# Okta SCIM (Beta)

{% hint style="info" %}
Okta SCIM provisioning is in open beta starting with Panther version 1.75 and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## Overview

Panther supports managing users via System for Cross-domain Identity Management (SCIM) provisioning with Okta. SCIM is a standard designed to manage user identity between multiple systems (such as Panther and Okta) from a single location. This allows you to manage Panther roles, update profiles, and activate or deactivate users through Okta.

### Supported SCIM Features

* Update user profiles
  * Given name, family name, email, custom Panther role
* Activate and deactivate users

### Limitations

Note the following limitations:

* Panther SCIM only supports the `eq` filter operation.
* Users are only `deactivated`, never deleted.
* If a user is a member of multiple Groups, the attributes from the group assigned first will be used.
* The `/Groups` SCIM endpoint is not supported.
* Create / Import `Users` is not supported, as `User` profiles are created through SAML SSO the first time a `User` logs in to the Panther Console. If you change a user's profile before they have logged in for the first time, you may see an error in Okta.
* When SCIM is enabled, any changes you make to users via the Panther Console will be overwritten the next time your Okta SCIM setup syncs to Panther.

## How to configure SCIM to Panther with Okta

### Prerequisites

* [Okta SSO](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/system-configuration/saml/okta) must be enabled.
* You must be logged in to Panther with admin privileges.
* You must be an administrator in your Okta account.

### Step 1: Create a new Panther API Token

1. In the upper right corner of your Panther Console, click the gear icon. In the dropdown menu, click **API Tokens.**
2. On the API Tokens page, click **Create New Token.**
   * Provide a **Name**, such as `Panther-Okta-SCIM`.
   * Grant the token the ability to **Manage Users** (or `UserModify` if creating the token via API).
     * Note: **Read User Info** is an inherent permission from **Manage Users**.
3. Click **Create API Token**.
4. Copy the API token value and store it in a secure location. You will need it in the next steps.
   * You will not be shown this token again after closing this page.

### Step 2: Set up SCIM Provisioning in your Panther Okta application

Note: [Okta SSO](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/system-configuration/saml/okta) must already be configured and enabled.

1. In your Okta account, navigate to the Panther application you created to enable SAML SSO.
2. Under **General Settings**, enable the SCIM Provisioning app setting:

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F2pQ4Gez2r1A5bUvgBYeN%2FScreenshot%202023-06-16%20at%2012.02.54%20PM.png?alt=media&#x26;token=d9a68725-9b4e-4244-8f41-d1f46a05e27c" alt="In the Okta Panther app&#x27;s general settings, SCIM provisioning is enabled." width="563"><figcaption></figcaption></figure>

3. Click the **Provisioning** tab, then on the left side, click **Integration**. In the upper right side of the page, click **Edit.**
4. Edit the configuration settings with the following values:
   * **Authentication Mode:** In the drop-down, select `HTTP Header`. After you select this, an "HTTP Header" section appears below.
     * **Authorization**: Paste the API Token value you generated in Step 1.
   * **SCIM connector base URL**: Enter the Tenant URL from your Panther Console.
     * To get this value: In the Panther Console, navigate to the **General Settings** page and select the **Identity & Access** tab. The **Tenant URL** is in the SCIM Provisioning Setup section.
   * **Unique identifier field for users**: Enter the field that you use as a unique identifier for your users, such as `email`.
   * **Supported provisioning actions**: Select `Push Profile Updates`.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FJhJX4AnqhVm70d7fN1k1%2FPanther-SCIM-Okta-Settings.png?alt=media&#x26;token=929840ad-6156-46cc-9f69-d6ebb9c8be3e" alt="In Okta, the SCIM Connection form is filled out." width="563"><figcaption></figcaption></figure>

5. Click **Save**. Okta will verify the SCIM connection to Panther.
   * If an error occurs, verify the **SCIM connection URL** value is the **Tenant URL** from your Panther Console, then try again a minute later. When using a new API token, it may take up to a minute for the token to become active.

### Step 3: Configure Okta to Panther Settings

After verifying the SCIM connection in the previous step, a new page will appear in Okta to configure the settings to sync from Okta to Panther.

1. Click the **Provisioning** tab. On the left side, click **To App** and then click **Edit**.
2. Enable the options **Update User Attributes** and **Deactivate Users**:<br>

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FbKXYT2rlTi6VYcVPrHBx%2FPanther-SCIM-Okta-enable-settings.png?alt=media&#x26;token=1fe45fee-ab5c-49d1-9adb-cf6f9ddb2230" alt="In Okta, the settings up &#x22;Update User Attributes&#x22; and &#x22;Deactivate Users&#x22; are enabled." width="563"><figcaption></figcaption></figure>
3. If you want to configure settings to automatically assign Panther roles, go to the next section. Otherwise, click **Save** and move on to [Step 4: Assign users to Panther](#step-4-assign-users-to-panther).

#### Optional: Automatically assign a Panther role

To automatically assign a Panther role (e.g., Admin, ReadOnlyAnalyst, or one of your custom roles) to a user, create a new attribute in the Panther User Profile in Okta with the name `PantherRole`. This attribute can also be used as an Attribute Statement for SAML assertion when configuring SSO (see step 5 below).

Any value assigned to this attribute will sync to Panther. If the value is not a valid Panther role name, Okta will report an error and no update will be applied to that user until a valid role name is provided.

1. On the **To App** settings page, scroll down to the **Panther Attribute Mappings** section. Click **Go to Profile Editor**.\
   ![Under "Panther Attribute Settings" in Okta, there is a button labeled "Go to profile editor."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FNJXmKtKu768ku2uBTw4c%2FScreenshot%202023-06-15%20at%202.33.48%20PM.png?alt=media\&token=17cea569-dde5-4e41-a01d-9c420b8bd2fd)
2. On the **Profile Editor** page, click **Add Attribute**.
3. Use the following values for the new attribute. Any unlisted fields may remain unchanged.
   * **Data type**: `string`
   * **Display name**: `Panther Role`
   * **Variable name**: `pantherRole`
   * **External name**: `pantherRole`
   * **External namespace**: `urn:ietf:params:scim:schemas:core:2.0:User`
4. Click **Save**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FsNOLv4a4An5w2dTIsl7c%2FScreenshot%202023-06-15%20at%202.40.16%20PM.png?alt=media&#x26;token=886490d4-09ac-44a6-b926-e17297f214f4" alt="The &#x22;Add attribute&#x22; form in Okta is filled out." width="338"><figcaption></figcaption></figure>

5. While it is not required, we recommend you configure an additional attribute statement for `PantherRole` (in addition to the [three you already configured during Okta SSO setup](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/system-configuration/saml/okta/..#create-the-okta-app)). This will ensure that when a user logs into Panther via Okta SSO, the user's `PantherRole` will sync as a SAML assertion.
   1. In Okta, navigate to the **General** tab.
   2. In the **SAML Settings** section, click **Edit**.
   3. Under **Attribute Statements**, add a fourth attribute:
      * **Name**: `PantherRole`
      * **Value**: `appuser.pantherRole`
   4. Click **Continue**, then **Save**.

<figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FAEWpu7fyd7KpnWR7kE7T%2FScreenshot%202023-06-27%20at%2012.00.13%20PM.png?alt=media&#x26;token=8770eb5a-faa4-4b3c-85f0-70da9dba00da" alt="The Attribute Statements section of Okta is shown, with four attributes: PantherEmail, PantherFirstName, PantherLastName, and PantherRole" width="529"><figcaption></figcaption></figure>
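The limitations above (only the `eq` filter is supported; users are deactivated, never deleted) and the `pantherRole` attribute from this section are easiest to understand with a concrete SCIM push. The following is an added illustration, not Panther's or Okta's code: the sample User payloads are constructed (their shape follows the SCIM 2.0 core User schema, with `pantherRole` at the top level because its external namespace is the core User schema), and `KNOWN_ROLES` stands in for the roles of a hypothetical Panther deployment.

```python
import json
import re

# Constructed sample of the SCIM 2.0 User that Okta pushes when
# "Push Profile Updates" is enabled. All values are made up.
OKTA_USER_PUSH = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "analyst@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"value": "analyst@example.com", "primary": True}],
    "active": False,                  # Okta deactivation, not deletion
    "pantherRole": "ReadOnlyAnalyst",  # custom attribute from the Profile Editor
})

# Same push, but with a role name that does not exist in Panther.
OKTA_USER_PUSH_BAD_ROLE = json.dumps({
    **json.loads(OKTA_USER_PUSH), "pantherRole": "SuperUser",
})

# Roles of a hypothetical Panther deployment (two built-in, one custom).
KNOWN_ROLES = {"Admin", "ReadOnlyAnalyst", "DetectionEngineer"}

# SCIM filter grammar reduced to the single operator Panther accepts:
#   <attribute> eq "<value>"
_EQ_FILTER = re.compile(r'^\s*([A-Za-z][\w.]*)\s+eq\s+"([^"]*)"\s*$')


def parse_filter(expr):
    """Return (attribute, value) for an `eq` filter; raise for anything else."""
    m = _EQ_FILTER.match(expr)
    if not m:
        raise ValueError(f"unsupported SCIM filter (only 'eq' is supported): {expr!r}")
    return m.group(1), m.group(2)


def plan_user_update(payload):
    """Turn an Okta SCIM push into the profile change Panther would apply.

    Mirrors the documented rules: an unknown pantherRole rejects the whole
    update, and active=false deactivates rather than deletes the user.
    """
    user = json.loads(payload)
    role = user.get("pantherRole")
    if role is not None and role not in KNOWN_ROLES:
        raise ValueError(f"unknown Panther role {role!r}; update rejected")
    return {
        "email": user["userName"],
        "givenName": user["name"]["givenName"],
        "familyName": user["name"]["familyName"],
        "role": role,  # None -> Panther falls back to the default SAML role
        "status": "active" if user.get("active", True) else "deactivated",
    }
```

Feeding `OKTA_USER_PUSH` through `plan_user_update` yields a deactivated user with the `ReadOnlyAnalyst` role, while `OKTA_USER_PUSH_BAD_ROLE` is rejected without touching the profile.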

### Step 4: Assign users to Panther

1. In Okta, click the **Assignments** tab.
2. Assign the Panther application to users and groups.
   * Users: Follow Okta's documentation for [instructions on assigning applications to users](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-assign-apps.htm).
   * Groups: Follow Okta's documentation for [instructions on assigning applications to groups](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-assign-app-group.htm).

If you set up the optional `PantherRole` in [Step 3](#step-3-configure-okta-to-panther-settings), you may assign individuals or groups Panther roles:

* When assigning a new group or user, a prompt will appear to define which Panther role to assign to the group or user.
* To modify an existing entity's Panther role, click the **Assignments** tab, edit the user or group, and modify the `Panther Role` field. If no `Panther Role` attribute is assigned, Panther will use the default SAML role you have selected in the Panther Console.

If you do not see changes sync to Panther, please wait a few minutes then try again.
