SCIM with Okta
Cyral supports the use of the SCIM protocol to retrieve group information from your Okta directory. While Cyral also supports other ways to retrieve group information from Okta, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, a Snowflake login with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.
Prerequisites
Before you set up the SCIM integration, make sure you have:
A working Okta SSO integration in Cyral.
tip
Cyral recommends that you create a new Okta SSO integration that is not being used in any other Cyral integration in your environment.
When creating the Okta SSO integration, Cyral recommends that you skip the final configuration step, Add users and groups to the Okta app, such that the Okta app has no users or groups assigned to it initially. Later, when you create the Okta SCIM integration with Cyral, you will assign users and groups.
Users who will log in with Cyral must have the following identity attributes stored in their Okta user record:
- first name
- last name
- username
Get configuration values from the Cyral UI
In the Cyral CP, navigate to Integrations ➡️ SAML ➡️ Configure ➡️ find your SAML SSO integration and click the pencil icon to edit.
Select Enable service account resolution. The Configure Your SCIM Integration panel appears.
Note the value shown in the field, SCIM connector base URL. In the next procedure, you or your SAML administrator will copy this value into SAML. Keep this tab open, or store this value securely until you need it. This value contains the OAuth bearer token, which must be kept secure.
note
The information shown here includes:
- SCIM connector base URL: The base URL for the SCIM integration endpoints.
- Supported provisioning actions: The provisioning actions your SAML app
will take for this integration. In our case, we want the SAML app to:
- Push New Users to Cyral
- Push Profile Updates to Cyral
- Push Groups to Cyral
- Authentication Mode: The method used by SAML to authenticate with Cyral. This will be an OAuth HTTP bearer token.
- Bearer Token: An OAuth access token needed for authentication and authorization with the Cyral SCIM endpoints associated with the given integration instance. :::
Click Save.
Configure SCIM in Okta
Perform the following steps in your Okta dashboard.
Set up and test SCIM
Add SCIM provisioning to your existing Okta app used for Cyral SSO (mentioned in the procedure above):
In a new browser tab, open the Okta documentation page, Add SCIM provisioning to app integrations.
note
In the guide linked above, you or someone on your team will have already completed Task 1 (Create an SSO integration that supports SCIM) when setting up the Okta SSO app for Cyral.
Use the values described in Step 3 of the Get configuration values from the Cyral UI to configure your SCIM integration. For the Unique identifier field for users field, you need to use the SCIM attribute defined by Okta to uniquely identity SCIM users. In this case, we will write userName.
Click Test Connector Configuration. The UI should look something like this:
tip
Errors here may indicate a failure to authenticate with the Cyral API. In this case, double check your configuration information. If your connection information looks correct, regenerate the HTTP Bearer token by clicking Save again in the Cyral in the Configure Your SCIM Integration panel. Add the new HTTP bearer token to your configuration in Okta.
Click Close and Save.
Enable user provisioning
The following steps will start the provisioning process to copy Okta users and groups to Cyral.
tip
When setting up a new SCIM integration, Cyral recommends first testing the steps below with a limited set of users and groups, before you attempt to import all users.
In the Okta UI, in your SSO app's Provisioning tab, a new menu item, To App will appear in the navigation menu on the left. Click To App ➡️ Edit.
Enable the following:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save
On the same page, scroll down to the Attribute Mappings section. Make sure first name, last name, username, and email are mapped. Remove any other attributes that you do not wish to share.
caution
The integration requires that you include Attribute Mappings for:
- first name
- last name
- username
- email :::
When finished with the desired attribute mappings, select Force Sync.
Navigate from the Provisioning tab to the Assignments tab.
Assign appropriate users and groups to the application
note
If this is an SSO integration that already has Users provisioned to it, you will see the error, "User was assigned this application before Provisioning was enabled..."
If this happens, click the Provision User button.
If all users were provisioned via groups (see the column Type), this will automatically provision all users.
Open View System Logs in new tab to verify that users were properly provisioned.
Push SSO groups to Cyral
In order to take full advantage of Cyral’s identity attribution capabilities, the groups for all SSO users must be pushed to Cyral.
Prerequisite
Before you can push a group from Okta to Cyral, all users in that group must have been provisioned in the Okta SSO app that you're using for SCIM. This is required by Okta. To do this:
Assign the group directly to your SSO app in Okta using the Assignments tab
Check that all users were provisioned correctly.
Procedure
In the Okta UI, in your SSO app, click on the Push Groups tab.
Select Push Groups ➡️ By name.
note
Pushing By rule is also supported, but Cyral recommends that you first push a small group By name as a test.
Type in the name of the group you wish to push and select it.
tip
If the only group assigned to the app under the Assignments tab is the default Okta group Everyone (containing all users in the Okta instance), no groups will should up. You must first assign to the application one group that is NOT the Everyone group.
The Okta UI will let you create a new group in the Cyral SCIM application, or link it to an existing group. Since there will be no existing groups in the Cyral SCIM application, choose Create Group.
The Push status will change from Pending to Active once the group has been provisioned successfully.
Once again, check the System Logs by clicking View Logs to verify that the configuration was successful.
Next step
With SCIM configured, your Cyral installation can provide service account resolution for Looker and Tableau, ensuring you know the SSO user identity of users who connect to a repository through a service account. See set-up instructions: