User Provisioning setup with Okta
  • 3 Minutes to read

    User Provisioning setup with Okta


      Article Summary

      Connect your SCIM API service to Okta

      This guide teaches you how to create and configure SCIM integrations.

      Getting connected

      1. Sign up for an Okta Developer account;

      2. Click the link in the signup email to open your Admin Console;

      3. Select Applications > Applications;

      4. Click Browse App Catalog;

      5. Search for SCIM 2.0 Test App (OAuth Bearer Token);

      Screenshot 2022-06-21 at 10.20.50.png

      1. Click Add Integration;

      2. On the General Settings page: Set the name of your application, choose if it’s hidden from general and mobile users, and choose if users are automatically signed in from the landing page. Click Next;

      Screenshot 2022-06-21 at 10.20.55.png

      1. Choose the sign-in method for your integration on the Sign-On Options page;

      2. Select SAML;

      User Provisioning setup with Okta

      1. Click Done to create the integration;

      2. Click the Provisioning tab, then in the main panel click Configure API Integration. Select the Enable API Integration checkbox;

      3. Go to the NordLayer Control Panel;


      1. Turn the toggle switch on and copy the Tenant URL and Secret Token values;

      Note: The Secret Token generated for Okta provisioning does not have an expiration date. You do not need to regenerate it periodically.
      1. Paste the Tenant URL and Secret Token values in Okta for your SCIM server. Click Continue in the NordLayer Control Panel;

      1. Test the credentials by clicking Test API Credentials, which attempts to connect to Okta. If there’s an error, check the credentials entered above.
        Click Save to complete the API integration;

      User Provisioning setup with Okta SCIM

      1. On the Assignments tab, ensure that the right users and groups in your organization are assigned to the app integration.

      2.  Additionally, if you would like to push a whole Okta Group to NordLayer as a Team, make sure it is also added in the Push Groups tab.

      Push Groups

      To App

      Click Edit to make changes as represented in the screenshot below:
      User Provisioning setup with Okta SCIM NordLayer

      More information about Okta provisioning can be found here.

      User Provisioning with Okta in NordLayer Control Panel

      This is how it looks when User Provisioning with Okta is enabled. Notice the important message reminding you to enable Okta as a login method.

      Note: Be aware that you’ll lose the integration between SCIM and your NordLayer Control Panel if the feature is disabled or if you add new credentials to Okta settings.

      Once you’ve enabled the feature and provisioned at least one member or team, you’ll receive a message indicating that you can only edit provisioned members or teams in their source (Okta in this case). It means provisioned members and teams become read-only; you won’t be able to edit or delete them in the NordLayer Control Panel.

      Screenshot 2022-06-21 at 10.21.46.png

      Also, provisioned members and teams will have the Okta icons on their avatar to separate them from manually created members and teams.


      You can still invite members and create teams manually when this feature is enabled. It means there’s the possibility to have provisioned and manually created members and teams in your organization.

      • Manually created members cannot be added to provisioned teams. It means when you’re inviting new members (via the “Invite new member” button in the member list), teams listed under “Assign to team (optional)” are automatically filtered to only display manually created teams.
      • Provisioned members can be added to manually created teams (“Create team” in teams list or “Add a member” in inner team page).

      If this feature is disabled and you have provisioned members, these members will become editable. The Okta icon will still be seen on the member’s or team’s avatars to separate them.

      Note: If you edited provisioned info, i.e., a team’s name, and you turn on Provisioning again, be aware Okta won’t be able to find the team and will create a new one. The same condition will apply to members if they change their email addresses.

      See logged actions like turning on or off the feature and any other actions triggered by SCIM Provisioning under Activity > Actions:

      Note: In case you have any questions or are experiencing any issues, please feel free to contact our 24/7 customer support team.


      Was this article helpful?