4. Change Okta Settings

Connect the Okta app to the OCI IAM confidential app using the domain URL and secret token from an earlier step.

  1. In the newly created application page, click the Sign On tab.
  2. In Settings, click Edit.
  3. Scroll down to Advanced Sign-on Settings.

    Enter the domain URL in Oracle Cloud Infrastructure IAM GUID.

  4. Click Save.
  5. Near the top of the page, click the Provisioning tab.
  6. Click Configure API Integration.
  7. Select Enable API Integration.
    [Image: Provisioning screen]

  8. Enter the secret token value you copied earlier in API Token.
  9. Click Test API Credentials.

    If you get an error message, check the values that you have entered and try again.

    Okta has successfully connected to the OCI IAM SCIM endpoint when you get the ‘Oracle Cloud Infrastructure IAM was verified successfully!’ message.

  10. Click Save.

    The Provisioning to App page opens, where you can create users, update user attributes, and map attributes between OCI IAM and Okta.

  11. Under Settings, on the Provisioning to App screen, click Edit.
  12. Enable Create Users, Update User Attributes, and Deactivate Users. Click Save.
  13. Scroll down to the Attribute Mappings section.
  14. Click Go to Profile Editor; the Attribute section lists OCI IAM Attributes.

    Refer to the User Mapping table below to map user attributes between OCI IAM and Okta, adding any required attributes including the mandatory attributes.

    Table 2-1 User Mapping

    | Okta Attribute | OCI User Attribute | External Namespace | Datatype | Mapping Type | Attribute Value | Description | Mandatory Attribute |
    |---|---|---|---|---|---|---|---|
    | login | userName | | String | Direct | Map from Okta profile | User name | Yes |
    | lastName | name.familyName | | String | Direct | Map from Okta profile | Last name | Yes |
    | email | emails[type eq "work"].value | | String | Direct | Map from Okta profile | Email address | Yes |
    | (user.email != null && user.email != '') ? 'work' : '' | emailType | | String | Expression | (user.email != null && user.email != '') ? 'work' : '' | Email type | Yes |
    | extensionAttributePrimaryWorkLocation | OC_PrimaryWorkLocation | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Expression | Same value for all users; see Description | Mandatory single-valued user attribute indicating the user's primary work location. For multi-chain customers the value <ENTERPRISE_ID>:E is derived from the user profile. For customers with a single chain, the source value can be set to the constant <ENTERPRISE_ID>:E for all users. | Yes |
    | isFederatedUser | isFederatedUser | urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User | Boolean | Expression | True | Enables the Federated User flag in the Identity Domain. | Yes |
    | bypassNotification | bypassNotification | urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User | Boolean | Expression | True | Controls whether an email notification is sent after a user account is created or updated in the Identity Domain. Set bypassNotification to "true" for federated users; this disables the account activation notification in the IAM Identity Domain for the user. | Yes |
    | firstName | name.givenName | | String | Direct | Map from Okta profile | First name | No |
    | preferredLanguage | preferredLanguage | | String | Direct | Map from Okta profile | User's preferred written or spoken language, used for localized user interfaces. | No |
    | displayName | displayName | | String | Direct | Map from Okta profile | Display name | No |
    | title | title | | String | Direct | Map from Okta profile | Title | No |
    | mobilePhone | phoneNumbers[type eq "mobile"].value | | String | Direct | Map from Okta profile | User's mobile phone number | No |
    | employeeNumber | OC_UserEmployeeNo | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. | No |
    | userType | OC_UserType | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Identifies the organization-to-user relationship. Possible values: FULL-TIME EMPLOYEE, PART-TIME EMPLOYEE, TRAINEE, CONTRACTOR, CONSULTANT, OTHER. | No |
    | department | OC_Department | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Specifies the user's department. | No |
    | primaryPhone | phoneNumbers[type eq "work"].value | | String | Direct | Map from Okta profile | The user's work phone number. | No |
    | extensionAttributeUserOwnerCode | OC_UserOwnerCode | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Unique code (typically the sales manager's initials) for the owner. For example, oc_ownercode=First_Last_Initial | No |
    | extensionAttributeHonorificPrefix | name.honorificPrefix | | String | Direct | Map from Okta profile | User initials | No |
    | extensionAttributeMiddleName | name.middleName | | String | Direct | Map from Okta profile | User's middle name | No |
    | extensionAttributeHonorificSuffix | name.honorificSuffix | | String | Direct | Map from Okta profile | Suffix | No |
    | extensionAttributeTimezone | urn:ietf:params:scim:schemas:core:2.0:User:timezone | | String | Direct | Map from Okta profile | User's timezone | No |
    | extensionAttributeLocale | locale | | String | Direct | Map from Okta profile | Indicates the user's default locale for localizing items such as currency, date and time format, and numerical representations. | No |

  15. Follow the steps below to add each required attribute listed in the User Mapping table above.
  16. Under Attributes, click Add Attributes.
  17. In the Add Attribute page, enter the following values from the User Mapping table above:
    • For Data Type, enter the corresponding value from the Data Type column.
    • For Display Name, enter the corresponding value from the OCI User Attribute column.
    • For Variable Name, enter the corresponding value from the OCI User Attribute column.

    Note:

    The external name is automatically populated by the value of the variable name.
  18. For External namespace, enter urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User.
  19. Under Scope, check User personal.
    [Image: Add Attributes screen]

  20. Click Save and Add Another to add the next attribute.
  21. In the Attributes list, click Mapping and choose the tab Okta User to Oracle IAM User Profile.
  22. Add mappings referring to the User Mapping table.
    [Image: Oracle Cloud Infrastructure IAM User Profile Mappings screen]

  23. Save the mappings.
  24. Return to the OCI IAM application.
  25. Groups can be synced from Okta to the Oracle Identity Domain either manually or automatically, by defining a rule on the Push Groups tab of the OCI IAM application.
  26. Select the Push Groups tab.

    You can manually push the group by entering the group name and selecting the group to be pushed.
    [Image: Push Groups to Oracle Cloud Infrastructure IAM screen]

  27. Enter the name of the group to push from Okta to the OCI IAM domain.
  28. Alternatively, define a rule to automate group synchronization.
    [Image: Push Groups to Oracle Cloud Infrastructure IAM by name screen]
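To make the User Mapping in Table 2-1 concrete, the following added example (not part of the Oracle documentation or the Okta connector) assembles the SCIM user body those mappings produce for one Okta profile and checks that every mandatory attribute is present before it would be sent to the OCI IAM SCIM endpoint. It assumes a plain dict keyed by Okta attribute name stands in for the Okta profile, that `enterprise_id` replaces the <ENTERPRISE_ID> placeholder, and that emailType is carried as the `type` of the work e-mail entry.

```python
import json

# Schema URIs from the User Mapping table (Table 2-1).
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
CUSTOM = "urn:ietf:params:scim:schemas:idcs:extension:custom:User"
IDCS_USER = "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"

def email_type(profile):
    """Okta expression from the table: (user.email != null && user.email != '') ? 'work' : ''"""
    return "work" if profile.get("email") not in (None, "") else ""

def build_scim_user(profile, enterprise_id):
    """Build the SCIM User body the Table 2-1 mappings produce for one Okta profile dict."""
    # enterprise_id stands in for the <ENTERPRISE_ID> placeholder in the table.
    etype = email_type(profile)
    user = {
        "schemas": [CORE, CUSTOM, IDCS_USER],
        "userName": profile["login"],
        "name": {"familyName": profile["lastName"], "givenName": profile.get("firstName", "")},
        # emailType is carried as the type of the work e-mail entry (assumption).
        "emails": [{"type": etype, "value": profile.get("email", ""), "primary": True}],
        # Custom extension: the table gives one constant value for all users.
        CUSTOM: {"OC_PrimaryWorkLocation": f"{enterprise_id}:E"},
        # Federated users: no activation e-mail from the identity domain.
        IDCS_USER: {"isFederatedUser": True, "bypassNotification": True},
    }
    # Optional direct mappings, added only when the Okta profile has a value.
    for okta_attr, oci_attr in (("employeeNumber", "OC_UserEmployeeNo"),
                                ("department", "OC_Department")):
        if profile.get(okta_attr):
            user[CUSTOM][oci_attr] = profile[okta_attr]
    return user

def missing_mandatory(user):
    """Return the mandatory attributes (per Table 2-1) that are absent or empty."""
    work = [e for e in user.get("emails", []) if e.get("type") == "work" and e.get("value")]
    checks = {
        "userName": user.get("userName"),
        "name.familyName": user.get("name", {}).get("familyName"),
        'emails[type eq "work"].value': work,
        "OC_PrimaryWorkLocation": user.get(CUSTOM, {}).get("OC_PrimaryWorkLocation"),
        "isFederatedUser": user.get(IDCS_USER, {}).get("isFederatedUser") is True,
        "bypassNotification": user.get(IDCS_USER, {}).get("bypassNotification") is True,
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":  # constructed sample profile, not real user data
    body = build_scim_user({"login": "jdoe@example.com", "lastName": "Doe", "email": "jdoe@example.com"}, "ENT123")
    print(json.dumps(body, indent=2), "missing:", missing_mandatory(body))
```

A profile with an empty email yields an empty emailType, exactly as the Okta expression in the table does, and the check reports the missing work e-mail rather than letting an incomplete user reach the identity domain.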