Provision Users with Okta (SCIM)

Updated 1 month ago by Rashmi Nanda Sahoo

System for Cross-Domain Identity Management (SCIM) is an open standard protocol for the automation of user provisioning.

Automatic provisioning refers to creating users and user groups in Harness. In addition to creating these, automatic provisioning includes the maintenance and removal of users and user groups as and when required.

This topic describes how to build a SCIM endpoint using OKTA and integrate it with Harness.

Review: Harness Okta SCIM Integration

By using Okta as your identity provider, you can efficiently provision and manage users at the Harness Account, Organization, and Project scopes. The Harness SCIM integration lets Okta act as the single identity manager for adding and removing users and for provisioning User Groups, which is especially useful when you manage many users.

In exchange for the convenience of Okta-provisioned users and groups, you must configure several aspects of Okta, as described in the following sections. You will also have restrictions on modifying Okta-provisioned users and groups natively within Harness, as described in Limitations.

Features Supported

Once you have set up the SCIM integration between Okta and Harness (as described below), Administrators will be able to perform the following Harness actions within Okta:

Limitations

This integration does not support updating a configured user's Primary email or Username in Okta. (However, you can freely update the Display name field.)

When you provision Harness User Groups and users from Okta, you will not be able to modify some of their attributes in Harness Manager. You must do so in Okta.

Operations that you cannot perform on Okta-provisioned User Groups within Harness Manager are:

  • Managing users within the User Group.
  • Adding users to the User Group.
  • Removing users from the User Group.
  • Renaming the User Group.
  • Deleting the User Group.

If a User Group provisioned from Okta duplicates the name of an existing Harness User Group, Harness will maintain both groups. To prevent confusion, you are free to rename the native User Group (but not the Okta-provisioned group).

Where a User Group has been provisioned from Okta, you cannot use Harness Manager to edit the member users' details (Email Address, Full Name, or User Group assignments).

You must use Okta to assign these users to other User Groups (to grant corresponding permissions). You must also use Okta to delete these users from Harness, by removing them from the corresponding Okta app.

When you use Okta to directly assign users to Harness, those users initially have no User Group assignments in Harness. With this method, you are free to use Harness Manager to add and modify User Group assignments.

Step 1: Create App Integration in Okta

To automate the provisioning of users and groups, you must add a Harness app to your Okta administrator account. To do that, perform the following steps:

Log in to your Okta administrator account and click Applications.

Click Create App Integration.

The Create a new app integration dialog appears. Select SAML 2.0 and click Next.

In General Settings, enter a name in the Application label field, and click Next.

The SAML settings appear.

Enter your Single sign on URL. To get it, append your Harness account ID to the end of the following URL: https://app.harness.io/gateway/api/users/saml-login?accountId=

In Audience URI (SP Entity ID), enter app.harness.io.

In Attribute Statements (optional), enter name in the Name field, select Name Format as Basic, and select the Value as user.email.

In Group Attribute Statements (optional), enter a name in the Name field, select Name format (optional) as Basic, select an appropriate Filter, and enter its value.

Click Next.

The Feedback options appear. Select an option and click Finish.

Click General and then click Edit in App Settings.

Select Enable SCIM provisioning in Provisioning. Click Save.

Step 2: Authorize Okta Integration

In your Okta administrator account, click Applications > Applications.

Search for your application and open it.

Click Provisioning and then click Integration.

Click Edit.

In SCIM connector base URL, enter the base URL of your Harness SCIM endpoint. To get it, append your Harness account ID to the end of the following URL: https://app.harness.io/gateway/ng/api/scim/account/

In Unique identifier field for users, enter userName, and select the Supported provisioning actions you want Okta to perform.

Select Authentication Mode as HTTP Header and enter your Harness API token in the Bearer field. Okta sends this token with every SCIM request it makes to your account, so treat it as an account-level credential: grant the key only the permissions needed to manage users and User Groups, keep it out of tickets and chat, and rotate it (and update it here) if it is exposed or expires.

For information on how to create an API Token in Harness, see Add and Manage API Keys.

Click Test Connection. When the test succeeds, click Save.

Your Okta app is now authorized with Harness.

Next, click To App settings in Provisioning and enable Create Users, Update User Attributes and Deactivate Users.

Click Save.
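The Test Connection step above is a black box inside Okta; when it fails, it helps to make the same kind of call yourself. The following added example (not Harness or Okta code) builds the SCIM connector base URL from an account ID, sends a bearer-authenticated SCIM list request (GET /Users with count=1, a standard SCIM 2.0 call chosen here as the probe; Okta's own test may use a different request), and classifies the outcome without ever printing the token. The environment variable names HARNESS_SCIM_TOKEN and HARNESS_ACCOUNT_ID and the offline fake endpoint are assumptions for the example.

```python
"""Check the Harness SCIM endpoint outside Okta, the way "Test Connection" does.

Added example, not Harness or Okta code. Assumes the SCIM base URL given on
this page and an API token in the HARNESS_SCIM_TOKEN environment variable.
"""
import json
import os
import urllib.error
import urllib.request

SCIM_BASE = "https://app.harness.io/gateway/ng/api/scim/account/"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_base_url(account_id: str) -> str:
    """Build the 'SCIM connector base URL' Okta asks for: page URL + account ID."""
    if not account_id or any(c in account_id for c in "/?#"):
        raise ValueError("account ID must be a single opaque path segment")
    return SCIM_BASE + account_id


def auth_headers(token: str) -> dict:
    """Okta's 'HTTP Header' mode sends the API token as a bearer token."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


def check_connection(account_id, token, opener=urllib.request.urlopen):
    """GET /Users?count=1 with the token and classify the result.

    Returns (status, detail); status is one of 'ok', 'auth_failed',
    'http_error', 'unreachable', 'not_scim'. The token is never echoed.
    """
    url = scim_base_url(account_id) + "/Users?startIndex=1&count=1"
    req = urllib.request.Request(url, headers=auth_headers(token), method="GET")
    try:
        with opener(req, timeout=15) as resp:
            body = json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as e:          # must precede URLError (subclass)
        if e.code in (401, 403):
            return "auth_failed", f"HTTP {e.code}: token rejected, regenerate the API key"
        return "http_error", f"HTTP {e.code}"
    except urllib.error.URLError as e:
        return "unreachable", str(e.reason)
    if LIST_RESPONSE not in body.get("schemas", []):
        return "not_scim", "response is not a SCIM ListResponse"
    return "ok", f"{body.get('totalResults', 0)} user(s) visible to this token"


# --- constructed offline stand-in for the Harness endpoint (demo and test only) ---
class _FakeResponse:
    def __init__(self, payload):
        self._payload = payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return json.dumps(self._payload).encode()


def fake_harness_opener(req, timeout=None):
    """Accepts only 'Bearer good-token'; anything else gets 401 like a real SCIM server."""
    if req.get_header("Authorization") != "Bearer good-token":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    return _FakeResponse({"schemas": [LIST_RESPONSE], "totalResults": 3, "Resources": []})


if __name__ == "__main__":
    token = os.environ.get("HARNESS_SCIM_TOKEN", "")
    account = os.environ.get("HARNESS_ACCOUNT_ID", "")
    if token and account:
        print(check_connection(account, token))                               # live check
    else:
        print(check_connection("acct123", "good-token", fake_harness_opener))  # offline demo
```

Run it with the two environment variables set to probe the real endpoint; without them it exercises the fake. An auth_failed result with a freshly created key usually means the key was pasted with whitespace or belongs to a different account than the one in the URL; not_scim usually means the base URL is wrong and something other than the SCIM service answered.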

Option: Create Users

To directly assign your Harness app to individual (existing) Okta users, thereby provisioning those users in your Harness Account, perform the following steps:

In your Okta application, click Assignments.

Click People.

Click Assign > Assign to People. The Assignments settings appear.

Select users and click Assign.

Click Save and Go Back.

Click Done after you have assigned all the intended users.

Users with the Harness app assignment now appear in People.

You can edit or delete users from here.

The assigned users are now listed in your Harness account.

Option: Assign Groups

To assign the Harness app to Okta-defined groups of users, perform the following steps:

In your Okta application, click Assignments.

Click Groups.

Click Assign > Assign to Groups. The Assignments settings appear.

Select groups and click Assign.

Click Save and Go Back.

Click Done after you have assigned all the intended groups.

Groups with the Harness app assignment now appear in Groups.

You can edit or remove group assignments from here.

Group Push to Harness

To provision your application's assigned groups in Harness:

Click Push Groups in your application, then select Push Groups > Find Groups by Name.

Search for the group(s) you want to provision.

Click Save. You can see the status of this Push Group in your application.

This group is now listed in your Harness account.

Option: Update User Attributes

You can edit a user's profile in Okta to update the following attribute values for the corresponding user in Harness:

  • Given name
  • Family name
  • Primary email
  • Primary email type
  • Display name

To update user attributes:

  1. From your Okta administrator account, select Directory > People.
  2. Locate the user you want to edit, and click their name to display their profile.
  3. Click the Profile tab, then click the Edit button.
  4. Update the desired attributes, then click Save.
Only the five fields listed at the top of this section will be synced to Harness users. You can update values in other fields, but those values will be saved for this user only in Okta. They won't be reflected in Harness.

Deactivate Users

You can deactivate users in Okta to delete their Harness accounts, as follows:

  1. From Okta's top menu, select Directory > People, then navigate to the user you want to deactivate.
  2. From that user's profile, select More Actions > Deactivate.
  3. Click Deactivate in the resulting confirmation dialog.
Deactivating a user removes them from all their provisioned apps, including Harness. While a user account is deactivated, you cannot make changes to it. However, you can reactivate the user by clicking Activate on their profile page.
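The Create Users, Push Groups, Update User Attributes, and Deactivate Users actions above are all UI clicks in Okta; on the wire, each one is a SCIM 2.0 request (RFC 7643/7644) to the connector base URL. The following added example (not Harness or Okta code) models the Harness side as a small in-memory SCIM store and walks the four actions through it, including the two rules this page states: userName cannot be changed through the integration, and membership of a pushed group is changed only by Okta. The request bodies follow the SCIM 2.0 PatchOp and resource formats; the sample user and group are constructed, and the way Harness internally treats active=false (the page says the user is removed) is not modelled beyond flipping the flag.

```python
"""SCIM 2.0 messages behind the Okta actions above, applied to a toy Harness-side store.

Added example, not Harness or Okta code. The store is a constructed stand-in for
the service provider; request shapes follow SCIM 2.0 (RFC 7643/7644), which is
what Okta's SCIM connector speaks. Sample users and groups are made up.
"""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
IMMUTABLE = ("userName",)   # the page: Username changes are not supported


class ScimError(Exception):
    """args[0] is the HTTP status a real SCIM server would return."""


class HarnessScimStore:
    """In-memory model of the user/group state Okta manages over SCIM."""

    def __init__(self):
        self.users, self.groups = {}, {}

    def create_user(self, body):                      # POST /Users ("Create Users")
        if USER_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "missing User schema")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            raise ScimError(409, "userName already exists")
        uid, name = str(uuid.uuid4()), body.get("name", {})
        self.users[uid] = {
            "id": uid, "userName": body["userName"], "active": bool(body.get("active", True)),
            "name": {"givenName": name.get("givenName", ""), "familyName": name.get("familyName", "")},
            "displayName": body.get("displayName", ""),
            "emails": [e for e in body.get("emails", []) if e.get("primary")],
        }
        return self.users[uid]

    def patch_user(self, uid, body):                  # PATCH /Users/{id} (update / deactivate)
        user = self._get(self.users, uid, body)
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                raise ScimError(400, f"unsupported op {op['op']}")
            # Okta uses both {"path": "displayName", "value": ...} and the
            # path-less form {"value": {"active": false}}; merge either one.
            changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            for attr, value in changes.items():
                if attr in IMMUTABLE:
                    raise ScimError(400, f"{attr} cannot be changed through this integration")
                user[attr] = value
        return user

    def create_group(self, body):                     # POST /Groups ("Push Groups")
        if GROUP_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "missing Group schema")
        gid = str(uuid.uuid4())
        members = [m["value"] for m in body.get("members", []) if m["value"] in self.users]
        self.groups[gid] = {"id": gid, "displayName": body["displayName"], "members": members}
        return self.groups[gid]

    def patch_group(self, gid, body):                 # PATCH /Groups/{id} (membership from Okta)
        group = self._get(self.groups, gid, body)
        for op in body["Operations"]:
            if op["op"].lower() == "add" and op.get("path") == "members":
                for m in op["value"]:
                    if m["value"] in self.users and m["value"] not in group["members"]:
                        group["members"].append(m["value"])
            elif op["op"].lower() == "remove" and op.get("path", "").startswith("members["):
                target = op["path"].split('"')[1]          # members[value eq "<id>"]
                group["members"] = [m for m in group["members"] if m != target]
            else:
                raise ScimError(400, f"unsupported group op {op}")
        return group

    @staticmethod
    def _get(table, rid, body):
        if body.get("schemas") != [PATCH_OP]:
            raise ScimError(400, "PatchOp schema required")
        if rid not in table:
            raise ScimError(404, "resource not found")
        return table[rid]


def okta_deactivate_request():
    """Body Okta sends on Deactivate / unassign: active -> false, path-less form."""
    return {"schemas": [PATCH_OP], "Operations": [{"op": "replace", "value": {"active": False}}]}


def demo():
    """Assign a user, push a group, edit a display name, deactivate; returns (store, uid, gid)."""
    store = HarnessScimStore()
    alice = store.create_user({                                  # constructed sample user
        "schemas": [USER_SCHEMA], "userName": "alice@example.com", "active": True,
        "name": {"givenName": "Alice", "familyName": "Liddell"}, "displayName": "Alice Liddell",
        "emails": [{"value": "alice@example.com", "primary": True, "type": "work"}],
    })
    devs = store.create_group({"schemas": [GROUP_SCHEMA], "displayName": "developers",
                               "members": [{"value": alice["id"]}]})
    store.patch_user(alice["id"], {"schemas": [PATCH_OP], "Operations": [
        {"op": "replace", "path": "displayName", "value": "Alice L."}]})
    store.patch_user(alice["id"], okta_deactivate_request())
    return store, alice["id"], devs["id"]
```

The store only keeps the attributes this page says are synced (given name, family name, primary email, display name); anything else in the Okta profile is dropped, which mirrors the note under Update User Attributes. The 409 on a duplicate userName is why a user who already exists natively in Harness with the same email collides at assignment time rather than being silently merged.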

Copy Groups

When you provision groups using Okta, they get added to your Account scope. To add them to your Org or Project scope, use the Copy option. This copies the specified group to the desired scope.

Any modifications you make to this User Group through SCIM are reflected in the User Groups in the Account scope as well as all other scopes where it has been copied.

Here is an example to copy a group from the Account scope to Organization scope:

In Harness, go to Account Settings > Access Control, then click User Groups.

Click More Options next to the User Group you want to copy.

Click Copy. The Copy group settings appear.

Select the Organization where you want this User Group to be copied.

To copy User Group to Projects within the scope of this Organization, click Copy to project(s) and then select Projects.

In a single copy operation, you can copy a User Group to one Organization and to multiple Projects.

Click Save.

The User Group and its members are copied to the selected Organization.

If you click Copy to project(s), the User Group is copied only to the selected projects and not the Organization.

Assigning Permissions Post-Provisioning

Permissions can be assigned manually or via the Harness API:

