Provision users and groups with Okta (SCIM)
System for Cross-Domain Identity Management (SCIM) is an open standard protocol for automated user provisioning. In Harness, automated provisioning involves creating users and user groups, assigning users to groups, and managing some user attributes (such as names and email addresses). In addition to creating users and groups, automated provisioning also edits and removes users and user groups as and when required.
If Okta is your identity provider, you can efficiently provision and manage users in your Harness account. Using Okta's SCIM integration with Harness enables Okta to serve as a single identity manager, to add and remove users, and to provision user groups. This is especially efficient for managing users at scale.
This topic describes how to use an Okta SCIM integration for automated provisioning in Harness. To configure this integration, you must take steps in both Okta and Harness.
Requirements
You need an understanding of:
- System for Cross-domain Identity Management (SCIM).
- Harness' key concepts.
- RBAC in Harness.
You must be an Administrator in your Okta account, and you must be an Account Admin in Harness.
You need a Harness API key and unexpired token that has all Users and User Groups permissions. API keys inherit permissions from the user they are associated with. If you use an API key for a service account, make sure the service account has all Users and User Groups permissions.
Create an Okta app integration
To enable automated provisioning, you must add a Harness app to your Okta administrator account.
- Log in to your Okta administrator account, select Applications, and select Create App Integration.
- On the Create a new app integration page, select SAML 2.0 for the Sign-on Method, and then select Next.
- In the General Settings, enter a name in the Application label field, and then select Next.
- In the SAML settings, enter your Harness Single sign-on URL. The single sign-on URL format is:
  https://app.harness.io/gateway/api/users/saml-login?accountId=YOUR_ACCOUNT_ID
  Replace YOUR_ACCOUNT_ID with your Harness account ID. The URL depends on the Harness production cluster you use: Prod1: https://app.harness.io, Prod2: https://app.harness.io/gratis, or Prod3: https://app3.harness.io.
- For Audience URI (SP Entity ID), enter app.harness.io.
- For Attribute Statements (optional), enter a name in the Name field, select Basic for the Name Format, and set the Value to user.email.
- For Group Attribute Statements (optional), enter a name in the Name field, select Basic for the Name format (optional), select an appropriate Filter, and enter the appropriate corresponding filter value.
- Select Next.
- In the Feedback options, select the relevant option, and then select Finish.
- In your newly created app, select the General tab, and then under App Settings, select Edit.
- Select Enable SCIM provisioning, and then select Save.
Authorize the Okta integration
Authorize your Okta app with Harness.
- In your Okta administrator account, go to Applications, and then select Applications.
- Find your Harness app, select Provisioning, and then select Integration.
- Select Edit.
- For SCIM connector base URL, enter the base URL for your API endpoint. The base URL format is:
  https://app.harness.io/gateway/ng/api/scim/account/YOUR_ACCOUNT_ID
  Replace YOUR_ACCOUNT_ID with your Harness account ID.
- In Unique identifier field for users, enter userName.
- Select the Supported provisioning actions:
  - Import new users and profile updates
  - Push new users
  - Push profile updates
  - Push groups
- For Authentication Mode, select HTTP Header, and enter your Harness API token in Bearer. For instructions on creating Harness API keys and tokens, go to Manage API keys.
- Select Test Connection.
- If the test succeeds, select Save.
- Go to the Provisioning tab, and select the To App settings.
- Enable Create Users, Update User Attributes, and Deactivate Users.
- Select Save.