What Is SCIM?
SCIM, or System for Cross-domain Identity Management, is an open standard allowing for the automation of real-time user provisioning. Enabling SCIM provides real-time user management from Okta to Learning. This is a one-way relationship: data flows from Okta to Learning, not the other way around.
This guide provides the steps to configure user provisioning for Learning. It includes the following sections:
User Provisioning Updates
Create New Users: new users created in Okta are then created in Learning.
User Updates: updates made to a user's profile in Okta are updated in Learning
User Deactivation: deactivating a user or disabling the user's access to the Learning in Okta archives the user in Learning.
💡 Important Note: When deactivating a user this in turn archives the user in Learning, and removes the user's data from all reporting.
Reactivate Users: user accounts are reactivated in Learning when they are reactivated in Okta or added back to the group being synced.
Okta SCIM works by silently provisioning users. This feature automatically creates new users in Learning, but prevents Learning from sending a welcome email. When content is first assigned to users created via Okta, it will arrive as an email notification.
Please reach out to Learning Support for the proper credentials to begin setting up Okta SCIM. The Learning Support team will provide:
SCIM API Key
Configuration in Okta
Check Enable Provisioning.
Configure the attribute mappings following the table below. Required attributes include userName, givenName, familyName, and email.
Check Enable API Integration.
Enter the username and password provided by Learning Support.
Begin assigning users to the app (if necessary) and finish the application setup.
💡 Important Note: Because SCIM was built with Okta in mind, you must use its attributes. For Location, use the attribute costCenter, not the tag method. For Business Unit, use the attribute division.
Frequently Asked Questions
Q. Does SCIM support Learning's hire data attribute or custom fields?
A. No, but such information can be synced via standard Okta integration. Check out this article to learn more. Unlike SCIM, standard Okta doesn't sync in real time; it runs twice daily at 6:00 AM UTC and 3:00 PM UTC.
Q. Can I use SCIM to add Learning users to Okta?
A. Users can only be imported from Okta to Learning, not vice versa.
Q. Can I use Okta SCIM to define user roles in Learning?
A. Okta SCIM does not support the ability to define user roles. All users are imported as learners; their roles must be manually updated in Learning.
Q. I'm trying to bulk deactivate users in Okta, but de-provisioning isn't working correctly. I'm still seeing active accounts in Learning.
A. It's likely the case that these remaining accounts existed in Okta before the provisioning integration was created. That is, their data was not sent to Learning in such a way that Learning was able to assign them an external ID (as is does when the integration is in place). Okta accounts without a Learning external ID will fail to de-provision when the associated Okta account is deactivated.
Questions? Contact the Support team at firstname.lastname@example.org