Provision Okta with SCIM

This topic describes how to provision the Okta application using System for Cross-domain Identity Management (SCIM) provisioning.

Configure CyberArk Identity for SCIM provisioning

This section describes how to configure CyberArk Identity for provisioning an external IdP in the Identity Administration portal.

Step 1: Create a service user

The service user acts on behalf of the external IdP when information is sent to CyberArk Identity.

  1. Go to Core Services > Users, then click Add.

  2. Complete the Login name, Display name, and Password fields.

  3. Under Status, select Is OAuth confidential client.

    This automatically selects Password never expires and Is service user.

  4. Save the user.

Step 2: Add a role for the service user

The role is used to give the service user the required administrative rights for provisioning users.

  1. Go to Core Services > Roles, then click Add Role.

  2. Add a suitable name for the role, then go to the Administrative Rights tab and add the following administrative rights:

    • User Management

    • Role Management

  3. Add the service user created in the previous step as a member of this role, then save the role.

Step 3: Create an OAuth2 Client App

The OAuth2 Client App provides the bearer token to access the SCIM APIs.

  1. Go to Apps & Widgets > Web Apps, then click Add Web Apps.

  2. On the Custom tab, click Add next to OAuth2 Client.

  3. On the Settings tab of the OAuth2 Client app, complete the required fields.

  4. On the Tokens tab, select the following settings.



    Token Type


    Auth methods

    • Auth Code

    • Implicit

    • Client Creds

    The Access and ID token lifetime can be anything that aligns with your security policies. However, Azure does not refresh this token or warn when the token expires. To prevent provisioning from breaking due to an expired token, we recommend scheduling a reminder to replace the token before it expires.

  5. On the Scope tab, click Add and enter a name for the scope.

  6. Under Allowed Rest APIs, click Add and then enter scim* in the REST Regex table and save your changes.

  7. On the Permissions tab, add the role containing the service user with Run and Automatically Deploy permissions, then save the app.

Step 4: Create a bearer token

You will need the bearer token to configure AAD for automatic provisioning. AAD will include the bearer token in the authorization header of requests to CyberArk Identity SCIM APIs.

  1. In the OAuth2 Client app, select Actions > Create Bearer Token.

  2. Enter the service user's credentials, then click Get Token.



    Client ID

    The service user's login name (including the suffix)

    Client Secret

    The service user's password

  3. Copy the token and keep it available for configuring AAD provisioning.

Step 5: Add the user suffix(es) to CyberArk Identity

CyberArk Identity must have a matching suffix for every user that you want to provision from AAD. For example, if the AAD’s domain is, then add the suffix to CyberArk Identity.

See Create a login suffix for more information.

Configure Okta for SCIM provisioning

  1. In Okta, go to Applications, then open the SAML app you created.

  2. In the General tab, enable provisioning for the application by selecting the Enable SCIM provisioning checkbox in the App Settings section.

  3. Edit the settings in the SCIM Connection section as follows:



    SCIM connector base URL


    Unique identifier field for users


    Supported provisioning actions

    Select the required checkboxes

    Authentication Mode

    HTTP header


    Bearer <token>

  4. In the SCIM Connection Details page, select the Test Connector Configuration checkbox to verify the configuration, then click Save.

    The connector configuration test will only test the options selected.

  5. In the Provisioning tab, select Enable for the following:

    • Create Users

    • Update User Attributes

    • Deactivate Users

    • Sync Password (From the Password Type list, select Sync Okta Password)

    In Okta, provisioning automatically onboards users and groups when they are added to the application.