How to configure Okta SCIM in Lattice
Instead of spending hours copying and updating users manually, Lattice allows you to configure Okta to automatically send user profile updates to Lattice using SCIM. The supported features include:
- Create Users: When a user is created or activated in Okta, they will automatically be created or reactivated in Lattice.
- Update User Attributes: When a user attribute is changed in Okta, the corresponding user in Lattice will automatically be updated.
- Deactivated Users: When a user is deactivated or disabled in Okta, the corresponding Lattice user will be deactivated.
Configure SCIM in Lattice
Note: You must be an admin in both Lattice and Okta to configure SCIM. If an IT admin who is not a Lattice admin is configuring the integration, they must have a Lattice admin generate an API key and provide it to them to ensure the integration works.
- Navigate to Admin > Settings > Platform > API keys.
- Click Generate API Key.
- Copy the API Key to your clipboard. Note: Ensure you copy the exact value of this key (including all of the dashes) and store it somewhere secure. You will need this key in the next step when configuring SCIM in Okta.
Configure SCIM in Okta
- If you have not done so already, add the Lattice app to your list of Okta apps by going to Applications > Applications > click Browse App Catalog.
- Search for Lattice > click Add Integration.
- Remember to type in your Lattice subdomain in the settings > click Done.
- In the Lattice App that you just added, go to the Provisioning tab.
- Under Settings on the left, click Integration > Enable API Integration.
- Enter the API Key you created above into the API Token input.
- Click Test API Credentials to ensure that everything is working correctly.
- Save.
Configure Base Attributes in Okta
You must verify that the attribute mapping between Okta and Lattice is correct. This will ensure Lattice can get the correct data from Okta.
- In Okta, select the Lattice app > Provisioning.
- Click into the To App tab on the left-hand side.
- Scroll down until you see a table towards the bottom under the Lattice Attribute Mappings section. On this page, you'll see the default attribute configurations.
- Click the pencil icon to the right to change the mapping for any of these attributes. A popup will appear with a dropdown giving options of Okta fields to map to this Lattice field.
- Choose the field from Okta you want to sync into Lattice and click Save.
Whenever a user is created or updated in Okta, this table tells Okta how to source the value for a particular attribute. If these mappings are not configured correctly, you may notice that some attributes aren't syncing properly.
Configure Lattice-specific attributes in Okta
Lattice supports other user fields such as an employee's start date, birth date, and gender. Since these are not included in the default mappings, you must manually link these fields. This can all be done through the profile editor.
Note: Okta allows you to add any custom attribute (although start date, birth date, and gender are common) to Lattice following the steps below. However, all default fields must be set up for the sync to work correctly.
- Within the Provisioning tab, scroll down and click on Go to Profile Editor.
- If you don't already have attributes for start date, birth date, and gender, you can add new attributes by clicking Add attribute.
- You will then see a form to enter your values.
- Save.
Once you add these attributes, you must populate those values for your users by editing their profiles. Note that none of these additional values are required, but if you define them, you must make sure they have the correct configuration:
Start Date
- Data type: string
- Variable name: startDate
- External name: startDate
- External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
- Attribute required: Not required (do not select).
- Scope: User Personal should be selected.
Birth Date
- Variable name: birthDate
- External name: birthDate
- External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
- Attribute required: Not required (do not select).
- Scope: User Personal should be selected.
Gender
- Variable name: gender
- External name: gender
- External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
- Attribute required: Not required (do not select).
- Scope: User Personal should be selected.
For Gender, mark it as an Enum field with the following settings for Attribute members:
Display name | Value
Male         | male
Female       | female
Non-Binary   | non_binary
Other Custom Attributes
Custom attributes created in Lattice can also be updated via Okta SCIM. The variable name and external name should match the name given to the attribute in Lattice, converted to camelCase. For example, a custom attribute called "Home Office" should have the following settings configured in Okta:
- Variable name: homeOffice
- External name: homeOffice
- External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
- Attribute required: Not required (do not select).
- Scope: User Personal should be selected.
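The following is an added example, not code from Lattice or Okta. It turns a Lattice attribute name into the camelCase variable/external name the steps above require, assembles the profile-editor settings for it, and checks a SCIM User payload for the mistakes these sections warn about: the extension namespace missing from `schemas`, an attribute name that is not camelCase, or a gender value that is a display name rather than one of the enum values. The payload shape (extension attributes nested under a key equal to the namespace URN) follows the SCIM 2.0 convention and is an assumption here; the page does not show a payload.

```python
"""Added example: derive Okta attribute settings for Lattice attributes and
validate a SCIM User payload that carries them under the Lattice extension
namespace. The namespace and enum values come from the Lattice instructions;
the payload layout is the generic SCIM 2.0 extension convention (assumed)."""

import re

LATTICE_EXT = "urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User"
SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Enum values for the gender attribute, exactly as listed in the instructions.
GENDER_VALUES = {"male", "female", "non_binary"}

# A SCIM extension attribute name as the instructions require it: camelCase.
CAMEL_CASE = re.compile(r"[a-z][A-Za-z0-9]*")


def to_camel_case(name: str) -> str:
    """Convert a Lattice attribute name such as "Home Office" to "homeOffice"."""
    words = re.findall(r"[A-Za-z0-9]+", name)
    if not words:
        raise ValueError("attribute name has no alphanumeric characters")
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def okta_attribute_definition(lattice_name: str, enum_values=None) -> dict:
    """Return the settings to enter in the Okta profile editor for one
    Lattice attribute. Key names are this example's own, not Okta's API."""
    var = to_camel_case(lattice_name)
    definition = {
        "variableName": var,
        "externalName": var,  # external name must equal the variable name
        "externalNamespace": LATTICE_EXT,
        "required": False,  # "Attribute required" is left unchecked
        "scope": "User personal",
    }
    if enum_values is not None:
        # Enum "Value" column; the display names are not sent over SCIM.
        definition["enum"] = sorted(enum_values)
    return definition


def validate_scim_user(user: dict) -> list:
    """Check a SCIM User resource for the configuration mistakes called out
    above. Returns human-readable problems; an empty list means it looks right."""
    problems = []
    if LATTICE_EXT not in user.get("schemas", []):
        problems.append(f"schemas does not list {LATTICE_EXT}")
    ext = user.get(LATTICE_EXT, {})
    for key in ext:
        if not CAMEL_CASE.fullmatch(key):
            problems.append(f"extension attribute {key!r} is not camelCase")
    gender = ext.get("gender")
    if gender is not None and gender not in GENDER_VALUES:
        problems.append(
            f"gender {gender!r} is not one of {sorted(GENDER_VALUES)} "
            "(the enum Value, not the Display name, is what SCIM carries)"
        )
    return problems


# Constructed sample payload, not captured traffic.
SAMPLE_USER = {
    "schemas": [SCIM_CORE_USER, LATTICE_EXT],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Example"},
    LATTICE_EXT: {
        "startDate": "2021-03-01",
        "birthDate": "1990-06-15",
        "gender": "female",
        "homeOffice": "Berlin",  # custom attribute "Home Office"
    },
}


if __name__ == "__main__":
    print(okta_attribute_definition("Home Office"))
    print(okta_attribute_definition("Gender", GENDER_VALUES))
    print("problems:", validate_scim_user(SAMPLE_USER))
```

Running the validator over a payload whose gender is `"Female"` or whose custom attribute is named `home_office` reports each of those as a problem, which is the same mismatch that shows up in Okta as an attribute silently failing to sync.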
You have successfully configured Okta to provision users into Lattice. You must assign your users to the Lattice SCIM app; otherwise, Okta won't know which users to provision into Lattice.
Note: If users are already assigned to the Lattice app before provisioning is enabled, users will need to be unassigned the Lattice app within Okta and then reassigned for it to automatically start syncing them to Lattice.
Important to Note
Emails
Lattice does not support case-sensitive emails: addresses are compared case-insensitively, so do not rely on letter case to distinguish users. For example, "ALICE@yourcompany.com" is treated as being equal to "alice@yourcompany.com".
Profile URL
Lattice generates a profile URL based on the user's Lattice profile. Storing external profile URLs is not supported at this time.
Display Name
If the user is created from Okta, the display name will be pulled from the user's full name. If they have a nickname in Okta, the display name will be the nickname + last name. Subsequent Okta syncs will not update the display name.
If the user is already created in Lattice before Okta sync, the display name will never be updated from Okta. Learn more about employees' Lattice Display Name.
Lattice Groups
You are not able to assign users to Lattice groups using SCIM.
Building your Org Chart
If you are looking to build out your org chart using Okta, be sure that the managerID value is the manager's email address.
Okta Profile Push
Okta does not support partial profile push. During a profile update, Okta pushes the app user's full profile, including attributes that are set to Apply mapping on user create only and Do Not map. For example, if you add the custom attributes above (Start Date, Birth Date, Gender) but do not populate them for your employees, any values Lattice already holds for those attributes will be wiped in a subsequent Okta sync.
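As an added example (not Lattice's or Okta's code), the check below predicts which existing Lattice values a full profile push would clear: it matches users by case-insensitive email, as the Emails section above describes, and lists every Lattice-specific attribute that has a value in Lattice but is absent or empty in the pushed Okta profile. The record layouts and sample users are constructed for the example; the only names taken from the page are the extension namespace and the three attribute names.

```python
"""Added example: report Lattice attribute values that a full Okta profile
push would overwrite with nothing. Record shapes are constructed for this
example and are not Lattice's or Okta's real data model."""

LATTICE_EXT = "urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User"

# The Lattice-specific attributes from the instructions above.
TRACKED = ("startDate", "birthDate", "gender")


def normalize_email(addr: str) -> str:
    """Lattice compares emails case-insensitively, so match on a normalized form."""
    return addr.strip().lower()


def is_empty(value) -> bool:
    return value is None or value == ""


def attributes_wiped_by_push(lattice_users, okta_pushes) -> dict:
    """Return {email: [attribute, ...]} for every tracked attribute that is set
    in Lattice but missing or empty in the full profile Okta would push.

    lattice_users: constructed records, one dict per user with an "email" key
                   and the tracked attributes at top level.
    okta_pushes:   SCIM User payloads with the extension attributes nested
                   under the LATTICE_EXT key (SCIM 2.0 convention, assumed).
    """
    by_email = {normalize_email(u["email"]): u for u in lattice_users}
    wiped = {}
    for push in okta_pushes:
        email = normalize_email(push["userName"])
        current = by_email.get(email)
        if current is None:
            continue  # user does not exist in Lattice yet; nothing to lose
        incoming = push.get(LATTICE_EXT, {})
        lost = [
            attr for attr in TRACKED
            if not is_empty(current.get(attr)) and is_empty(incoming.get(attr))
        ]
        if lost:
            wiped[email] = lost
    return wiped


# Constructed sample data: what Lattice holds today ...
LATTICE_USERS = [
    {"email": "alice@example.com", "startDate": "2021-03-01",
     "birthDate": "1990-06-15", "gender": "female"},
    {"email": "bob@example.com", "startDate": "2019-11-11",
     "birthDate": "", "gender": "male"},
]

# ... and the full profiles Okta would push. Alice's birthDate and gender were
# never populated in Okta; the differing email case is deliberate.
OKTA_PUSHES = [
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", LATTICE_EXT],
     "userName": "ALICE@example.com",
     LATTICE_EXT: {"startDate": "2021-03-01"}},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", LATTICE_EXT],
     "userName": "bob@example.com",
     LATTICE_EXT: {"startDate": "2019-11-11", "gender": "male"}},
]


if __name__ == "__main__":
    for email, attrs in attributes_wiped_by_push(LATTICE_USERS, OKTA_PUSHES).items():
        print(f"{email}: would lose {', '.join(attrs)}")
```

Bob loses nothing because his empty Lattice birthDate has no value to wipe; Alice loses birthDate and gender even though Okta never "changed" them, which is exactly the behaviour this section describes. Populating those attributes in Okta before enabling the push is the remedy.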
For more information, please reference Okta's help center article.