Overview
SCIM provisioning automates user and group management between Okta and ThingLink.
With SCIM provisioning, Okta can create users, update user details, deactivate users, create groups, and keep group memberships in sync in ThingLink.
SCIM provisioning does not manage how users sign in. User authentication is handled separately through Okta single sign-on, which should be configured before you set up SCIM. See Enabling Okta single sign-on for setup instructions.
Why use SCIM provisioning?
With SCIM provisioning, user access is managed from Okta instead of manually in ThingLink. This reduces manual account administration and helps keep user access and group membership in sync.
If you use Okta groups to manage access, you can also push these groups to ThingLink. This allows you to use ThingLink groups for sharing content with the right users automatically. See this article for more details.
How to set up SCIM provisioning
Prerequisites
Make sure that:
- You have already configured Okta single sign-on for your ThingLink organization.
- You have an administrator account in ThingLink.
- You have an Okta administrator account with permission to add applications and configure provisioning.
Step 1: Enable SCIM in ThingLink
In ThingLink, go to Organization > Integrations > SCIM provisioning.
Click Enable and configure.
Copy the Endpoint URL and the Secret token. You will need them later.
Step 2: Configure provisioning in Okta
Add the SCIM application in Okta
- In the Okta Admin Console, go to Applications > Applications.
- Click Browse App Catalog.
- Search for SCIM 2.0 Test App (OAuth Bearer Token).
- Select the application and click Add Integration.
Configure the general settings
Configure the general settings:
- Application label: Enter a descriptive name, such as ThingLink SCIM.
- Application visibility: Check the box to hide the application from users. This application is used for provisioning only. Users should access ThingLink through the Okta SSO application instead.
- Browser plugin auto-submit: Leave disabled.
- Click Next.
Configure sign-on options
This app will not be used for sign in, so the settings here should not affect how your users access ThingLink.
- Under Sign-On Options, select Secure Web Authentication.
- Select User sets username and password.
- The sign-on settings are not used for ThingLink SCIM provisioning. If Okta requires a Login URL, enter https://www.thinglink.com/login. Do not use the OIDC callback URL here.
- Leave the remaining sign-on settings (Credential Details) at their default values and finish creating the application.
Click Done to finalize the initial setup.
Configure API integration
- Open the ThingLink SCIM application in Okta.
- Go to Provisioning > Configure API Integration.
- Select Enable API Integration.
- Enter the following values:
  - SCIM 2.0 Base URL: Paste the Endpoint URL copied from ThingLink.
  - OAuth Bearer Token: Paste the Secret token copied from ThingLink.
- Leave Import Groups enabled.
- Click Test API Credentials. If the test succeeds, click Save.
Configure provisioning settings
- Go to Provisioning > To App and click Edit.
- Enable the following options:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Leave Sync Password disabled.
- Save the changes.
Review attribute mappings
- Under the same Provisioning tab > To App section, scroll down to the SCIM attribute mappings.
- ThingLink requires only the basic user attributes needed to identify and display users. Keep the following mappings enabled:
  - userName
  - displayName
  - Given Name
  - Family Name
- Remove any additional mappings unless your ThingLink contact has instructed otherwise.
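One way to check a provisioned payload against the four mappings above, as an added example (not ThingLink's or Okta's code): it flags every attribute in a SCIM 2.0 user resource that goes beyond userName, displayName, name.givenName and name.familyName. The sample payload is constructed, and the set of protocol fields treated as always allowed is an assumption.

```python
# Added example: audit a SCIM 2.0 user resource for attributes beyond the
# minimal mapping set this article keeps enabled.

# Attribute paths the article keeps mapped (SCIM core schema names).
ALLOWED = {"userName", "displayName", "name.givenName", "name.familyName"}
# Assumption: protocol-level fields that are present regardless of mappings.
PROTOCOL = {"schemas", "id", "externalId", "active", "meta"}


def flatten(obj, prefix=""):
    """Yield dotted attribute paths for every non-empty leaf in a resource."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        # Multi-valued attributes (emails, phoneNumbers) count once if non-empty.
        if obj:
            yield prefix
    elif obj not in (None, ""):
        yield prefix


def extra_attributes(resource):
    """Return sorted attribute paths that exceed the allowed mapping set."""
    extras = set()
    for path in flatten(resource):
        top = path.split(".", 1)[0]
        if top in PROTOCOL or path in ALLOWED:
            continue
        extras.add(path)
    return sorted(extras)


# Constructed sample of a user resource as a SCIM client might send it.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "pat@example.com",
    "displayName": "Pat Example",
    "name": {"givenName": "Pat", "familyName": "Example"},
    "active": True,
    "emails": [{"value": "pat@example.com", "primary": True}],
    "title": "Teacher",
    "phoneNumbers": [],
}

if __name__ == "__main__":
    for attr in extra_attributes(SAMPLE_USER):
        print(f"unexpected attribute mapped: {attr}")
```

Any path it reports corresponds to a mapping that should be removed in Okta unless your ThingLink contact has asked for it.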
Step 3: Assign users and groups
Assign users and groups
Go to the Assignments tab in the ThingLink SCIM application. Assign the users and groups that should be provisioned to ThingLink.
Assignments for the SCIM application are separate from assignments for the Okta SSO application. Assigning a user to the Okta SSO application allows them to sign in, but it does not automatically assign them to the SCIM application.
When a user is assigned to the SCIM application, Okta provisions the user to ThingLink. If a user is unassigned from the SCIM application, their ThingLink account is deactivated unless they are still assigned through another group or assignment.
Optional: Set up Push Groups
To create ThingLink groups and keep group memberships in sync, configure Push Groups in Okta:
- In the ThingLink SCIM application, go to Push Groups.
- Click Push Groups.
- Select the Okta group you want to push to ThingLink.
- Confirm the group name and save the push group configuration.
- Repeat this for each group that should be created and managed in ThingLink.
Assigning a group to the SCIM application provisions the users in that group. Push Groups are needed when you also want Okta to create the corresponding group in ThingLink and keep its membership in sync.
Push groups must be separate from assignment groups. Please see the pages below for more guidance from Okta:
- Okta Identity Engine: https://help.okta.com/oie/en-us/content/topics/users-groups-profiles/app-assignments-group-push.htm
- Okta Classic Engine: https://help.okta.com/en-us/content/topics/users-groups-profiles/app-assignments-group-push.htm
How provisioning works
Users
When a user is assigned to the ThingLink SCIM application in Okta, ThingLink creates a user account for them.
Provisioned accounts are created with the lowest access level available in your organization: Learner or Student, depending on your organization type and subscription. Provisioning different ThingLink roles through SCIM is not currently supported.
If a user is unassigned from the SCIM application, their ThingLink account is deactivated. Accounts are not fully deleted to help prevent content or data loss.
Groups
You can use Okta groups to manage assignment in bulk. In addition, Okta can push groups to ThingLink and keep their membership in sync.
Use Push Groups when you want ThingLink groups to be created and managed automatically based on Okta groups.
Troubleshooting
If provisioning does not work as expected:
- Check that the Endpoint URL and Secret token were copied correctly from ThingLink.
- Click Test API Credentials in Okta to confirm that Okta can connect to ThingLink.
- Check the provisioning settings under Provisioning > To App and confirm that Create Users, Update User Attributes, and Deactivate Users are enabled.
- Check the Okta provisioning logs for errors.
- Make sure the relevant users and groups are assigned to the SCIM application, not only to the Okta SSO application.
- Make sure Push Groups are configured if you expect groups and group memberships to appear in ThingLink.
If the issue continues, contact ThingLink support.
Limitations and notes
- SCIM provisioning and Okta single sign-on are configured separately.
- Role mapping is not currently supported. New users are provisioned with the lowest access level available in your organization.
- Make sure your ThingLink license has enough user capacity for the users you plan to provision.
- If a user already has an independent ThingLink account that is not connected to your license, SCIM provisioning may not move that account into your organization automatically. The user may need to be added or invited to your license first.