Okta’s SCIM (System for Cross-domain Identity Management) integration allows you to automatically import users from Bob into Okta and update their details with any relevant changes.

Note: You have two options when implementing your Okta provisioning: use either the Okta API or Okta SCIM. See the Okta Provisioning Integration via API help center article for more details on API integration. We recommend consulting with your organization’s IT staff on which option best suits your organizational needs.

Features

The following provisioning features are supported:

  • Import New Users - When a new user is created in Bob, their details will be imported to Okta.
  • Import Profile Updates - When updates are made to any employee’s mapped fields, they will be imported into the user’s Okta profile.
  • Terminating users - When an employee is terminated, or on their last day at the company (whichever is earlier), the user will be deactivated in Okta.
  • Reactivate Users - When an employee is rehired, their account will be activated in Okta.
  • Passing and updating groups to Okta - Build and sync groups, using SCIM Groups.

 

Default field mapping

| HiBob | Okta |
| --- | --- |
| Employee id | id |
| Email | userName |
| First Name | name.givenName |
| Last Name | name.familyName |
| Middle Name | name.middleName |
| Prefix | name.honorificPrefix |
| Display Name | displayName |
| Email | emails.[idx].value |
| Job Title | title |
| Address Line 1 | addresses.[0].streetAddress |
| Address City | addresses.[0].locality |
| Address Postal Code | addresses.[0].postalCode |
| Address Country | addresses.[0].country |
| Full Address | addresses.[0].formatted |
| Work Phone | phoneNumbers.[idx].value |

To create additional or custom fields, see the Okta SCIM Custom Field Mapping guide.
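To check that an imported profile matches its source record, the default mapping can be turned into a drift audit. This is an added example, not code from Bob or Okta: the field names and attribute paths come from the table above, while the `resolve` and `audit` helpers, the `[idx]`-means-any-element reading, and the sample records are assumptions constructed for illustration.

```python
import re

# Bob field -> SCIM attribute path, copied from the default mapping table.
DEFAULT_MAPPING = [
    ("Employee id", "id"), ("Email", "userName"),
    ("First Name", "name.givenName"), ("Last Name", "name.familyName"),
    ("Middle Name", "name.middleName"), ("Prefix", "name.honorificPrefix"),
    ("Display Name", "displayName"), ("Email", "emails.[idx].value"),
    ("Job Title", "title"), ("Address Line 1", "addresses.[0].streetAddress"),
    ("Address City", "addresses.[0].locality"),
    ("Address Postal Code", "addresses.[0].postalCode"),
    ("Address Country", "addresses.[0].country"),
    ("Full Address", "addresses.[0].formatted"), ("Work Phone", "phoneNumbers.[idx].value"),
]

def resolve(resource, path):
    """Return all values at a table-style path; [idx] matches any list element."""
    nodes = [resource]
    for part in path.split("."):
        index = re.fullmatch(r"\[(\d+|idx)\]", part)
        found = []
        for node in nodes:
            if index and isinstance(node, list):
                if index.group(1) == "idx":
                    found.extend(node)
                elif int(index.group(1)) < len(node):
                    found.append(node[int(index.group(1))])
            elif not index and isinstance(node, dict) and part in node:
                found.append(node[part])
        nodes = found
    return nodes

def audit(bob_record, scim_user):
    """Return (field, path, expected, found) for each mapped Bob value that is
    missing from, or different in, the SCIM user resource."""
    drift = []
    for field, path in DEFAULT_MAPPING:
        expected = bob_record.get(field)
        if expected is not None and expected not in resolve(scim_user, path):
            drift.append((field, path, expected, resolve(scim_user, path)))
    return drift

# Constructed sample data (not real Bob or Okta output).
BOB = {"Employee id": "1001", "Email": "dana@example.com", "First Name": "Dana",
       "Job Title": "Analyst", "Address City": "Leeds", "Work Phone": "+1-555-0100"}
SCIM = {"id": "1001", "userName": "dana@example.com", "name": {"givenName": "Dana"},
        "emails": [{"value": "old@example.com"}, {"value": "dana@example.com"}],
        "title": "Senior Analyst", "addresses": [{"locality": "Leeds"}],
        "phoneNumbers": []}
```

Calling `audit(BOB, SCIM)` on the sample data reports the stale job title and the missing work phone, which is the kind of mismatch worth reviewing before relying on the imported profile for access decisions.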

Configuration in Bob

The first part of the integration includes three to five steps (steps 3 and 4 are optional), all to be completed within Bob.

Step 1: Create a service user

  1. From the left menu, select Settings > Integrations.
  2. Select Provisioning.
  3. In the Okta tile, click Connect.
  4. In the Okta screen, under Let’s integrate, click Connect.
  5. Select Using SCIM.


The Connect with Okta SCIM popup opens.

  1. Enter the desired Service User name and Display name - this will appear in the Okta connection settings.
  2. Click Next.
  3. An ID and Token will appear - copy them and save them in a secure location. You will enter them in Okta as the username and password for the API integration.
  4. Click Next.

The integration will be marked as configured and appear as Connected.

Step 2: Set service user permissions

  1. From the left menu, select Settings > Roles & Permissions.
  2. Select an existing group and click Manage group or click + Add another group.
  3. Under Manage Permissions, select the Other Employees tab.
  4. From the left column, click People.
  5. In the right column, click Lifecycle.
  6. Select View selected employees' lifecycle sections if it is not already marked with a ✓.

The user will appear in the Service users configuration table, with OKTA in the Used in column.

To view the Service users, from the left menu select Settings > Integrations and in the Service Users tile click Manage.

Note: This service user cannot be deleted unless Okta is disconnected.

Step 3: Provisioning settings (optional)

This is used to control when Okta can pull new user data from Bob.

By default the data is pulled on the employee’s official start date, but you can change this to X days before the start date. 

  1. From the left menu, select Settings > Integrations.
  2. Select Provisioning.
  3. In the Okta tile, click Manage.
  4. In the Settings section, under User creation timing, select a number of days before the start date.

Note: For this to work properly, you need to make a dedicated permission group for the audience which includes the condition Lifecycle status equals Hired.


Step 4: Employee groups (optional)

If necessary, you can create Okta groups directly from Bob. For full details, see Manage OKTA Scim groups.

Step 5: Data mapping

Data mapping is not configured on the Bob side as Okta pulls info from Bob.

For full details see Okta SCIM custom field mapping.

Configuration in Okta

Step 1: Enable the API in Okta

  1. Log into Okta as an Administrator.
  2. Search for and add the Bob application. For more information about how to add an application in Okta, see Access and customize app integrations in the Okta help center.
  3. Navigate to Provisioning > Integration > Configure API integration.
  4. Select Enable API Integration.
  5. In Username, enter the Bob service user ID.
  6. In Password, enter the Bob service user token.
  7. Click Save.
  8. Navigate to the Settings area.
  9. Click To Okta.
  10. In the General section, from the Okta username format dropdown select Email address.
  11. Click Save.

Step 2: Profile Mastering

Note: This may incur an additional cost from Okta.

  1. Navigate to Provisioning > To Okta.
  2. Under the Profile & Lifecycle Mastering section click Edit.
  3. Check the box next to Allow bob to master Okta users.
  4. If you would like to allow for automatic sync of reactivated users from Bob to Okta check the boxes next to Reactivate suspended Okta users and Reactivate deactivated Okta users.
  5. Press Save.

Tip: If Okta is unable to retrieve the users from Bob during the import process, there is a possibility that all the employees in Okta will be unassigned from the Bob app in Okta.

To prevent such a scenario you can use the Import safeguards feature in Okta that will stop the import if needed. For full details see Import Safeguards in the Okta help center.

FAQs

How do I remove the integration?

You can remove the integration at any time. In the Okta tile, click Manage and then Remove integration. In the Remove Okta Integration popup, type Remove and click Remove.

Is it possible to add mapping for Okta Provisioning for the address of the site or only when it is a part of the employee page?  

Yes, Bob does support passing the site address.

Can specific employees be excluded from the Okta SCIM provisioning? 

Yes. Because SCIM provisioning is built on service user permissions, employees can be excluded using the Applies to section of the permissions group. From the left menu, select Settings > Roles & Permissions. Click Manage on the relevant permissions group and, in the Applies to section, select either Select by condition or Select by name.