4. Change Okta Settings
Connect the Okta app to the OCI IAM confidential app using the domain URL and secret token from an earlier step.
- In the newly created application page, click the Sign On tab.
- In Settings, click Edit.
- Scroll down to Advanced Sign-on Settings.
- Enter the domain URL in Oracle Cloud Infrastructure IAM GUID.
- Click Save.
- Near the top of the page, click the Provisioning tab.
- Click Configure API Integration.
- Select Enable API Integration.
- Enter the secret token value you copied earlier in API Token.
- Click Test API Credentials.
  If you get an error message, check the values that you have entered and try again.
  Okta has successfully connected to the OCI IAM SCIM endpoint when you get the "Oracle Cloud Infrastructure IAM was verified successfully!" message.
- Click Save.
The Provisioning to App page opens, where you can create users, update user attributes, and map attributes between OCI IAM and Okta.
- Under the Settings list, on the Provisioning to App screen, click Edit.
- Enable Create Users, Update User Attributes, and Deactivate Users. Click Save.
- Scroll down to the Attribute Mappings section.
- Click Go to Profile Editor; the Attributes section lists the OCI IAM attributes.
Refer to the User Mapping table below to map user attributes between OCI IAM and Okta, adding any required attributes including the mandatory attributes.
Table 2-1 User Mapping

| Okta Attribute | OCI User Attribute | External Namespace | Datatype | Mapping Type | Attribute Value | Description | Mandatory Attribute |
|---|---|---|---|---|---|---|---|
| login | userName | | String | Direct | Map from Okta profile | User name | Yes |
| lastName | name.familyName | | String | Direct | Map from Okta profile | Last name | Yes |
| email | emails[type eq "work"].value | | String | Direct | Map from Okta profile | Email address | Yes |
| (user.email != null && user.email != '') ? 'work' : '' | emailType | | String | Expression | (user.email != null && user.email != '') ? 'work' : '' | Email type | Yes |
| extensionAttributePrimaryWorkLocation | OC_PrimaryWorkLocation | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Expression | Same value for all users; refer to the description | Mandatory single-valued user attribute. Indicates the user's primary work location. Primary Work Location can have the value <ENTERPRISE_ID>:E for multi-chain customers, derived from the user profile. For customers with only a single chain, the source value can be set to the constant <ENTERPRISE_ID>:E for all users. | Yes |
| isFederatedUser | isFederatedUser | urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User | Boolean | Expression | True | Enables the Federated User flag in the Identity Domain. | Yes |
| bypassNotification | bypassNotification | urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User | Boolean | Expression | True | The bypass notification flag controls whether an email notification is sent after creating or updating a user account in the Identity Domain. bypassNotification must be set to "true" for federated users; this disables the user account activation notification in the IAM Identity Domain for the user. | Yes |
| firstName | name.givenName | | String | Direct | Map from Okta profile | First name | No |
| preferredLanguage | preferredLanguage | | String | Direct | Map from Okta profile | User's preferred written or spoken language, used for localized user interfaces. | No |
| displayName | displayName | | String | Direct | Map from Okta profile | Display name | No |
| title | title | | String | Direct | Map from Okta profile | Title | No |
| mobilePhone | phoneNumbers[type eq "mobile"].value | | String | Direct | Map from Okta profile | User's mobile phone number | No |
| employeeNumber | OC_UserEmployeeNo | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. | No |
| userType | OC_UserType | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Possible values: FULL-TIME EMPLOYEE, PART-TIME EMPLOYEE, TRAINEE, CONTRACTOR, CONSULTANT, OTHER. Used to identify the organization-to-user relationship. | No |
| department | OC_Department | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Specifies the user's department. | No |
| primaryPhone | phoneNumbers[type eq "work"].value | | String | Direct | Map from Okta profile | The user's work phone number. | No |
| extensionAttributeUserOwnerCode | OC_UserOwnerCode | urn:ietf:params:scim:schemas:idcs:extension:custom:User | String | Direct | Map from Okta profile | Unique code (typically the sales manager's initials) for the owner. For example, oc_ownercode=First_Last_Initial | No |
| extensionAttributeHonorificPrefix | name.honorificPrefix | | String | Direct | Map from Okta profile | User initials | No |
| extensionAttributeMiddleName | name.middleName | | String | Direct | Map from Okta profile | User's middle name | No |
| extensionAttributeHonorificSuffix | name.honorificSuffix | | String | Direct | Map from Okta profile | Suffix | No |
| extensionAttributeTimezone | urn:ietf:params:scim:schemas:core:2.0:User:timezone | | String | Direct | Map from Okta profile | User's timezone | No |
| extensionAttributeLocale | locale | | String | Direct | Map from Okta profile | Used to indicate the user's default location for purposes of localizing items such as currency, date and time format, numerical representations, and so on. | No |
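The following is an added example, not Oracle's or Okta's code, that applies the Table 2-1 mapping to an Okta profile and builds the SCIM 2.0 user document the push would carry. It lets you check the expression rows (emailType, isFederatedUser, bypassNotification, OC_PrimaryWorkLocation) and the mandatory-attribute rule against sample data before provisioning is enabled. The Okta profile at the bottom is constructed sample data, and ENTERPRISE_ID_PLACEHOLDER stands in for the customer's real <ENTERPRISE_ID> value.

```python
"""Apply the Table 2-1 Okta-to-OCI IAM user mapping to an Okta profile.

Added example, not Oracle's or Okta's code. Builds the SCIM 2.0 user document
described by the mapping table so the expression rows and the mandatory
attributes can be verified offline.
"""
import re

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ORACLE_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"
CUSTOM_EXT = "urn:ietf:params:scim:schemas:idcs:extension:custom:User"

# Placeholder: the table specifies the constant <ENTERPRISE_ID>:E for single-chain customers.
PRIMARY_WORK_LOCATION = "ENTERPRISE_ID_PLACEHOLDER:E"

# Mandatory "Direct" rows: these Okta attributes must be present and non-empty.
MANDATORY_OKTA = ("login", "lastName", "email")

# Optional "Direct" rows into the core schema (Okta attribute -> OCI attribute path).
OPTIONAL_CORE = {
    "firstName": "name.givenName",
    "preferredLanguage": "preferredLanguage",
    "displayName": "displayName",
    "title": "title",
    "mobilePhone": 'phoneNumbers[type eq "mobile"].value',
    "primaryPhone": 'phoneNumbers[type eq "work"].value',
    "extensionAttributeHonorificPrefix": "name.honorificPrefix",
    "extensionAttributeMiddleName": "name.middleName",
    "extensionAttributeHonorificSuffix": "name.honorificSuffix",
    "extensionAttributeTimezone": "timezone",
    "extensionAttributeLocale": "locale",
}

# Optional "Direct" rows that land in the custom extension namespace.
OPTIONAL_CUSTOM = {
    "employeeNumber": "OC_UserEmployeeNo",
    "userType": "OC_UserType",
    "department": "OC_Department",
    "extensionAttributeUserOwnerCode": "OC_UserOwnerCode",
}

# Allowed OC_UserType values, taken from the table's description column.
USER_TYPES = {"FULL-TIME EMPLOYEE", "PART-TIME EMPLOYEE", "TRAINEE",
              "CONTRACTOR", "CONSULTANT", "OTHER"}

# SCIM filter path of the form attr[type eq "kind"].value
FILTER_PATH = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.value$')


def email_type(profile):
    """Table expression: (user.email != null && user.email != '') ? 'work' : ''."""
    return "work" if profile.get("email") not in (None, "") else ""


def set_path(doc, path, value):
    """Write value at a dotted or filtered SCIM path inside doc."""
    match = FILTER_PATH.match(path)
    if match:
        attr, kind = match.groups()
        doc.setdefault(attr, []).append({"type": kind, "value": value})
        return
    *parents, leaf = path.split(".")
    node = doc
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def build_scim_user(profile):
    """Return the SCIM user document for one Okta profile, or raise ValueError."""
    missing = [a for a in MANDATORY_OKTA if profile.get(a) in (None, "")]
    if missing:
        raise ValueError(f"mandatory Okta attributes missing or empty: {missing}")
    user_type = profile.get("userType")
    if user_type not in (None, "") and user_type not in USER_TYPES:
        raise ValueError(f"userType {user_type!r} is not one of {sorted(USER_TYPES)}")

    user = {"schemas": [CORE_SCHEMA, ORACLE_EXT, CUSTOM_EXT], "userName": profile["login"]}
    set_path(user, "name.familyName", profile["lastName"])
    # emails[type eq "work"].value, with the type supplied by the emailType expression row
    user["emails"] = [{"type": email_type(profile), "value": profile["email"]}]
    for okta_attr, path in OPTIONAL_CORE.items():
        if profile.get(okta_attr) not in (None, ""):
            set_path(user, path, profile[okta_attr])
    # Expression rows fixed to True for federated users; bypassNotification=True
    # means the Identity Domain sends no account activation email.
    user[ORACLE_EXT] = {"isFederatedUser": True, "bypassNotification": True}
    custom = {"OC_PrimaryWorkLocation": PRIMARY_WORK_LOCATION}
    for okta_attr, oci_attr in OPTIONAL_CUSTOM.items():
        if profile.get(okta_attr) not in (None, ""):
            custom[oci_attr] = profile[okta_attr]
    user[CUSTOM_EXT] = custom
    return user


# Constructed sample Okta profile (not real data).
SAMPLE_PROFILE = {
    "login": "jdoe@example.com",
    "firstName": "Jane",
    "lastName": "Doe",
    "email": "jdoe@example.com",
    "mobilePhone": "+1-555-0100",
    "userType": "FULL-TIME EMPLOYEE",
    "department": "Front Office",
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_scim_user(SAMPLE_PROFILE), indent=2))
```

Running the script prints the document for the sample profile; a profile with an empty email or an unlisted userType is rejected before anything would be sent, which is the same condition the mandatory column and the userType value list in the table express.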
- Follow the steps below to add the required attributes from those listed in the user mapping table above.
  - Under Attributes, click Add Attributes.
  - In the Add Attribute page, enter the following values from the User Mapping table above:
    - For Data Type, enter the corresponding value from the Datatype column.
    - For Display Name, enter the corresponding value from the OCI User Attribute column.
    - For Variable Name, enter the corresponding value from the OCI User Attribute column.
      Note: The external name is automatically populated from the value of the variable name.
  - For External namespace, enter urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User.
  - Under Scope, check User personal.
  - Click Save and Add Another attribute.
- In the Attributes list, click Mapping and choose the tab Okta User to Oracle IAM User Profile.
- Add mappings referring to the User Mapping table.
- Save mappings.
- Return to the OCI IAM application.
- Syncing groups from Okta to the Oracle Identity Domain can be done manually, or automated by selecting the Push Group tab in the OCI IAM application and defining a rule.
- Select the Push Group tab.
  You can manually push a group by entering the group name and selecting the group to be pushed.
- Enter the name of the group to push from Okta to the OCI IAM Domain.
- You can also define a rule to automate group synchronization.