OBSERVABILITY PLATFORM
Okta user synchronization

Okta user synchronization

System for Cross-domain Identity Management (SCIM) (opens in a new tab) is a standard used to automate exchanges of user identity details between identity systems or Identity Providers (IdP), like Okta. It's used to deprovision, update, and provision users.

SCIM integration helps you control user access in Chronosphere Observability Platform.

This document applies to existing customers using Okta who want to use SCIM. New customers can configure SCIM when moving to Observability Platform.

After migrating to SCIM, Chronosphere Support sends you a list of users not managed by SCIM. On a case-by-case basis, determine if a user should be deactivated, or if the user is still active but has a new email address. Your Chronosphere team manually remediates these issues to complete the migration process.

Setup

Setting up SCIM with Okta requires configuration in both Observability Platform and the Okta dashboard.

Prepare Observability Platform for SCIM integration

Setting up SCIM with Okta requires a user with Okta super administrator access and a user with Observability Platform SysAdmin permissions. These accounts can be the same user.

Before proceeding with Okta integration, you must:

  1. Contact Chronosphere Support to enable SCIM integration for Okta Workforce for your application.
  2. Create an unrestricted service account in Observability Platform. You must be a member of a team with the SysAdmin role to create a new service account. For the New Service Account Name, Chronosphere recommends a meaningful service account name like Okta SCIM integration.
  3. Copy the token to a safe place, as it's provided only once, and can't be displayed or recovered later.
  4. In Observability Platform, create a new, distinct team for the purpose of SCIM administration.
  5. Assign the User Administrator role to the team. For security, Chronosphere recommends only this team be assigned the User Admin role, and the role be specifically scoped to only have permission to communicate with the SCIM API, or have access to the service token.
  6. Add the service account user you created.

Configure SCIM integration on Okta

Your organization's Okta administrator must configure Okta provisioning integration.

Find general instructions for setting up Okta integration in the Okta documentation (opens in a new tab).

  1. Using an administrator account, sign in to the Okta app to be used for single sign-on (SSO) integration with Observability Platform.
  2. Next to your username, click Admin.
  3. In the left sidebar menu, go to Applications > Applications.
  4. In the General tab, next to Provisioning, select SCIM and then click Save.
  5. Click the Provisioning tab.
  6. Click Integration, and then click Edit.
  7. Enter information for the following fields:
    • SCIM connector base URL: https://ADDRESS.chronosphere.io/api/scim/v2, where ADDRESS is your company name prefixed to your Observability Platform instance.
    • Unique identifier field for users: Enter email.
    • Supported provisioning actions: Select only these values:
      • Push New Users
      • Push Profile Updates
  8. For Authentication Mode, select HTTP Header.
  9. For the Authorization section's Bearer field, copy and paste the service token obtained when creating a service account in the Observability Platform console.
  10. Click Test Connector Configuration to ensure the integration configuration is correct. If you encounter an error message, review the configuration and try again.
  11. Click Save to save the configuration. The Provisioning to App page displays.
  12. Select the Enable checkboxes for Create Users and Update User Attributes.
  13. Click Save.
⚠️

You must complete both step 7 (select Push new users), and step 12 (Enable the checkbox for Create Users). Provisioning fails if either of these steps isn't completed.

Update the Observability Platform default group in Okta

After completing SCIM integration setup process and connecting to Observability Platform, sync the existing users in your Okta tenant with Observability Platform. To do this, you must first remove all assigned users and groups, and then reassign them.

  1. Sign in to Okta.
  2. Click Admin.
  3. In the left sidebar menu, go to Applications > Applications.
  4. In the Provisioning tab, clear the Deactivate Users checkbox.

    Clear this checkbox before updating the group.

  5. Navigate to the Assignments tab and then select Groups.
  6. To remove all Existing Groups, click the X icon next to each group.
  7. Click the Assign button and reassign all Existing Groups.
  8. Navigate to the Provisioning tab, and then click Edit.
  9. Select the Deactivate Users checkbox.

The SCIM integration setup is now complete and users will be provisioned and deprovisioned by Observability Platform.

Verify successful provisioning

After completing the setup process, verify the provisioning process succeeded.

  1. In Okta, navigate to Dashboard -> Tasks.
  2. Look for failed requests. These display as Application assignments encountered errors.
  3. Retry any failed requests. If failures persist, contact Chronosphere Support.

It's a good practice to review for failed requests whenever deactivating users or changing users assigned to Observability Platform. Use Okta Workflows (opens in a new tab) to send notifications when provisioning or deprovisioning fails.

Deprovisioned users

When a user is deprovisioned, personal access tokens and any outstanding credentials they had from Observability Platform no longer work.

Group memberships remain intact, and service accounts continue to function.

Observability Platform doesn't revoke service accounts created by a given user during user deactivation. Service accounts can be used in production, and deactivating them can cause outages. This is consistent with other web services, such as Amazon Web Services and Google Cloud Platform, where service accounts aren't tied to a user.