# Okta SCIM

## Overview

Panther supports managing users via [System for Cross-domain Identity Management (SCIM)](https://scim.cloud/) with Okta. SCIM is a protocol designed to manage user identity between multiple systems (such as Panther and Okta) from a single location. This allows you to manage Panther roles, update profiles, and activate or deactivate users through Okta.

{% hint style="warning" %}
While Panther does not support user provisioning via SCIM, users *can* be automatically created using the [Okta SSO](https://docs.panther.com/system-configuration/saml/okta) integration via Just-In-Time (JIT) provisioning. This means that after a user is assigned the Panther application in Okta, they will be created in Panther at the time of their first Panther login. (SCIM provisioning would mean instead that the user is created in Panther by Okta proactively.)
{% endhint %}

### Supported SCIM features

SCIM can manage the following for existing Panther users:

* **Profile updates:** A user's given name, family name, email, and custom Panther role
* **User status**: Deactivate and reactivate existing users

### Limitations

**User provisioning:**

* Panther user profiles are created through JIT provisioning the first time they log into Panther via Okta SSO.
  * Panther does not support creating new users via SCIM.
* Importing existing users is not supported.
* You cannot update a user's profile in Okta before their first Panther login.

**User management:**

* Users can only be deactivated, not deleted. Okta does not perform DELETE operations on SCIM user objects. See [Okta's documentation](https://developer.okta.com/docs/api/openapi/okta-scim/guides/scim-20/#delete-users) for details.
* Only the `eq` operator is supported for SCIM queries.

**Groups and roles:**

* The `/Groups` SCIM endpoint is not supported.
* If a user belongs to multiple groups, attributes from the first assigned group take precedence.

{% hint style="warning" %}
When SCIM is enabled, changes made to users directly in the Panther Console will be overwritten during the next Okta sync.
{% endhint %}

### SCIM workflow

1. [Configure Okta SSO for Panther](https://docs.panther.com/system-configuration/saml/okta).
2. [Configure SCIM to Panther with Okta](#how-to-configure-scim-to-panther-with-okta).
3. [Assign users to the Panther application in Okta](#step-4-assign-users-and-groups-to-the-panther-application).
4. Users log in to Panther via Okta SSO, which creates their profile via JIT provisioning.
5. Okta SCIM manages profile updates, roles, and user status.

## How to configure SCIM to Panther with Okta

### Prerequisites

* You have already completed the steps in Panther's [Okta SSO](https://docs.panther.com/system-configuration/saml/okta) instructions.
* You are logged in to Panther with admin privileges.
* You are an administrator in your Okta account.

### Step 1: Create a new Panther API token

1. In the upper right corner of your Panther Console, click the gear icon. In the dropdown menu, click **API Tokens.**
2. On the API Tokens page, click **Create New Token.**
   * Provide a **Name**, such as `Panther-Okta-SCIM`.
   * Grant the token the ability to **Manage Users** (or `UserModify` if creating the token via API).
     * Note: **Read User Info** is an inherent permission from **Manage Users**.
3. Click **Create API Token**.
4. Copy the API token value and store it in a secure location. You will need it in the next steps.
   * You will not be shown this token again after closing this page.

### Step 2: Set up SCIM provisioning in your Panther Okta application

Note: [Okta SSO](https://docs.panther.com/system-configuration/saml/okta) must already be configured and enabled.

1. In your Okta account, navigate to the Panther application you created to enable SAML SSO.
2. Under **General Settings**, in the **Provisioning** field, click **SCIM**:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-190436257979943c144bd6f58afb69e83df48c52%2Fscim1.webp?alt=media" alt="A &#x22;General&#x22; tab is selected. Under an &#x22;App Settings&#x22; header, a &#x22;Provisioning&#x22; field, with its three radio button options, is circled." width="563"><figcaption></figcaption></figure>
3. Click the **Provisioning** tab, then on the left side, click **Integration**. In the upper right side of the page, click **Edit.**
4. Edit the configuration settings with the following values:

   * **Authentication Mode:** In the drop-down, select `HTTP Header`. After you select this, an **HTTP Header** section appears below.
     * **Authorization**: Paste the API token value you generated in Step 1.
   * **SCIM connector base URL**: Enter the **Tenant URL** from your Panther Console.
     * To get this value: In the Panther Console, navigate to the **General Settings** page and select the **Identity & Access** tab. The **Tenant URL** is in the **SCIM Provisioning Setup** section.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-04422fe4b9dcc0f40d1c12729962b1f34e3767f7%2FSCR-20241004-lpdc-2.png?alt=media" alt="Under a &#x22;SCIM Provisioning Setup&#x22; header, a section labeled &#x22;Copy Tenant URL to your identity provider&#x22; and a Tenant URL below it, are circled." width="563"><figcaption></figcaption></figure>

   * **Unique identifier field for users**: Enter the field that you use as a unique identifier for your users, such as `email`.
   * **Supported provisioning actions**: Select `Push Profile Updates`.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-69e91c8b7c0fe15565f585927ce5ff706dcf738d%2FPanther-SCIM-Okta-Settings.png?alt=media" alt="In Okta, the SCIM Connection form is filled out." width="563"><figcaption></figcaption></figure>

5. Click **Save**. Okta will verify the SCIM connection to Panther.
   * If an error occurs, verify the **SCIM connector base URL** value is the **Tenant URL** from your Panther Console, then try again a minute later. When using a new API token, it may take up to a minute for the token to become active.

### Step 3: Configure Okta to Panther settings

After verifying the SCIM connection in the previous step, a new page will appear in Okta to configure the settings to sync from Okta to Panther.

1. Click the **Provisioning** tab. On the left side, click **To App** and then click **Edit**.
2. Enable the options **Update User Attributes** and **Deactivate Users**:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-59e3a024181c22b7f67f5c9292371922d52ec0d4%2FPanther-SCIM-Okta-enable-settings.png?alt=media" alt="In Okta, the settings &#x22;Update User Attributes&#x22; and &#x22;Deactivate Users&#x22; are enabled." width="563"><figcaption></figcaption></figure>

### Step 4: Assign users and groups to the Panther application

{% hint style="warning" %}
**Note:** Newly assigned users must complete their first Panther login via Okta SSO before SCIM can manage their profiles.
{% endhint %}

If you have not already, assign Okta users and groups to the Panther application:

1. In Okta, click the **Assignments** tab.
2. Assign the Panther application to users and groups.
   * Users: Follow Okta's documentation for [instructions on assigning applications to users](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-assign-apps.htm).
   * Groups: Follow Okta's documentation for [instructions on assigning applications to groups](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-assign-app-group.htm).

### Step 5: (Optional) Set up Panther role management via SCIM

To manage Panther role assignments (e.g., Admin, ReadOnlyAnalyst, or one of your custom roles) in Okta, create a new attribute in the Panther User Profile in Okta with the name `PantherRole`.

Any value assigned to this attribute will sync to Panther. If the value is not a valid Panther role name, the sync returns an error and no part of that user's update is applied until a valid role name is provided.

1. On the **To App** settings page, scroll down to the **Panther Attribute Mappings** section. Click **Go to Profile Editor**.\
   ![Under "Panther Attribute Settings" in Okta, there is a button labeled "Go to profile editor."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-bbf8213445af56e071a6538b4a7c82d9f49b31df%2FScreenshot%202023-06-15%20at%202.33.48%20PM.png?alt=media)
2. On the **Profile Editor** page, click **Add Attribute**.
3. Use the following values for the new attribute. Any unlisted fields may remain unchanged.
   * **Data type**: `string`
   * **Display name**: `Panther Role`
   * **Variable name**: `pantherRole`
   * **External name**: `pantherRole`
   * **External namespace**: `urn:ietf:params:scim:schemas:core:2.0:User`
4. Click **Save**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9f98804317500730a622c1a2137219297e4158b9%2FScreenshot%202023-06-15%20at%202.40.16%20PM.png?alt=media" alt="The &#x22;Add attribute&#x22; form in Okta is filled out." width="338"><figcaption></figcaption></figure>

5. Configure an additional attribute statement for `PantherRole` (in addition to the three you already [configured during Okta SSO setup](https://docs.panther.com/system-configuration/saml/okta/..#step-2-create-the-panther-application-in-okta)). This will ensure that when a user logs into Panther via Okta SSO, the user's `PantherRole` will sync as a SAML assertion.
   1. In Okta, navigate to the **General** tab.
   2. In the **SAML Settings** section, click **Edit**.
   3. Under **Attribute Statements**, add a fourth attribute:
      * **Name**: `PantherRole`
      * **Value**: `appuser.pantherRole`
   4. Click **Continue**, then **Save**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3893aa6c8a3cd11c324454e8056e7dad8c934a41%2FScreenshot%202023-06-27%20at%2012.00.13%20PM.png?alt=media" alt="The Attribute Statements section of Okta is shown, with four attributes: PantherEmail, PantherFirstName, PantherLastName, and PantherRole" width="529"><figcaption></figcaption></figure>

6. Assign Panther roles to individuals or groups.

{% hint style="warning" %}
This step cannot be completed for a given user until they have completed a service-provider-initiated login (that is, a login started from Panther, which creates the user profile through JIT provisioning). If you attempt to update a user profile before this, you may see errors.
{% endhint %}

* When assigning a new group or user, a prompt will appear to define which Panther role to assign to the group.
* To modify an existing entity's Panther role, click the **Assignments** tab, edit the user or group, and modify the `Panther Role` field. If no `Panther Role` attribute is assigned, Panther will use the default SAML role you have selected in the Panther Console.

{% hint style="warning" %}
Panther role assignments made via SCIM will not be reflected in Panther until the affected user(s) re-authenticate to Panther Console via Okta. If the changes made in Okta are not showing as having synced to Panther, please wait a few minutes and try again.
{% endhint %}
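To make the constraints in the Limitations section and the `pantherRole` attribute from Step 5 concrete, here is an added Python sketch of a SCIM 2.0 service provider that behaves the way this page describes: `eq`-only filtering, a PATCH that rejects an unknown role without applying any part of the update, and deactivation via `active: false` instead of DELETE. It is illustrative code, not Panther's or Okta's implementation; the role set, the user store and the error texts are constructed.

```python
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Constructed sample role set; a real tenant has Admin, ReadOnlyAnalyst and its custom roles.
VALID_ROLES = {"Admin", "ReadOnlyAnalyst", "Analyst"}
# Constructed in-memory store; a user exists here only after JIT provisioning created it.
USERS = {
    "u-1": {"schemas": [SCIM_USER], "id": "u-1", "userName": "alice@example.com",
            "active": True, "pantherRole": "Analyst"},
}
FILTER_RE = re.compile(r'^(\w+) eq "([^"]*)"$')  # only `eq` on a top-level attribute

def scim_error(status, detail, scim_type=None):
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body

def list_users(filter_expr):
    """GET /Users?filter=...: Okta looks users up by the unique identifier field."""
    m = FILTER_RE.match(filter_expr.strip())
    if not m:
        return scim_error(400, "only the eq operator is supported", "invalidFilter")
    attr, value = m.groups()
    matches = [u for u in USERS.values() if u.get(attr) == value]
    return 200, {"schemas": [SCIM_LIST], "totalResults": len(matches), "Resources": matches}

def patch_user(user_id, operations):
    """PATCH /Users/{id}: validate every operation first, so a bad role leaves the user untouched."""
    user = USERS.get(user_id)
    if user is None:
        return scim_error(404, f"user {user_id} not found")
    pending = {}
    for op in operations:
        if op.get("op", "").lower() != "replace":
            return scim_error(400, f"unsupported op {op.get('op')!r}", "invalidValue")
        # Okta sends {"op": "replace", "value": {...}} or a path form; both flattened here.
        values = op["value"] if "path" not in op else {op["path"]: op["value"]}
        for attr, value in values.items():
            if attr == "pantherRole" and value not in VALID_ROLES:
                return scim_error(400, f"unknown Panther role {value!r}", "invalidValue")
            pending[attr] = value
    user.update(pending)  # commit only after all operations validated
    return 200, user

def delete_user(user_id):
    """DELETE /Users/{id}: not used by Okta; deactivation arrives as a PATCH setting active=false."""
    return scim_error(501, "users are deactivated via PATCH active=false, not deleted")
```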
