About SCIM Directory Integration with Okta
SCIM Directory Integration with Okta in Iru Endpoint allows you to set up SCIM-based user directory synchronization between Okta and Iru Endpoint, enabling automatic user and group provisioning and deprovisioning.
How It Works
The SCIM integration creates a secure connection between Okta and Iru Endpoint, enabling automatic synchronization of user and group data. When users or groups are added, modified, or removed in Okta, these changes are automatically reflected in Iru Endpoint through the SCIM protocol.
Prerequisites
- Ensure you’re using Okta’s Advanced Lifecycle Management plan, which supports built-in, standards-based provisioning for SCIM.
- Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.
Get the SCIM Token and API URL
Complete these steps in Iru Endpoint first. You will need the SCIM access token and API URL when configuring Okta. For full details, see the SCIM Directory Integration article.
Open Integrations
In Iru Endpoint, click your name at the bottom of the left navigation, then select Integrations.
Discover Integrations
Click Discover integrations in the upper-right of the Integrations page.
Add SCIM Protocol
On the SCIM protocol tile, click Add and configure.
Start Configuration
Click Get started.
Name the Integration
Enter a unique name for the SCIM integration.
Generate Authentication Token
Click Generate token. The SCIM integration uses an HTTP authorization header with a Bearer Token.
Copy the Token
Click Copy token. The token will not be visible again after you click Done. Store it securely, as you will need it in the Okta tab.
Confirm and Complete Setup
Confirm that you have copied the token by checking the box, then click Done. You will return to the Integrations page.
Access Integration Details
Click the ellipsis on the SCIM directory integration you created.
Copy API URL
Copy the SCIM API URL (e.g. https://subdomain.api.iru.com/api/v1/scim). Your identity provider will require this. The URL displayed in your tenant may still show the api.kandji.io domain. The api.kandji.io version of the SCIM API URL will also work for this purpose.
Switch to Okta Tab
Keep the token and API URL available, then switch to the Okta tab to create and configure the SCIM app integration.
Complete the Iru Endpoint tab first to obtain the SCIM token and API URL. You will enter these in the steps below.
Creating the SCIM Integration in Okta
The Iru Endpoint application available in the Okta Integration Network (OIN) cannot be provisioned for SCIM. A new Application Integration must be created to leverage SCIM. This new app integration will not interfere with any existing Okta SSO integration leveraging the OIN Iru Endpoint application.
Access Okta Tenant
Log in to your Okta admin console at login.okta.com.
Navigate to Applications
Once logged in, in the left-hand navigation, expand the Applications section and choose Applications.
Create App Integration
Click Create App Integration.
Select Application Type
Select SAML 2.0 as the application type and click Next.
Configure General Settings
In General Settings, give the app a name and check the box in the App visibility section. Then click Next.
Configure SAML Settings
In SAML Settings, enter a placeholder URL in the Single sign-on URL and Audience URI (SP Entity ID) fields. Do not change any other settings.
Continue Configuration
Click Next.
Complete Setup
In Help Okta Support understand how you configured this application, select the checkbox for This is an internal app that we have created, and click Finish.
Since we will not be using this application integration for SSO, the URLs do not need to be valid; however, you must enter URLs in these fields in order to proceed. If you decide to enable SAML SSO in Iru Endpoint, you can use this same app to do so.
Configuring SCIM Settings
Access General Tab
In the Okta SCIM app you just created, navigate to the General tab.
Edit Settings
In the Settings section, click Edit.
Select SCIM Provisioning
Select SCIM in the Provisioning setting.
Save General Settings
Do not modify any other settings, and click Save.
Access Provisioning Tab
In the Provisioning tab, click Edit in the Integration section.
Configure SCIM API URL
For SCIM connector base URL, enter the SCIM API URL you copied from the Iru Endpoint tab (e.g. https://subdomain.api.iru.com/api/v1/scim). The api.kandji.io version of the SCIM API URL will also work for this purpose.
Set User Identifier
For Unique identifier field for users, enter userName.
Select Provisioning Actions
For Supported provisioning actions, select Push New Users, Push Profile Updates, and Push Groups.
Configure Authentication
For Authentication Mode, select HTTP Header.
Enter Authorization Token
For Authorization, enter the Bearer Token you obtained in the Iru Endpoint tab.
Test Configuration
Click Test Connector Configuration to test the integration.
Verify Test Results
In the list of detected features, confirm that only the following items display a checkmark to indicate success:
- Create Users
- Update User Attributes
- Push Groups
Save Integration Settings
Click Save.
Configure App Provisioning
While still on the Provisioning tab, go to the To App section and click Edit.
Enable User Operations
In the Provisioning to App section, enable Create Users, Update User Attributes, and Deactivate Users.
Save App Settings
Click Save.
Configure Attribute Mappings
(Optional) In the Attribute Mappings, edit the user attributes to send to Iru Endpoint. Iru Endpoint will only store and use the attributes mentioned in the SCIM Directory Integration article.
Assigning Users to Iru Endpoint
In Okta, the same group cannot be used on both the Assignments tab and the Push Groups tab. To avoid that conflict, create one assignment group for SCIM app access (for example, iru_endpoint_users) and keep it in sync with the users in your pushed groups. Then assign that assignment group to the SCIM app.
This is one example of assigning users to Iru Endpoint through Okta SCIM.
Create the assignment group
Navigate to Groups
In a new browser tab, navigate to Directory > Groups and click Add Group.
Create User Group
Give the group a meaningful name like iru_endpoint_users and click Save.
Add members with a group rule
Use this when people in your push groups (for example, Sales and Engineering) should automatically become members of iru_endpoint_users. If you follow these steps, you do not need to bulk-add those users by hand.
Open Group Rules
Go to Directory > Groups > Rules and click Add Rule.
Name the rule
Enter a rule name (for example, Update iru_endpoint_users group membership).
Configure group membership condition
Under IF, select Use basic condition and Group membership, then set includes any of the following and choose the groups you plan to push (for example, Sales and Engineering).
Assign target group
Under Then Assign to, select iru_endpoint_users, then click Save.
Activate the rule
Back on the Rules page, open Actions for the new rule and click Activate.
Add members manually
Use this when you are not using a group rule, for example, to add test users before push groups and rules are in place, or for people who must be in iru_endpoint_users but are not in any pushed group yet.
Add users to the assignment group
Search for iru_endpoint_users and add the users who should have the SCIM app.
Assign the group to the SCIM app
Return to SCIM App
Navigate back to the browser tab where the Okta SCIM app is open.
Access Assignments
Go to the Assignments tab, click Assign > Assign to Groups.
Assign Group
Search for the newly created group and click Assign > Save and Go Back.
Confirm Assignment
Confirm that the group was assigned and click Done. The group should now appear in the Assignments tab’s Groups section.
Refresh if Needed
If the group does not display, try refreshing the browser tab.
All users in iru_endpoint_users are provisioned to Iru Endpoint and appear in the Users module. To sync groups for conditional logic in Blueprints, continue with the next section.
Pushing Groups to Iru Endpoint
In this section, learn how to push user groups to Iru Endpoint.
To push Okta groups to Iru Endpoint for use with conditional logic in Blueprints, add each group you want to push to the Push Groups tab in the SCIM app.
Per this Okta article, groups used to assign users in the Assignments tab cannot be used in the Push Groups tab. Okta recommends creating additional groups containing the same users and adding the new groups to the Push Groups tab for consistent group membership. If the same group is added in both places, the Assignments tab will take precedence, and the group may not be pushed. One way to handle this is to create a single “user assignment” group containing all your Iru Endpoint users and add that group to the Assignments tab. From there, you can use your existing Okta groups as Push Groups. Remember that for the user-group association to work, the members of the pushed groups must also be members of the Iru Endpoint users group assigned to the SCIM app.
Add groups on the Push Groups tab
On the SCIM app, add every Okta group that should appear in Iru Endpoint.
Access Push Groups
Open the Push Groups tab, click Push Groups, then Find groups by name (or Find groups by rule).
Select Group
Search for the group and select it.
Configure Group Creation
Select Create Group.
Save and Add Another
Click Save & Add Another.
Add Additional Groups
Add any other groups to push to Iru Endpoint.
Pushing Group Updates
User and group syncing is one-way, meaning the SCIM app sends user and group data to Iru Endpoint only when there is new or updated data. For this reason, a “Sync Now” option is not needed in the Iru Endpoint Web App.
- If you add users to the group assigned to the SCIM app in Okta, be sure to also update the groups you have added as Push Groups.
- Updates should be seen in Iru Endpoint fairly quickly; to push group updates immediately, use Push Now on the Push Groups tab in Okta. See the Okta article.
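The membership rule from the Pushing Groups section (members of pushed groups must also be in the group assigned to the SCIM app, and the assignment group cannot itself be a push group) can be checked offline before relying on group-based logic. This is an added example, not Iru or Okta code; the group,login export format and every membership and address in the sample are constructed for illustration.

```python
import csv
import io

# Constructed sample export: one "group,login" row per membership.
# The column names and all values are made up for this example.
SAMPLE_EXPORT = """group,login
iru_endpoint_users,ana@example.com
iru_endpoint_users,ben@example.com
iru_endpoint_users,old.contractor@example.com
Sales,ana@example.com
Sales,cara@example.com
Engineering,ben@example.com
"""

def load_memberships(text):
    """Parse group,login rows into {group: {login, ...}} (logins lowercased)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        group = row["group"].strip()
        login = row["login"].strip().lower()
        if group and login:
            groups.setdefault(group, set()).add(login)
    return groups

def audit(groups, assignment_group, push_groups):
    """Compare the assignment group with the union of the pushed groups."""
    absent = [g for g in [assignment_group, *push_groups] if g not in groups]
    if absent:
        raise ValueError(f"groups not present in export: {absent}")
    if assignment_group in push_groups:
        raise ValueError("assignment group must not also be a push group")
    assigned = groups[assignment_group]
    pushed = set().union(*(groups[g] for g in push_groups))
    return {
        # In a pushed group but not assigned to the SCIM app: the user is not
        # provisioned, so the user-group association cannot work.
        "not_assigned": {g: sorted(groups[g] - assigned)
                         for g in push_groups if groups[g] - assigned},
        # Assigned to the SCIM app but in no pushed group: provisioned user
        # with no synced group, worth reviewing as possible stale access.
        "no_push_group": sorted(assigned - pushed),
    }

if __name__ == "__main__":
    print(audit(load_memberships(SAMPLE_EXPORT),
                "iru_endpoint_users", ["Sales", "Engineering"]))
```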
Deleting Pushed Groups
Use the following steps to stop pushing group updates or optionally delete a pushed group from Iru Endpoint.
Access Push Groups Tab
Go to the Push Groups tab for the app in Okta.
Unlink Push Group
In the Push Status column, select Unlink push group.
Configure Deletion
Select Delete the group in the target app (recommended). This removes the group in Iru Endpoint but does not delete user accounts. User accounts stay tied to the assignment group on the Provisioning tab.
Confirm Unlink
Click Unlink.
You should no longer see the group listed on the Push Groups tab.