Instead of spending hours copying and updating users manually, you can configure Okta to automatically send user profile updates to Lattice using SCIM. The supported features include:

  1. Create Users: When a user is created or activated in Okta, they will automatically be created or reactivated in Lattice.
  2. Update User Attributes: When a user attribute is changed in Okta, the corresponding user in Lattice will automatically be updated.
  3. Deactivate Users: When a user is deactivated or disabled in Okta, the corresponding user in Lattice will automatically be deactivated.

Note that group provisioning and bulk User and Group imports are not supported at this time.

Configuring SCIM in Lattice

To enable SCIM for your company, you will first need to reach out to our Customer Care Team to turn this on. This process is typically completed within a few days.

Note that you will need to be an Admin in both Lattice and Okta to configure SCIM.

Once SCIM is enabled you will then want to create your API key.

Step 1: Log in to Lattice and navigate to the "Admin" tab:

Step 2: Using the sidebar on the left, navigate to the "API Keys" section under "Platform" → "Settings":

Here we'll create a key that gives Okta access to Lattice's SCIM service.

Step 3: Click the "Create new key" button:

You should then see your key appear below (redacted):

Step 4: Copy the API Key to your clipboard

Make sure you copy the exact value of this key (including all of the dashes) and store it somewhere secure. You will need this key in the next step when configuring SCIM in Okta.

Configure SCIM in Okta

Step 1: If you have not done so already, add the Lattice app to your list of Okta apps by clicking on "Add Apps" in the top right corner. From there, search for "Lattice".

Step 2: Configure the application in Okta. Remember to type in your Lattice subdomain in the settings.

Step 3: Once the Lattice App is selected, click on the "Provisioning" tab

Step 4: Under "Settings" on the left-hand side, click into "Integration"

Step 5: Click "Enable API Integration"

Step 6: Enter the API Key you created above into the "API Token" input.

Step 7: Click "Test API Credentials" to ensure that everything is working properly

Step 8: Save your settings

After your settings are saved, you're almost done! You will then want to configure which attributes Okta sends to Lattice.

Configure Base Attributes in Okta

You will now need to verify that the attribute mapping between Okta and Lattice is correct. This will ensure Lattice can get the correct data from Okta.

Step 1: In Okta, select the "Lattice" app

Step 2: Toggle over to the "Provisioning" tab

Step 3: Click into the "To App" tab on the left-hand side

Step 4: Scroll down until you see a table towards the bottom under the "Lattice Attribute Mappings" section

From here, make sure the following attributes are configured:

Note that whenever a user is created or updated in Okta, this table tells Okta how to source the value for a particular attribute. If these mappings are not configured correctly, you may notice that some attributes aren't syncing properly.

Configure Lattice-specific attributes in Okta

Lattice supports other user fields such as the start date for an employee, their birth date, and their gender. Since these are not included in the default mappings, you will have to link these fields manually. This can all be done through the profile editor.

Step 1: Within the "Provisioning" tab, scroll down and click on "Go to Profile Editor"

Step 2: If you don't already have attributes for start date, birth date, and gender, you can add new attributes by clicking "Add attribute"

Step 3: You will then see a form like this to enter your values (some example values have already been filled out). Don't forget to save your settings!

Once you add these attributes, you will then want to populate those values for your users by editing their profiles. Note that none of these additional values are required, but if you define them you must make sure they have the correct configuration:

Start Date

  1. Data type: string
  2. Variable name: startDate
  3. External name: startDate
  4. External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
  5. Attribute required: Not required (do not select).
  6. Scope: User Personal should be selected.

Birth Date

  1. Variable name: birthDate
  2. External name: birthDate
  3. External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
  4. Attribute required: Not required (do not select).
  5. Scope: User Personal should be selected.

Gender

  1. Variable name: gender
  2. External name: gender
  3. External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
  4. Attribute required: Not required (do not select).
  5. Scope: User Personal should be selected.

Additionally, for Gender, mark it as an "Enum" field with the following settings:

Well done! You have successfully configured Okta to provision users into Lattice. Note that in order for provisioning to apply to your users, you must assign your users to the Lattice SCIM app; otherwise, Okta won't know which users it should provision into Lattice.

Note: if users are already assigned to the app before provisioning is enabled, users will need to be re-added to Okta in order for it to automatically start syncing them to Lattice.

Important Things to Note

Emails

At this time, Lattice does not support case-sensitive emails. Please ensure that your users' emails are case-insensitive.
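
As an added illustration (not Lattice's or Okta's own code), this sketch builds the SCIM 2.0 User resource that results from the custom attribute settings above, with the Lattice fields nested under the extension namespace, and flags addresses that differ only by letter case, which is one reading of the email note. The profile field names, the `userName` mapping, the date format and all sample values are assumptions.

```python
from collections import defaultdict

# Extension namespace and external names exactly as listed on this page.
LATTICE_NS = "urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User"
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM 2.0 core (RFC 7643)
LATTICE_ATTRS = ("startDate", "birthDate", "gender")


def to_scim_user(profile):
    """Build a SCIM 2.0 User resource for one IdP profile (assumed field names)."""
    email = profile["email"]
    resource = {
        "schemas": [CORE_NS],
        "userName": email,  # assumption: the login is the email address
        "name": {"givenName": profile["firstName"],
                 "familyName": profile["lastName"]},
        "emails": [{"value": email, "primary": True}],
        "active": profile.get("active", True),  # False models a deactivated user
    }
    # The Lattice attributes are optional: send only those that are set, nested
    # under a key equal to the namespace URN, and declare that URN in "schemas".
    extension = {k: profile[k] for k in LATTICE_ATTRS if profile.get(k)}
    if extension:
        resource["schemas"].append(LATTICE_NS)
        resource[LATTICE_NS] = extension
    return resource


def email_case_collisions(profiles):
    """Return groups of email addresses that differ only by letter case."""
    seen = defaultdict(set)
    for p in profiles:
        seen[p["email"].casefold()].add(p["email"])
    return sorted(sorted(group) for group in seen.values() if len(group) > 1)


# Constructed sample profiles (not real users). The date format is an assumption
# and the gender value is a placeholder for whatever enum value you configured.
SAMPLE_PROFILES = [
    {"email": "ana.diaz@example.com", "firstName": "Ana", "lastName": "Diaz",
     "startDate": "2021-03-01", "gender": "female"},
    {"email": "Ana.Diaz@example.com", "firstName": "Ana", "lastName": "Diaz"},
    {"email": "li.wei@example.com", "firstName": "Li", "lastName": "Wei",
     "active": False},
]

if __name__ == "__main__":
    import json
    print(json.dumps(to_scim_user(SAMPLE_PROFILES[0]), indent=2))
    print("case collisions:", email_case_collisions(SAMPLE_PROFILES))
```

A mistyped namespace or external name in the Profile Editor changes the key these values are sent under, so comparing a payload like this against your configured mappings is a quick way to see why an attribute is not syncing.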

Profile URL

Lattice generates a profile URL based on the user's Lattice profile. Storing external profile URLs is not supported at this time.

Display Name

In Lattice, a user's display name is derived from their customized preferred name in Lattice, meaning that this field is not pulled in from Okta.
