Skip to main content

Set Up SCIM With Okta

Jesse
  • Updated

How to configure Okta SCIM in Lattice

Instead of spending hours copying and updating users manually, Lattice allows you to automatically configure Okta to send user profile updates to Lattice using SCIM. The supported features include:

  1. Create Users: When a user is created or activated in Okta, they will automatically be created or reactivated in Lattice.
  2. Update User Attributes: When a user attribute is changed in Okta, the corresponding user in Lattice will automatically be updated.
  3. Deactivated Users: When a user is deactivated or disabled in Okta, the corresponding Lattice user will be deactivated.

Configure SCIM in Lattice

Note: You must be both an admin in Lattice and Okta to configure SCIM. If an IT admin in Lattice is configuring the integration. They must have a Lattice admin provide them with an API key they created to ensure the integration works.

  1. Navigate to Admin > Settings > Platform > API keys.
  2. Click Generate API Key.
  3. Copy the API Key to your clipboard. Note: Ensure you copy the exact value of this key (including all of the dashes) and store it somewhere secure. You will need this key in the next step when configuring SCIM in Okta.

Configure SCIM in Okta

  1. If you have not done so already, add the Lattice app to your list of Okta apps by going to Applications > Applications > click Browse App Catalog.
  2. Search for Lattice > click Add Integration.
  3. Remember to type in your Lattice subdomain in the settings > click Done.
  4. In the Lattice App that you just added, go to the Provisioning tab.
  5. Under Settings on the left, click Integration > Enable API Integration.
  6. Enter the API Key you created above into the API Token input.
  7. Click Test API Credentials to ensure that everything is working correctly.
  8. Save.

Configure Base Attributes in Okta

You must verify that the attribute mapping between Okta and Lattice is correct. This will ensure Lattice can get the correct data from Okta.

  1. In Okta, select the Lattice app > Provisioning.
  2. Click into the To App tab on the left-hand side.
  3. Scroll down until you see a table towards the bottom under the Lattice Attribute Mappings section. On this page, you'll see the default attribute configurations.
  4. Click the pencil icon to the right to change the mapping for any of these attributes. A popup will appear with a dropdown giving options of Okta fields to map to this Lattice field.
  5. Click View unmapped fields and either add a mapping or remove these unmapped fields from the profile entirely. 
  6. Choose the field from Okta you want to sync into Lattice and click Save

Whenever a user is created or updated in Okta, this table tells Okta how to source the value for a particular attribute. If these mappings are not configured correctly, you may notice that some attributes aren't syncing properly.

Configure Custom Attributes

Custom attributes created in Lattice can also be updated via Okta SCIM. To add additional custom attributes:

  1.  Within the Provisioning tab, scroll down and click on Go to Profile Editor.
  2. If you don't already have attributes for the field you want to sync, you can add new attributes by clicking Add attribute.
  3. You will then see a form to enter your values. The variable name and external name should match the name given to the attribute in Lattice, converted to camelCase. For example, a custom attribute called "Home Office" should have the following settings configured in Okta:
    • Variable name: homeOffice
    • External name: homeOffice
    • External namespace: urn:ietf:params:scim:schemas:extension:lattice:attributes:1.0:User
    • Attribute required: Not required (do not select).
    • Scope: User Personal should be selected.
  4. Save.

You have successfully configured Okta to provision users into Lattice. You must assign your users to the Lattice SCIM app; otherwise, Okta won't know which users to provision into Lattice.

Note: If users are already assigned to the Lattice app before provisioning is enabled, users will need to be unassigned the Lattice app within Okta and then reassigned for it to automatically start syncing them to Lattice.

Important to Note

Emails

Lattice does not support case-sensitive emails. Ensure that your users' emails are case-insensitive. For example: "ALICE@yourcompany.com" is treated as being equal to "alice@yourcompany.com".

Profile URL

Lattice generates a profile URL based on the user's Lattice profile. Storing external profile URLs is not supported at this time.

Display Name

If the user is created from Okta, the display name will be pulled from the user's full name. If they have a nickname in Okta, the display name will be the nickname + last name. Subsequent Okta syncs will never update the display name anymore. 

If the user is already created in Lattice before Okta sync, the display name will never be updated from Okta. Learn more about employees' Lattice Display Name.

Lattice Groups

You are not able to assign users to Lattice groups using SCIM.

Building your Org Chart

If you are looking to build out your org chart using Okta, be sure that the managerID value is the manager's email address

Okta Profile Push

Okta does not support partial profile push. During a profile update, Okta pushes the app user's full profile, including attributes that are set to Apply mapping on user create only and Do Not map. For example, if your sync includes Gender on the list of attributes, and you do not assign a Gender value for your employees, their existing Gender in Lattice will be wiped in a subsequent Okta sync.

For more information, please reference Okta's help center article.

Related articles