> Walkthrough for Okta Connection Setup via SAML SCIM

# Inbound SCIM for Okta Workforce SAML Connections

<Card title="Before you start">
  Create a [SAML Connection](/docs/authenticate/identity-providers/enterprise-identity-providers/saml) in your Auth0 tenant and [connect it to a corresponding custom SAML application](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm) in your Okta Workforce Identity Dashboard.
</Card>

This section describes how to configure a custom <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> and SCIM app integration in an Okta Workforce Identity tenant, which can be used to provision users to your Auth0 SCIM endpoint.

## Configure SCIM settings in Auth0

1. Launch the [Auth0 Dashboard](https://manage.auth0.com/#/) and go to **Authentication > Enterprise > SAML > \[Connection] > Provisioning.**

2. Disable **Sync user profile attributes at each login** unless you want to [sync additional attributes at login](/docs/authenticate/protocols/scim/configure-inbound-scim).

3. In the same section, enable **Sync user profiles using SCIM**.

4. Under the **Mapping** tab, ensure the **SCIM attribute containing the User ID** setting is set to **userName**.

5. Review the **Additional Mappings** to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes; see [attribute mapping](/docs/authenticate/protocols/scim/configure-inbound-scim#attribute-mapping) for details. If you receive phone numbers and physical addresses, note that Okta Workforce sends these as `phoneNumbers[primary eq true].value` and `addresses[primary eq true].*` by default.

6. Map the SCIM `userName` attribute to the Auth0 `email` attribute if this connection has already been deployed to production using the email address as the login ID and no Auth0 `username` attribute is set on the existing user profiles; this lets Okta [find and match existing users](https://developer.okta.com/docs/reference/scim/scim-20/). In **Additional Mappings**, find the following attribute pair:

   ```json
   {
     "scim": "userName",
     "auth0": "username"
   }
   ```

   Replace it with the one below, then remove the mapping to `emails[primary eq true].value`.

   ```json
   {
     "scim": "userName",
     "auth0": "email"
   }
   ```

7. Choose **Save Changes.**
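To make the mapping step concrete, the following added example (not Auth0's implementation) applies a mapping list in the page's `{"scim": ..., "auth0": ...}` format to a constructed SCIM user payload of the shape Okta Workforce sends, resolving the `[primary eq true]` filter paths and the `.*` wildcard mentioned in step 5. The path semantics, notably returning the whole matched complex attribute for `.*`, are this example's own assumption.

```python
import re

# Constructed SCIM 2.0 user in the shape Okta Workforce sends (not a real capture).
OKTA_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"primary": True, "value": "jdoe@example.com", "type": "work"}],
    "phoneNumbers": [{"primary": True, "value": "+1-555-0100", "type": "work"}],
    "addresses": [{"primary": True, "streetAddress": "1 Main St", "locality": "Springfield"}],
    "active": True,
}

# Mapping in the page's format after the step-6 edit: userName -> email, and the
# emails[primary eq true].value pair removed so the login ID is set exactly once.
EMAIL_AS_LOGIN_MAPPING = [
    {"scim": "userName", "auth0": "email"},
    {"scim": "name.givenName", "auth0": "given_name"},
    {"scim": "name.familyName", "auth0": "family_name"},
    {"scim": "phoneNumbers[primary eq true].value", "auth0": "phone_number"},
    {"scim": "addresses[primary eq true].*", "auth0": "address"},
]

# attr[sub eq value] with a boolean or quoted-string value; values containing '.'
# are not supported because the path is split on '.' first (assumed simplification).
_FILTER = re.compile(r'^(\w+)\[(\w+) eq (true|false|"[^"]*")\]$')


def resolve(resource, path):
    """Resolve one SCIM attribute path: dotted sub-attributes, eq filters, trailing .*"""
    node = resource
    for seg in path.split("."):
        if node is None:
            return None
        if seg == "*":
            return node  # wildcard: hand back the whole matched complex attribute
        m = _FILTER.match(seg)
        if m:
            attr, sub, want = m.groups()
            want = {"true": True, "false": False}.get(want, want.strip('"'))
            node = next((x for x in node.get(attr, []) if x.get(sub) == want), None)
        else:
            node = node.get(seg) if isinstance(node, dict) else None
    return node


def apply_mapping(resource, mapping):
    """Build the Auth0 profile dict; attributes absent from the payload are skipped."""
    out = {}
    for pair in mapping:
        value = resolve(resource, pair["scim"])
        if value is not None:
            out[pair["auth0"]] = value
    return out
```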

## Retrieve SCIM endpoint URL and token

1. In the Auth0 dashboard, browse to the SCIM **Setup** tab and copy the **SCIM Endpoint URL,** then paste it somewhere safe.
2. Select **Generate New Token** and set an optional expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; the default scopes used by Okta Workforce are `get:users`, `post:users`, and `put:users`. You may optionally select `get:groups`, `post:groups`, `put:groups`, `patch:groups`, and `delete:groups` to provision groups.

## Configure SCIM in Okta Workforce for SAML Apps

There are two ways to configure SCIM provisioning in Okta. Choose the method that matches your connection type and group size requirements:

| Method                        | Description                                                                                                                                                                                                            | Considerations                                                                                                 |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| **SAML application**          | Uses the existing **Provisioning** tab for SAML applications in Okta. This method does not support the SCIM `PATCH` method for groups, so a group's full membership must fit in a single `POST` or `PUT` request. | Appropriate for pushing users. Does not support pushing groups with more than 10,000 members.                  |
| **SCIM template application** | Uses a SCIM 2.0 template app in Okta that supports the SCIM `PATCH` method with groups. Required for pushing groups over 10,000 members.                                                                               | Works alongside existing SAML or OIDC SSO integrations. Supports pushing groups with more than 10,000 members. |

### Okta SAML application

1. Go to your Okta Workforce Identity SAML application, select the **General** tab, then choose **Edit** for **App Settings.**

2. In the **Provisioning** section, select **SCIM** and then **Save**.

3. Under the **General** tab, also confirm that [Federation Broker Mode](https://help.okta.com/en-us/content/topics/apps/apps-fbm-main.htm) is disabled.

4. Select the **Provisioning** tab, then go to **Integration** tab and select **Edit**.

5. Enter the **SCIM Endpoint URL** value you copied earlier into the **SCIM connector base URL** section.

6. For **Unique identifier field for users**, enter **userName**.

7. Under **Supported provisioning actions**, select `Push New Users`, `Push Profile Updates`, and optionally `Push Groups`. Choose **HTTP Header** as the **Authentication Mode.**

8. Paste the SCIM token into the **Authorization** field, then choose **Test Connection Configuration** if you want to test the new connection. Select **Save**.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/4kEFIeW8qbRqGb46KYuXJH/067213e99fbca35baab9bb104d1047f3/supersaas.jpg" alt="Inbound SCIM WIC Configuration" />
   </Frame>

9. Browse to **Provisioning > Settings > To App** and choose **Edit,** then enable the **Create Users, Update User Attributes,** and **Deactivate users** operations. Select **Save**.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/4RXROJ4amD4TpY3ozDg6wV/03c11b7ea8354a033b64d2df4f6360be/supersaasprovisioning.jpg" alt="" />
   </Frame>

10. Under the **Attribute Mappings** section, use the **X** button to **delete** the following lines:

    | Attribute          | Value                                                                    |
    | ------------------ | ------------------------------------------------------------------------ |
    | Primary email type | `(user.email != null && user.email != '') ? 'work' : ''`                 |
    | Primary phone type | `(user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''`   |
    | Address type       | `(user.streetAddress != null && user.streetAddress != '') ? 'work' : ''` |

    Use the **Attribute Mappings** section to configure any additional SCIM attributes you want Okta to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read [Okta's help section](https://support.okta.com/help/s/article/Receiving-Invalid-externalNamespace-task-error-when-assigning-a-user-to-a-SCIMenabled-application).

11. Use the **Assignments** tab to assign users and/or groups to your application. Assigning a group provisions its users into your Auth0 tenant.

12. To push groups, select the **Push Groups** tab, find and select the group to push, then select **Save**. For more information, read [Okta's App assignments and Group Push documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-group-push-main.htm).

### Okta SCIM template application

1. In the Okta portal, select **Applications > Browse App Catalog**, search for **(OAuth Bearer Token) Governance with SCIM 2.0**, and select **Add Integration**. Set an **Application label**, check **Do not display application icon to users**, uncheck **Browser plugin auto-submit**, then select **Next** and **Done**.

2. From the integration's settings page, select the **Provisioning** tab, then **Configure API Integration**. Check **Enable API Integration**. Copy the **SCIM Endpoint URL** from the Auth0 Dashboard **Setup** tab and paste it into the **SCIM 2.0 Base URL** field, removing any trailing forward slash. In the Auth0 Dashboard, select **Generate New Token > Generate Token > Copy and Close**, then paste the token into the **OAuth Bearer Token** field in Okta. Optionally select **Test API Credentials**, then select **Save**.

3. Next to **Provisioning To App**, select **Edit**. Enable only: **Create Users**, **Update User Attributes**, and **Deactivate Users**. Uncheck **Set password when creating new users**, then select **Save**.

4. Under **Attribute Mappings**, use the **X** button to delete these lines, which can cause issues during `PUT` operations:

   | Attribute          | Value                                                                    |
   | ------------------ | ------------------------------------------------------------------------ |
   | Primary email type | `(user.email != null && user.email != '') ? 'work' : ''`                 |
   | Primary phone type | `(user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''`   |
   | Address type       | `(user.streetAddress != null && user.streetAddress != '') ? 'work' : ''` |

   Optionally configure additional SCIM attributes to send from Okta to your SCIM endpoint.

5. Use the **Assignments** tab to assign users and/or groups to your application. Assigning a group provisions its users into your Auth0 tenant.

   <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
     The same groups and users must be assigned to both the SSO app instance and the SCIM app instance in Okta.
   </Callout>

6. To push groups, select the **Push Groups** tab, find and select the group to push, then select **Save**. This provisions the full group object to Auth0. For more information on the relationship between Group Push and assignments, read [Okta's App assignments and Group Push documentation](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-group-push-main.htm).
