User provisioning setup with Okta
  • 4 Minutes to read

    User provisioning setup with Okta

      Article summary

      This guide teaches you how to create and configure SCIM integrations.

      SCIM provisioning with NordLayer offers the ability to:

      • Create users. SCIM lets you easily add users to your system, ensuring they can get to work right away.
      • Update user attributes. Tweak user details on the fly, ensuring their digital identity matches across all environments.
      • Deactivate users. Turn off user access in a snap, keeping your system secure.
      • Group push. Automatically place users into groups based on their role or department, ensuring they can access the necessary resources.

      Preparing for integration

      Before diving into the setup, verify that your NordLayer account has sufficient member licenses to accommodate all users you plan to provision via Okta. This preparation step is crucial to avoid any hiccups during the provisioning process.

      User provisioning with Okta application

      Before configuring user provisioning with an Okta application, ensure you have an operational Okta application first.

      To configure SCIM integration in NordLayer:

      1. Navigate to the NordLayer Control Panel

      2. Select Settings from the left sidebar

      3. Under Access management, enable SCIM provisioning by toggling the switch for Okta

      4. Note the Secret Token provided for later use and click Continue

      Next, you’ll have to configure SCIM integration on Okta:

      1. Sign into your Okta admin portal

      2. Find your NordLayer application under the Applications tab

      3. In the Sign On tab, click Edit on Settings

      4. Set the Application username format to Email.

      5. Go to the Provisioning tab, then select Configure API Integration

      6. Enable the integration, inputting the Secret Token from NordLayer when prompted

      7. Use Test API Credentials to verify the connection. Troubleshoot as needed and Save your settings

      8. In the newly opened window, click Edit under Provisioning to App and enable all three functionalities: Create Users, Update User Attributes, and Deactivate Users. Then, click Save

      9. Assign the appropriate users and groups to the SCIM integration under the Assignments tab. To add an entire Okta Group as a Team in NordLayer, do so in the Push Groups tab.

      Important notes
      • Ensure your NordLayer organization has enough licenses for all users you plan to provision via Okta
      • Use the activity log in NordLayer to verify SCIM activation
      • Check Okta's provisioning logs to confirm successful user and group provisioning

      Manually set up Okta application for user provisioning

      1. Sign up for an Okta Developer account and navigate to your Admin Console. Under Applications, select Applications, click on Browse App Catalog, and search for the SCIM 2.0 Test App (OAuth Bearer Token)

      Screenshot 2022-06-21 at 10.20.50.png

      2. Name your application and adjust visibility and auto-login settings as needed

      Screenshot 2022-06-21 at 10.20.55.png

      3. Choose SAML as your sign-in method to proceed with the configuration on the Sign-On Options page and click Done

      User Provisioning setup with Okta

      4. Under the Provisioning tab, select Configure API Integration and tick the Enable the API integration checkbox

      5. Head to the NordLayer Control Panel toggle the switch on, and copy the Tenant URL and Secret Token provided.

      The Secret Token generated for Okta provisioning does not have an expiration date. You do not need to regenerate it periodically.

      6. Paste the Tenant URL and Secret Token into Okta for your SCIM server and click Continue in the NordLayer Control Panel

      7. Test the API credentials and save your settings to complete the API integration

      User Provisioning setup with Okta SCIM

      Edit Your Settings

      To make changes, as shown in the screenshot below, click Edit:

      User Provisioning setup with Okta SCIM NordLayer

      For additional details on Okta provisioning, click here.

      In the Assignments tab, ensure the correct users and groups within your organization are linked to the app integration.

      If you aim to sync an entire Okta Group to NordLayer as a team, remember to add it under the Push Groups tab as well:

      User provisioning via Okta in the NordLayer Control Panel

      Here’s a snapshot of when User Provisioning with Okta is enabled. Make sure to activate Okta as a login method as well:

      Important note
      Be aware that disabling this feature or updating new credentials in Okta settings will cancel the SCIM integration with your NordLayer Control Panel.

      After activating this feature and provisioning at least one member or team, you'll get a notification. This informs you that edits to provisioned members or teams can only be done in their origin (Okta, in this context). It means they become read-only in the NordLayer Control Panel, blocking any edits or deletions:

      Screenshot 2022-06-21 at 10.21.46.png

      Moreover, provisioned members and teams will display the Okta icon on their avatars, distinguishing them from those created manually:

      Even with this feature active, you can still add members and form teams manually, allowing both provisioned and manually created members and teams within your organization.

      Note that manually created members cannot join provisioned teams. Thus, when inviting new members (via the Invite new member button in the member list), the Assign to team (optional) will only show manually created teams for selection.

      Conversely, you can add provisioned members to manually created teams through the Create team option in the team list or the Add a member option on a team’s page.

      If this feature is turned off and you have provisioned members, these members will revert to being editable. However, the Okta icon will remain an identifier for the avatars.


      Editing provisioned information, like a team's name, and then reactivating provisioning will lead Okta to create a duplicate entry. This applies to both teams and members, especially if members change their email addresses.

      For a log of activities such as toggling this feature on or off and other actions initiated by SCIM Provisioning, check under Activity and select Actions:

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.

      Was this article helpful?