in it at the top-left of the screen. From there, click My Org. Then click on the SSO tab.

  • Under SCIM Connections, click Connect A SCIM Provider. Leave the fields on the form as their defaults, then click Next.

3.) Go to portal.azure.com and sign in. Navigate to the Azure Active Directory for which you will be using EnvKey. Most likely this is Default Directory.

4.) Find the Enterprise Application you created in step 1 when configuring SAML SSO and go to it.

5.) Select Provisioning from the sidebar then Get Started.

6.) Change Provisioning Mode to Automatic. A form will appear.

  • Enter the Endpoint Base URL from the EnvKey UI into Tenant URL in Azure.

  • Enter the Authentication Secret from the EnvKey UI into Secret Token in Azure.

  • Save then clickTest Connection.

7.) After a successful connection test, click the Save button again, otherwise you won't be able to finish the remaining steps.

8.) Now edit the Mappings of Provisioning > Automatic:

  • Disable group mapping.
  • Enter a system notification email to be notified of failed user syncing (optional but recommended).
  • Ensure Provisioning status is Enabled
  • Save and exit.

9.) Back in the EnvKey UI, click Done.

10.) Back in Azure, in the sidebar under Manage > Provisioning click either Start Provisioning or Provision on demand. Azure will now begin provisioning users

11.) Now when you invite a new user to EnvKey, you can select this Azure AD SCIM connection as your user directory, and invite from a pool of users that have been synced from Azure AD to EnvKey. And if a user's access is removed in Azure, they will also be removed from your EnvKey organization.

Updated about 2 years ago