SCIM provisioning automates user account management: accounts are created, updated, maintained and removed from your identity provider rather than by hand, so users hold the correct permissions to access their organization's cloud-based applications securely.
Getting Started
- Ask your CSM to enable API access for your account.
- Assign the "API Manager" role to the person responsible for configuring user provisioning.
- Once assigned, the API Manager should create a new API credential. Name it appropriately (e.g. 'Okta SCIM'). The scopes are set in a later step. Important: store the secret securely, as it is displayed only once and cannot be retrieved later.
- Create an application for Rydoo in your Okta admin console.
- Configure SSO for the new Okta application.
- Request your CSM to configure the API credential as the authentication for Okta SCIM. Include in the request:
  - The name of the API credential you just created.
  - The name of the Rydoo application in your Okta account, including its unique Okta application name (a separate guide explains how to find it).
Technical background on what we’ll do for you:
- Allow the use of OAuth2 Authorization Code Grant Flow
- Set the necessary scopes
- Safelist (allowlist) the OAuth2 callback URLs so that only those belonging to your Okta application, identified by its unique Okta application name, are accepted
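The three points above are the OAuth2 Authorization Code grant seen from both sides: Okta builds the authorize request and verifies the callback, and Rydoo's authorization server only releases a code to a safelisted callback. The following is an added example, not Rydoo's or Okta's code. The endpoint and scope values are the ones listed on this page; the Okta callback URL shape, the application name, the client_id and the client_secret are constructed stand-ins.

```python
# Added example, not Rydoo's or Okta's code: the checks both sides of the
# OAuth2 Authorization Code grant described above should perform. The
# endpoint and scope values are those listed on this page; the Okta
# callback URL shape, the application name and the client_id are constructed.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URI = "https://accounts.rydoo.com/connect/authorize"
TOKEN_URI = "https://accounts.rydoo.com/connect/token"
SCOPES = ["company", "users:read", "users:write", "offline_access"]


def build_authorize_url(client_id, redirect_uri, state):
    """Authorize request the client (Okta) sends the admin's browser to.
    urlencode yields the same scope string as the page's authorization
    endpoint URI: company+users%3Aread+users%3Awrite+offline_access."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,  # random per request, bound to the admin's session
    }
    return AUTHORIZE_URI + "?" + urlencode(params)


def is_safelisted_redirect(redirect_uri, safelist):
    """Authorization-server side: accept the callback only if it equals a
    registered callback exactly (scheme, host, port, path, query). Prefix
    matches, look-alike hosts and plain http are rejected, so an attacker
    cannot have the authorization code delivered to a URL they control."""
    candidate = urlsplit(redirect_uri)
    if candidate.scheme != "https" or candidate.fragment:
        return False
    return any(urlsplit(allowed) == candidate for allowed in safelist)


def parse_callback(callback_url, expected_state):
    """Client side: validate the redirect back from Rydoo. The state must equal
    the one sent in the authorize request (CSRF / code-injection protection)
    and an authorization code must be present."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Form body the client posts to the token endpoint over TLS; the secret
    never appears in a browser-visible URL. redirect_uri must repeat the one
    used in the authorize request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    # Constructed values: stand-ins for your unique Okta application name and
    # for the Client ID / Client Secret of the 'Okta SCIM' API credential.
    app_name = "rydoo_example_app"
    callback = f"https://okta.example.test/admin/app/cpc/{app_name}/oauth/callback"
    safelist = [callback]  # what the CSM registers for your credential
    state = secrets.token_urlsafe(16)

    print(build_authorize_url("okta-scim-client-id", callback, state))
    print(is_safelisted_redirect(callback, safelist))                           # True
    print(is_safelisted_redirect(callback + "?next=evil", safelist))            # False
    print(is_safelisted_redirect(callback.replace("https", "http"), safelist))  # False

    code = parse_callback(f"{callback}?code=constructed-code-123&state={state}", state)
    print(token_request("okta-scim-client-id", "okta-scim-client-secret", code, callback))
```

The exact-match safelist is the part the CSM configures for you; the state check is what Okta does before it exchanges the code at the token endpoint. If either check fails, the code must be discarded rather than retried.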
Enabling
- Enable SCIM provisioning for the application.
- Configure Rydoo SCIM endpoint access with the values below (Production and Sandbox):

SCIM connector base URL
  Production: https://scim.rydoo.com/v2
  Sandbox: https://sandbox-scim.rydoo.com/v2
Unique identifier field for users
  Production and Sandbox: userName
Supported provisioning actions
  Production and Sandbox: ☑️ Push New Users, ☑️ Push Profile Updates
Authentication Mode
  Production and Sandbox: OAuth 2
Access token endpoint URI
  Production: https://accounts.rydoo.com/connect/token
  Sandbox: https://sandbox-accounts.rydoo.com/connect/token
Authorization endpoint URI
  Production: https://accounts.rydoo.com/connect/authorize?scope=company+users%3Aread+users%3Awrite+offline_access
  Sandbox: https://sandbox-accounts.rydoo.com/connect/authorize?scope=company+users%3Aread+users%3Awrite+offline_access
Client ID
  Production and Sandbox: Client ID of the Rydoo API credential
Client Secret
  Production and Sandbox: Client Secret of the Rydoo API credential
- Press 'Authenticate with Rydoo' to authorize Okta, through a consent screen, to read and modify your Rydoo user data. Check that the Client ID shown on the consent screen is the one of the API credential you created, leave all permissions checked and press 'Yes, Allow'.
Example of a scope consent screen
- Verify that you received a "Rydoo's API is authenticated" message.
- Enable user provisioning functionalities in the 'To App' tab. We support the functionalities listed below, but not all have to be enabled. Note that without 'Deactivate Users', users removed from the Okta application keep their Rydoo account until it is deactivated by hand.
  ☑️ Create Users
  ☑️ Update User Attributes
  ☑️ Deactivate Users
- Configure the Rydoo user profile mapping. Refer to our SCIM user resource schema below to see which user attributes we support.
User Resource Schema
{
  "id": "urn:ietf:params:scim:schemas:core:2.0:User",
  "name": "User",
  "attributes": [
    {
      "name": "userName",
      "type": "string",
      "multiValued": false,
      "required": true,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "server"
    },
    {
      "name": "name",
      "type": "complex",
      "multiValued": false,
      "required": true,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none",
      "subAttributes": [
        {
          "name": "familyName",
          "type": "string",
          "multiValued": false,
          "required": true,
          "caseExact": false,
          "mutability": "readWrite",
          "returned": "default",
          "uniqueness": "none"
        },
        {
          "name": "givenName",
          "type": "string",
          "multiValued": false,
          "required": true,
          "caseExact": false,
          "mutability": "readWrite",
          "returned": "default",
          "uniqueness": "none"
        }
      ]
    },
    {
      "name": "displayName",
      "type": "string",
      "multiValued": false,
      "required": false,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    },
    {
      "name": "active",
      "type": "boolean",
      "multiValued": false,
      "required": false,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    },
    {
      "name": "emails",
      "type": "complex",
      "multiValued": true,
      "required": false,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none",
      "subAttributes": [
        {
          "name": "value",
          "type": "string",
          "multiValued": false,
          "required": true,
          "caseExact": false,
          "mutability": "readWrite",
          "returned": "default",
          "uniqueness": "server"
        }
      ]
    }
  ]
}
- To start syncing your Okta users with Rydoo users, assign specific users or groups of users in the 'Assignments' tab of your Okta application.
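What the profile mapping has to produce is a User payload that satisfies the schema above: userName and both name parts are required, emails is multi-valued, active is a boolean. The following is an added example, not Rydoo's code, that checks a payload against those rules before it is pushed; the schema is condensed to the type, required and multiValued fields, and the Okta profile values and the mapping function are constructed.

```python
# Added example, not Rydoo's code: validate a SCIM 2.0 User payload, as Okta
# pushes it, against the Rydoo user resource schema above (condensed here to
# type, required and multiValued, which is what validation needs). The Okta
# profile values and the mapping function are constructed.
USER_SCHEMA_URN = "urn:ietf:params:scim:schemas:core:2.0:User"

# attribute -> (type, required, multiValued, sub-attributes), from the page's schema
RYDOO_USER_ATTRS = {
    "userName": ("string", True, False, None),
    "name": ("complex", True, False, {
        "familyName": ("string", True, False, None),
        "givenName": ("string", True, False, None),
    }),
    "displayName": ("string", False, False, None),
    "active": ("boolean", False, False, None),
    "emails": ("complex", False, True, {
        "value": ("string", True, False, None),
    }),
}
PYTHON_TYPES = {"string": str, "boolean": bool, "complex": dict}
# common SCIM attributes that are not part of the Rydoo user schema
SCIM_COMMON = {"schemas", "id", "externalId", "meta"}


def _check(obj, attrs, path, errors):
    for name, (typ, required, multi, subs) in attrs.items():
        here = f"{path}.{name}" if path else name
        if name not in obj:
            if required:
                errors.append(f"{here}: required attribute missing")
            continue
        if multi and not isinstance(obj[name], list):
            errors.append(f"{here}: multiValued attribute must be a list")
            continue
        for value in (obj[name] if multi else [obj[name]]):
            if not isinstance(value, PYTHON_TYPES[typ]):
                errors.append(f"{here}: expected {typ}, got {type(value).__name__}")
            elif typ == "string" and not value.strip():
                errors.append(f"{here}: must not be empty")
            elif subs:
                _check(value, subs, here, errors)


def validate_user(user):
    """Return the list of problems with a pushed User; empty means acceptable."""
    errors = []
    if USER_SCHEMA_URN not in user.get("schemas", []):
        errors.append(f"schemas: must include {USER_SCHEMA_URN}")
    _check(user, RYDOO_USER_ATTRS, "", errors)
    return errors


def ignored_attributes(user):
    """Top-level attributes Okta may send that the Rydoo schema does not list.
    They are not errors, but an unexpected entry usually means a mapping mistake."""
    return sorted(set(user) - set(RYDOO_USER_ATTRS) - SCIM_COMMON)


def okta_profile_to_scim(profile):
    """Constructed mapping from an Okta-style user profile to the Rydoo
    attributes; optional attributes Okta left unset are dropped, not sent as null."""
    user = {
        "schemas": [USER_SCHEMA_URN],
        "userName": profile.get("login"),
        "name": {"familyName": profile.get("lastName"), "givenName": profile.get("firstName")},
        "displayName": profile.get("displayName"),
        "active": profile.get("status") == "ACTIVE",
        "emails": [{"value": profile["email"], "primary": True}],
    }
    return {k: v for k, v in user.items() if v is not None}


if __name__ == "__main__":
    ok = okta_profile_to_scim({"login": "jane.doe@example.test", "email": "jane.doe@example.test",
                               "firstName": "Jane", "lastName": "Doe", "status": "ACTIVE"})
    print(validate_user(ok))  # []
    # lastName is unset in Okta: the required name.familyName cannot be satisfied
    bad = okta_profile_to_scim({"login": "j.roe@example.test", "email": "j.roe@example.test",
                                "firstName": "J", "status": "DEPROVISIONED"})
    print(bad["active"], validate_user(bad))  # False ['name.familyName: expected string, got NoneType']
```

Run this against a few representative Okta profiles before assigning the whole population: a profile with an empty last name or a non-boolean status mapping fails here instead of failing on the push, where Okta surfaces it as a provisioning error per user.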
SCIM Most Common Questions
Below you can find answers to questions that usually come up while using SCIM Provisioning.
If you can't find your query on the list, feel free to reach out via the chat bubble or contact us at support@rydoo.com.
Can SCIM be limited to certain branches in a Rydoo account?
There is no branch limitation enforced: we sync every user that gets pushed by SCIM.
The branch is not created in Rydoo
If a branch isn't created in Rydoo but users are synced via Okta, does this mean the entire Okta population will always be synced to Rydoo?
Only the users assigned to the Rydoo app in Okta are synced, giving full control over which users are included.
Manual user creation vs SCIM creation
What happens if a user is created manually in Rydoo first, and later the same user is created in Okta and sent via SCIM? Will the user be updated automatically, or is manual intervention required?
When a user is synced via SCIM, initial matching is done based on the email address. If the email matches the manually created account, the UserGuid becomes the primary matching field, ensuring the user is updated correctly in the future. If the email doesn't match initially, manual intervention may be required to resolve the issue.
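The matching order in that answer, worked as a reconciliation routine, as an added example that is not Rydoo's code. The existing accounts and the pushed user are constructed; 'userGuid' stands for the Rydoo UserGuid that Okta stores as the SCIM id after the first successful match.

```python
# Added example, not Rydoo's code: the matching order described in the answer
# above, worked as a reconciliation step. Existing accounts and the pushed user
# are constructed; 'userGuid' stands for the Rydoo UserGuid that Okta stores as
# the SCIM id after the first successful match.
def reconcile(pushed, existing):
    """Return (action, account) for one user pushed via SCIM.
    pushed: SCIM User dict; its 'id' is the UserGuid, present only once known.
    existing: list of dicts with 'userGuid', 'email' and 'scimLinked'."""
    # 1. once linked, the UserGuid is authoritative: an email change is an update
    if pushed.get("id"):
        for acct in existing:
            if acct["userGuid"] == pushed["id"]:
                return "update", acct
        return "manual", None  # known id no longer resolves: nothing safe to do automatically
    # 2. first contact: match on email address, case-insensitively
    emails = {e["value"].strip().lower() for e in pushed.get("emails", [])}
    hits = [a for a in existing if a["email"].strip().lower() in emails]
    if len(hits) == 1:
        hits[0]["scimLinked"] = True  # from now on this account is matched by UserGuid
        return "link", hits[0]
    if hits:
        return "manual", None  # ambiguous: several accounts carry the address
    # 3. no match: a new account is created. If the manually created account
    # exists under a different address, this produces a second account that has
    # to be merged by hand, which is the case the answer above warns about.
    return "create", None


if __name__ == "__main__":
    accounts = [{"userGuid": "guid-1", "email": "Jane.Doe@example.test", "scimLinked": False}]
    first = {"userName": "jane.doe@example.test", "emails": [{"value": "jane.doe@example.test"}]}
    print(reconcile(first, accounts))  # ('link', {... 'userGuid': 'guid-1' ...})
    later = {"id": "guid-1", "userName": "jane.smith@example.test",
             "emails": [{"value": "jane.smith@example.test"}]}
    print(reconcile(later, accounts))  # ('update', ...) despite the new address
    unknown = {"userName": "new@example.test", "emails": [{"value": "new@example.test"}]}
    print(reconcile(unknown, accounts))  # ('create', None)
```

The practical consequence: make sure the email in the Okta profile equals the one on any account created by hand before assigning that user, since the address is only consulted once.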
Group synchronization
Group synchronization is not currently included in the SCIM sync, and at this time we have no plans to implement it. After assessing its feasibility, we found that Okta's SCIM support for groups lacks the functionality needed to align with our specific use case.