> Walkthrough for Okta Connection Setup via OpenID SCIM

# Inbound SCIM for Okta Workforce Connections

<Card title="Before you start">
  Enable Okta Workforce Identity as an identity provider by following the instructions on the [Identity Providers help page](/docs/authenticate/identity-providers/enterprise-identity-providers/okta).

  This integration will require two applications to be registered in Okta Workforce: the OpenID Connect integration and the SCIM integration. The same users and groups must be assigned to both. To eliminate this requirement and streamline the setup process for your customers, [submit your app to the Okta Integration Network](https://developer.okta.com/docs/guides/submit-app-overview/).
</Card>

This section describes how to configure a custom <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect and SCIM app integration in an Okta Workforce Identity tenant, which can be used to provision users to your Auth0 SCIM endpoint.

For information on configuring a <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> and SCIM integration with Okta Workforce Identity, read [Inbound SCIM for Okta Workforce SAML Connections](/docs/authenticate/protocols/scim/inbound-scim-for-okta-workforce-saml-connections) instead.

## Configure SCIM settings in Auth0

1. Launch the [Auth0 Dashboard](https://manage.auth0.com/#/) and go to **Authentication > Enterprise > Okta Workforce > \[your-connection] > Provisioning**.

2. Disable **Sync user profile attributes at each login** unless you want to [sync additional attributes at login](/docs/authenticate/protocols/scim/configure-inbound-scim).

3. In the same section, enable **Sync user profiles using SCIM**.

4. On the **Mapping** tab, ensure the **SCIM attribute containing the User ID** is set to **externalId**.

You can also check **Additional Mappings** to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes.

## Retrieve SCIM endpoint URL and token

1. In the Auth0 Dashboard, browse to the SCIM **Setup** tab and copy the **SCIM Endpoint URL**, then paste it somewhere safe.

2. Select **Generate New Token** and optionally set an expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; the default required scopes used by Okta Workforce are `get:users`, `post:users`, and `put:users`. You may optionally select `get:groups`, `post:groups`, `put:groups`, `patch:groups`, and `delete:groups` to provision groups.

## Configure SCIM in Okta Workforce for OIDC Apps

1. Confirm that an OpenID Connect application [has already been registered](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) in the Okta Workforce tenant for OIDC-based user authentication.

2. Confirm that your OpenID Connect application has [disabled Federation Broker Mode](https://help.okta.com/en-us/content/topics/apps/apps-fbm-main.htm).

3. Register a second application in the Okta portal: select **Applications > Browse App Catalog**, search for **(OAuth Bearer Token) Governance with SCIM 2.0**, and select **Add Integration**. Set an **Application label**, check **Do not display application icon to users**, uncheck **Browser plugin auto-submit**, then select **Next** and **Done**.

4. From the integration's settings page, select the **Provisioning** tab, then **Configure API Integration**. Check **Enable API Integration**. Copy the **SCIM Endpoint URL** from the Auth0 Dashboard **Setup** tab and paste it into the **SCIM 2.0 Base URL** field, removing any trailing forward slash. In the Auth0 Dashboard, select **Generate New Token > Generate Token > Copy and Close**, then paste the token into the **OAuth Bearer Token** field in Okta. Optionally select **Test API Credentials**, then select **Save**.

5. Next to **Provisioning To App**, select **Edit**. Enable only: **Create Users**, **Update User Attributes**, and **Deactivate Users**. Uncheck **Set password when creating new users**, then select **Save**.

6. Under **Attribute Mappings**, use the **X** button to delete these lines, which can cause issues during `PUT` operations:

   | Attribute          | Value                                                                    |
   | ------------------ | ------------------------------------------------------------------------ |
   | Primary email type | `(user.email != null && user.email != '') ? 'work' : ''`                 |
   | Primary phone type | `(user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''`   |
   | Address type       | `(user.streetAddress != null && user.streetAddress != '') ? 'work' : ''` |

   Optionally configure additional SCIM attributes to send from Okta to your SCIM endpoint.

7. Use the **Assignments** tab to assign users and/or groups to your application. Assigning a group provisions its users into your Auth0 tenant.

   <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
     The same groups and users must be assigned to both the SSO app instance and the SCIM app instance in Okta.
   </Callout>

8. To push groups, select the **Push Groups** tab, find and select the group to push, then select **Save**. This provisions the full group object to Auth0. For more information on the relationship between Group Push and assignments, read [Okta's App assignments and Group Push documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-group-push-main.htm).
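
The values used in the steps above (the endpoint URL with its trailing slash removed, and the token's scopes and expiration) can be checked before they are pasted into Okta. The following Python is an added example, not part of Auth0's or Okta's tooling; the function names, the sample URL, and the policy of flagging unused group scopes, unlisted scopes, and non-expiring tokens are assumptions of this example.

```python
from urllib.parse import urlsplit

# Scopes named on this page for the Okta Workforce SCIM token.
REQUIRED_USER_SCOPES = {"get:users", "post:users", "put:users"}
GROUP_SCOPES = {"get:groups", "post:groups", "put:groups",
                "patch:groups", "delete:groups"}


def normalize_base_url(url):
    """Return the URL as it should go into Okta's SCIM 2.0 Base URL field."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM endpoint must be an absolute https:// URL")
    if parts.query or parts.fragment:
        raise ValueError("SCIM endpoint must not carry a query or fragment")
    return url.rstrip("/")  # the page asks for no trailing forward slash


def review_token(scopes, push_groups, expires):
    """Return a list of findings for a token's scope selection and expiry.

    Assumption of this example: group push needs all five group scopes.
    """
    scopes = set(scopes)
    findings = []
    missing = REQUIRED_USER_SCOPES - scopes
    if missing:
        findings.append("missing user scopes: " + ", ".join(sorted(missing)))
    granted_group = scopes & GROUP_SCOPES
    if push_groups and granted_group != GROUP_SCOPES:
        findings.append("group push enabled but missing: "
                        + ", ".join(sorted(GROUP_SCOPES - scopes)))
    if not push_groups and granted_group:
        findings.append("group scopes granted but group push unused: "
                        + ", ".join(sorted(granted_group)))
    unlisted = scopes - REQUIRED_USER_SCOPES - GROUP_SCOPES
    if unlisted:
        findings.append("scopes not listed for this integration: "
                        + ", ".join(sorted(unlisted)))
    if not expires:
        findings.append("token has no expiration date")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or token.
    print(normalize_base_url("https://tenant.example.com/scim/v2/"))
    print(review_token({"get:users", "post:users", "get:groups"}, False, None))
```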
