The System for Cross-domain Identity Management (SCIM) standard enables administrators to manage user and group information across Okta and external applications.
SCIM updates from the IDP are instantly propagated. Instead of Avigilon Alta pulling updates every 15 minutes, SCIM immediately pushes new or updated information to the Alta platform.
When an Identity Provider (IDP) creates unique IDs for users, deleting and recreating a user in the IDP results in a new unique ID for that user. If you add the recreated user back into Avigilon Alta, the system will recognize them as a new user due to the new ID, even though the email address is the same. This can cause confusion, as it becomes unclear which version of the user is correct.
Note: SCIM 2.0 is supported and currently only works with the Okta Advanced app from Avigilon Alta Market Place.
Note:
If a user is manually inactivated in the Alta Access system, they will no longer sync through Okta.
The push now feature in Okta is not currently supported.
Okta Advanced app set up and configure
Go to http://control.openpath.com/login and sign in. To access the European Alta Access, go to
http://control.eu.openpath.com/login .Go to App marketplace > Get apps.
Click the Okta Advanced tile.
Click the + Get app Organization button.
Go to App marketplace > My apps.
Click the pencil icon to edit Okta Advanced
In Sync type, select SCIM.
Click the Generate auth token button and copy the token. Click Done.
You will need this token for the setup of SCIM in Okta in step 6.
After setting up SCIM in Okta, manually trigger the first sync in the Okta portal and then refresh the Access Groups or Roles page in Alta Access.
Enable the following settings, as needed:
Auto-create mobile credential - Creates a mobile credential for every user.
Auto-create cloud key credential - Creates a cloud key credential for every user.
Sync mobile phone numbers - Syncs the mobile phone number for every user. Phone numbers must
use E.164 format with a maximum of 15 digits: +[country code][subscriber number
including area code]Enable single sign-on (SSO) for users with portal access - Allows Okta super admin users to log in to the Avigilon Alta Access with their Okta credentials.
Enable single sign-on (SSO) for mobile app - Allows users to log in to the Openpath app using Okta
credentials.
If you have not created any Avigilon Alta access groups yet, please first create them in Users > Access groups
Use the Create access group mapping button to map your Okta groups to your Avigilon Access groups.
SCIM advanced mapping (optional)
Tip: Consider using the http://control.openpath.com/loginSSO or http://control.eu.openpath.com/loginSSO setup page to prevent users from trying a standard login.
Okta portal SCIM configuration
Follow these steps to set up the SCIM integration
In the left-hand menu, select Applications and then click Applications item.
Click Create App Integration, choose SAML 2.0, then click Next to complete the SAML setup workflow.
Go to the General tab, then select SCIM under Provisioning.
Switch to the Provisioning tab and click on Integration.
Enter the following SCIM Connection settings:
SCIM connector base URL: Enter the base URL for your organization (e.g.,
https://yourcompanyname/scim/v2/okta/).Configure the fields for the Unique identifier for users, Import New Users and Profile Updates, Push New Users and Profile Updates, and HTTP Header for Authentication Mode.
In the Authorization section, paste the token from Alta Access.
Test the connection configuration and click Save.
Switch back to your Okta Advanced app, continuing at #7 above.
SCIM advanced mapping
(Optional) Enable the Show advanced mapping toggle.
Use the JSON editor to create rules for HTTPS requests that map users from the identity provider to a specific group or all groups in Alta Access.
Examples:
Imagine you have created the following Access groups: "Engineering Group" (id 1) and "Engineering Manager Group" (id 2). Additionally, you have made the roles "Engineering Role" (id 3) and "Engineering Manager Role" (id 4).
Now, consider the following template rule you have set up.
{
type: "template",
"mappings": [
{
accessGroupTemplates: ["{{ department }} Group", "{{ department }} {{ role }} Group"],
roleTemplates: ["{{ department }} Role", "{{ department }} {{ role }} Role"]
}
]
}
The items within {{}} represent the keys from the incoming data source. These keys will be used to parse the data and attempt to match it with the Access group and role names you have already created.
For instance, consider the following SCIM data as it arrives.
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"id": "example-user",
"externalId": "example-user",
"userName": "exampleUserName",
"name": {
"formatted": "Example User",
"familyName": "User",
"givenName": "Example"
},
"emails": [
{
"value": "example.user@example.com",
"type": "work",
"primary": true
}
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"department": "Engineering",
"role": "Manager"
},
"meta": {
"resourceType": "User",
"created": "2024-06-10T08:24:12Z",
"lastModified": "2024-06-10T08:24:12Z",
"version": "W/\"3694e05e9dff591\""
}
}
This data includes a department key with the value Engineering. Behind the scenes, we would convert {{ department }} Group to Engineering Group and {{ department }} Role to Engineering Role. The user would be added to both since these group and role names already exist in your organization (as shown in the previous example).
Additionally, the user has the role of "Manager". Given that we have defined templates for "{{ department }} {{ role }} Group" and "{{ department }} {{ role }} Role", we would also generate Engineering Manager Group and Engineering Manager Role, which would map to the existing access groups and roles.
However, if the user's role were "Junior," they would not be added to the Engineering Manager Role/Group.
Here is an equivalent example but using a specific rule.
{
type: "specific",
"mappings": [
{
"conditions": [
{
"key": "department",
"value": "Engineering"
},
{
"key": "role",
"value": "Manager"
}
],
"destinations": [
{
"roleIds": [4] // Engineering Manager Role
"accessGroupIds": [3] // Engineering Manager Group
}
]
},
{
"conditions": [
{
"key": "department",
"value": "Engineering"
},
],
"destinations": [
{
"roleIds": [3] // Engineering Role
"accessGroupIds": [1] // Engineering Group
}
]
}
]
}
In the example above, we have two mappings, each with its own set of "conditions." The user data must match these conditions, and if it does, the user will be added to all roles and access groups specified in the roleIds and accessGroupIds arrays. It's crucial to emphasize that the user data must include all the key/value pairs defined in the conditions for this to happen.
For example, in our first mapping, the conditions are:
{
"key": "department",
"value": "Engineering"
},
{
"key": "role",
"value": "Manager"
}
This means that the incoming user data must include both "department": "Engineering" and "role": "Manager" for the user to be added to role ID 4 (Engineering Manager Role) and access group ID 3 (Engineering Manager Group). Additionally, in the second mapping, the user data only needs to include "department": "Engineering" for the user to be added to role ID 3 (Engineering Role) and access group ID 1 (Engineering Group).
Field | Format | Definition |
|---|---|---|
type | String | specific or template |
key | String | The user group in the identity provider system. |
value | String | The name of a user group in the identity provider system. |
mappings | String | destinations. |
destinations | String | roleIds, accessGroupIds, roleTemplates, or accessGroupTemplates predefined for an organization. |
roleIDs | String | The ID number of a role. |
accessGroupIds | String | The ID number of an access group. |
roleTemplates | String | The name of a role and the specified user group (key). |
accessGroupTemplates | String | The name of an access group and the specified user group (key). |
Note: To obtain ID numbers click the filter on the Users > Access groups and Roles pages to
show the hidden ID columns.
Add Comment