Okta SCIM

Configure SCIM provisioning to Panther using Okta

Overview

Panther supports managing users via System for Cross-domain Identity Management (SCIM) provisioning with Okta. SCIM is a protocol designed to manage user identity between multiple systems (such as Panther and Okta) from a single location. This allows you to manage Panther roles, update profiles, and activate or deactivate users through Okta.

Among additional limitations, take note that:

It is not possible to provision users through Panther SCIM.
It is not possible to update a user's profile in Okta before the user has completed a service provider (Panther)-initiated login. This step creates the user profile using Just In Time (JIT) provisioning.

Supported SCIM features

Update user profiles
- It's possible to update a user's given name, family name, email, and custom Panther role
Deactivate and reactivate existing users

Limitations

Provisioning (creating or importing) users is not supported. User profiles are instead created through JIT provisioning the first time a user completes a service provider (Panther)-initiated login.
It's not possible to update a user's profile in Okta before they've completed a service provider (Panther)-initiated login for the first time.
Of the available SCIM operators, Panther SCIM supports only the eq operator.
Users can only be deactivated, never deleted.
- Okta does not perform DELETE operations on user objects in a SCIM application. See Okta's reference guide for more information.
If a user is a member of multiple groups, the attributes from the group assigned first will be used.
The /Groups SCIM endpoint is not supported.
When SCIM is enabled, any changes you make to users via the Panther Console will be overwritten the next time your Okta SCIM setup syncs to Panther.

How to configure SCIM to Panther with Okta

Prerequisites

You have already completed the steps in Panther's Okta SSO instructions.
You are logged in to Panther with admin privileges.
You are an administrator in your Okta account.

Step 1: Create a new Panther API token

In the upper right corner of your Panther Console, click the gear icon. In the dropdown menu, click API Tokens.
On the API Tokens page, click Create New Token.
- Provide a Name, such as Panther-Okta-SCIM.
- Grant the token the ability to Manage Users (or UserModify if creating the token via API).
  - Note: Read User Info is an inherent permission from Manage Users.
Click Create API Token.
Copy the API token value and store it in a secure location. You will need it in the next steps.
- You will not be shown this token again after closing this page.

Step 2: Set up SCIM provisioning in your Panther Okta application

Note: Okta SSO must already be configured and enabled.

In your Okta account, navigate to the Panther application you created to enable SAML SSO.
Under General Settings, in the Provisioning field, click SCIM:
Click the Provisioning tab, then on the left side, click Integration. In the upper right side of the page, click Edit.
Edit the configuration settings with the following values:
- Authentication Mode: In the drop-down, select HTTP Header. After you select this, an HTTP Header section appears below.
  - Authorization: Paste the API token value you generated in Step 1.
- SCIM connector base URL: Enter the Tenant URL from your Panther Console.
  - To get this value: In the Panther Console, navigate to the General Settings page and select the Identity & Access tab. The Tenant URL is in the SCIM Provisioning Setup section.
- Unique identifier field for users: Enter the field that you use as a unique identifier for your users, such as email.
- Supported provisioning actions: Select Push Profile Updates.

Click Save. Okta will verify the SCIM connection to Panther.
- If an error occurs, verify the SCIM connector base URL value is the Tenant URL from your Panther Console, then try again a minute later. When using a new API token, it may take up to a minute for the token to become active.

Step 3: Configure Okta to Panther settings

After verifying the SCIM connection in the previous step, a new page will appear in Okta to configure the settings to sync from Okta to Panther.

Click the Provisioning tab. On the left side, click To App and then click Edit.
Enable the options Update User Attributes and Deactivate Users:

Step 4: Assign users and groups to the Panther application

If you have not already, assign Okta users and groups to the Panther application:
1. In Okta, click the Assignments tab.
2. Assign the Panther application to users and groups.
  - Users: Follow Okta's documentation for instructions on assigning applications to users.
  - Groups: Follow Okta's documentation for instructions on assigning applications to groups.

Step 5: (Optional) Set up Panther role management via SCIM

To manage Panther role assignments (e.g., Admin, ReadOnlyAnalyst, or one of your custom roles) in Okta, create a new attribute in the Panther User Profile in Okta with the name PantherRole.

Any values assigned to this role will sync to Panther. If you do not provide a valid role name, an error will occur and no user update will occur until a valid role name is provided.

On the To App settings page, scroll down to the Panther Attribute Mappings section. Click Go to Profile Editor.
On the Profile Editor page, click Add Attribute.
Use the following values for the new attribute. Any unlisted fields may remain unchanged.
- Data type: string
- Display name: Panther Role
- Variable name: pantherRole
- External name: pantherRole
- External namespace: urn:ietf:params:scim:schemas:core:2.0:User
Click Save.

Configure an additional attribute statement for PantherRole (in addition to the three you already configured during Okta SSO setup). This will ensure that when a user logs into Panther via Okta SSO, the user's PantherRole will sync as a SAML assertion.
1. In Okta, navigate to the General tab.
2. In the SAML Settings section, click Edit.
3. Under Attribute Statements, add a fourth attribute:
  - Name: PantherRole
  - Value: appuser.pantherRole
4. Click Continue, then Save.

Assign individuals or groups Panther roles.
This step may not be completed for a given user until they have completed a service provider (Panther)-initiated login (which creates the user profile using JIT provisioning). If you attempt to update a user profile before this, you may see errors.
- When assigning a new group or user, a prompt will appear to define which Panther role to assign to the group.
- To modify an existing entity's Panther role, click the Assignments tab, edit the user or group, and modify the Panther Role field. If no Panther Role attribute is assigned, Panther will use the default SAML role you have selected in the Panther Console.

Panther role assignments made via SCIM will not be reflected in Panther until the affected user(s) re-authenticate to Panther Console via Okta. If the changes made in Okta are not showing as having synced to Panther, please wait a few minutes and try again.

PreviousOkta SSO NextOneLogin SSO

Last updated 1 month ago