---
title: "User provisioning setup with Okta"
slug: "user-provisioning-setup-with-okta"
description: "This guide teaches you how to create and configure SCIM integrations. Make sure you have enough NordLayer member licenses for all Azure AD users."
updated: 2024-07-03T13:04:53Z
published: 2024-07-03T13:04:53Z
canonical: "help.nordlayer.com/user-provisioning-setup-with-okta"
---

# User provisioning setup with Okta

This guide teaches you how to create and configure SCIM integrations.

SCIM provisioning with NordLayer offers the ability to:

- **Create users**. SCIM lets you easily add users to your system, ensuring they can get to work right away.
- **Update user attributes**. Tweak user details on the fly, ensuring their digital identity matches across all environments.
- **Deactivate users**. Turn off user access in a snap, keeping your system secure.
- **Group push**. Automatically place users into groups based on their role or department, ensuring they can access the necessary resources.

## Preparing for integration

Before diving into the setup, verify that your NordLayer account has sufficient member licenses to accommodate all users you plan to provision via Okta. This preparation step is crucial to avoid any hiccups during the provisioning process.

## User provisioning with Okta application

Before configuring user provisioning with an Okta application, ensure you have an operational [Okta application](https://help.nordlayer.com/v1/docs/en/okta-3rd-party-authentication#set-up-nordlayer-sso-using-okta-application).

To configure SCIM integration in NordLayer:

1. Navigate to the **NordLayer Control Panel**

2. Select **Settings** from the left sidebar

3. Under **Access management**, enable SCIM provisioning by toggling the switch for Okta

4. Note the **Secret Token** provided for later use and click **Continue**

Next, you’ll have to configure SCIM integration on Okta:

1. Sign into your **Okta admin portal**

2. Find your NordLayer application under the **Applications** tab

3. In the **Sign On** tab, click **Edit** on **Settings**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202024-04-12%20at%2011.12.15%20(1)(1).png)

4. Set the **Application username format** to **Email**.

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202024-04-12%20at%2011.12.34%20(1)(1).png)

5. Go to the **Provisioning** tab, then select **Configure API Integration**

6. **Enable** the integration, inputting the **Secret Token** from NordLayer when prompted

7. Use **Test API Credentials** to verify the connection. Troubleshoot as needed and **Save** your settings

8. In the newly opened window, click **Edit** under **Provisioning to App** and enable all three functionalities: **Create Users**, **Update User Attributes**, and **Deactivate Users**. Then, click **Save**.

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202024-04-12%20at%2011.13.03%20(1).png)

9. Assign the appropriate users and groups to the SCIM integration under the **Assignments** tab. To add an entire **Okta Group** as a **Team** in NordLayer, do so in the **Push Groups** tab.

**Important notes**:

- Ensure your NordLayer organization has enough licenses for all users you plan to provision via Okta
- Use the activity log in NordLayer to verify SCIM activation
- Check Okta's provisioning logs to confirm successful user and group provisioning

## Manually set up Okta application for user provisioning

1. Sign up for an [Okta Developer account](https://developer.okta.com/signup/) and navigate to your **Admin Console**. Under **Applications**, select **Applications**, click on **Browse App Catalog**, and search for the **SCIM 2.0 Test App** (OAuth Bearer Token)

![Screenshot 2022-06-21 at 10.20.50.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202022-06-21%20at%2010.20.50.png)

2. Name your application and adjust visibility and auto-login settings as needed

![Screenshot 2022-06-21 at 10.20.55.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202022%2006%2021%20at%2010.20.55.png)

3. Choose **SAML** as your sign-in method to proceed with the configuration on the **Sign-On Options** page and click **Done**

![User Provisioning setup with Okta](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/User-Provisioning-setup-with-Okta.webp)

4. Under the **Provisioning** tab, select **Configure API Integration** and tick the **Enable the API integration** checkbox

5. Head to the **NordLayer Control Panel**, toggle the switch on, and copy the **Tenant URL** and **Secret Token** provided.

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Okta%20Modal(1).jpg)

**Note**: The Secret Token generated for Okta provisioning does not have an expiration date. You do not need to regenerate it periodically.

6. Paste the **Tenant URL** and **Secret Token** into Okta for your SCIM server and click **Continue** in the **NordLayer Control Panel**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Okta%20highlighted(3).jpg)

7. Test the API credentials and save your settings to complete the API integration

![User Provisioning setup with Okta SCIM](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/User-Provisioning-setup-with-Okta-SCIM.webp)

### Edit Your Settings

To make changes, as shown in the screenshot below, click **Edit**:

![User Provisioning setup with Okta SCIM NordLayer](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/User-Provisioning-setup-with-Okta-SCIM-NordLayer.webp)

For additional details on Okta provisioning, click [here](https://developer.okta.com/docs/guides/scim-provisioning-integration-connect/main/#to-okta).

In the **Assignments** tab, ensure the correct users and groups within your organization are linked to the app integration.

If you aim to sync an entire Okta Group to NordLayer as a team, remember to add it under the **Push Groups** tab as well:

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Push%20Groups.png)

### User provisioning via Okta in the NordLayer Control Panel

Here’s how the Control Panel looks when User Provisioning with Okta is enabled. Make sure to activate Okta as a login method as well:

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Okta%20highlighted(2).jpg)

**Important note**: Be aware that disabling this feature or updating the credentials in Okta settings will cancel the SCIM integration with your NordLayer Control Panel.

After activating this feature and provisioning at least one member or team, you'll get a notification. This informs you that edits to provisioned members or teams can only be done in their origin (Okta, in this context). It means they become read-only in the NordLayer Control Panel, blocking any edits or deletions:

![Screenshot 2022-06-21 at 10.21.46.png](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202022-06-21%20at%2010.21.46.png)

Moreover, provisioned members and teams will display the Okta icon on their avatars, distinguishing them from those created manually:

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Members%20okta%20icon(1).jpg)

Even with this feature active, you can still add members and form teams manually, allowing both provisioned and manually created members and teams within your organization.

Note that **manually created members cannot join provisioned teams**. Thus, when inviting new members (via the **Invite new member** button in the member list), the **Assign to team** (optional) field will only show manually created teams for selection.

Conversely, you can add provisioned members to manually created teams through the **Create team** option in the team list or the **Add a member** option on a team’s page.

If this feature is turned off and you have provisioned members, these members will revert to being editable. However, the Okta icon will remain on their avatars as an identifier.

**Remember**:

Editing provisioned information, like a team's name, and then reactivating provisioning will lead Okta to create a duplicate entry. This applies to both teams and members, especially if members change their email addresses.
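The situations described above (a cancelled integration that no longer deactivates members, users that were never provisioned, and duplicate entries) can be checked by reconciling the Okta assignment list against the member list. The following is an added example, not NordLayer or Okta code; the record fields `email`, `source` and `active` are a hypothetical export format, and all records are constructed.

```python
from collections import defaultdict

# Constructed sample: usernames assigned to the NordLayer app in Okta
# (the guide sets "Application username format" to Email).
OKTA_ASSIGNED = ["alice@example.com", "Bob@example.com", "dana@example.com"]

# Constructed sample: members as listed in the Control Panel.
# Hypothetical fields: source "okta" = provisioned via SCIM,
# "manual" = invited by hand; active = member can still sign in.
NORDLAYER_MEMBERS = [
    {"email": "alice@example.com", "source": "okta", "active": True},
    {"email": "bob@example.com", "source": "okta", "active": True},
    {"email": "bob@example.com", "source": "manual", "active": True},
    {"email": "carol@example.com", "source": "okta", "active": True},
    {"email": "erin@example.com", "source": "manual", "active": True},
    {"email": "frank@example.com", "source": "okta", "active": False},
]


def norm(email):
    """Compare e-mail addresses case-insensitively and without padding."""
    return email.strip().lower()


def reconcile(okta_assigned, members):
    assigned = {norm(e) for e in okta_assigned}
    by_email = defaultdict(list)
    for m in members:
        by_email[norm(m["email"])].append(m)

    findings = {"stale_access": [], "not_provisioned": [], "duplicates": []}
    provisioned = set()
    for email, rows in sorted(by_email.items()):
        okta_rows = [r for r in rows if r["source"] == "okta"]
        if okta_rows:
            provisioned.add(email)
        # Provisioned member still active although Okta no longer assigns it:
        # a deactivation did not reach NordLayer.
        if email not in assigned and any(r["active"] for r in okta_rows):
            findings["stale_access"].append(email)
        # More than one entry for the same address (e.g. manual + provisioned).
        if len(rows) > 1:
            findings["duplicates"].append(email)
    # Assigned in Okta but no provisioned member exists (e.g. no free license).
    findings["not_provisioned"] = sorted(assigned - provisioned)
    return findings


if __name__ == "__main__":
    for kind, emails in reconcile(OKTA_ASSIGNED, NORDLAYER_MEMBERS).items():
        print(f"{kind}: {emails}")
```

Manually created members such as `erin@example.com` are not flagged, because the guide allows manual and provisioned members to coexist.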

For a log of activities such as toggling this feature on or off and other actions initiated by SCIM Provisioning, check under **Activity** and select **Actions**:

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Activity%20actions(4).jpg)

**Note**: In case you have any questions or are experiencing any issues, please feel free to contact our [24/7 customer support team](/docs/how-do-i-contact-nordlayer-customer-support).
