Okta user synchronization

System for Cross-domain Identity Management (SCIM) is a standard used to automate exchanges of user identity details between identity systems or Identity Providers (IdP), like Okta. It's used to provision, update, and deprovision users.

SCIM integration helps you control user access in Chronosphere.

This document applies to existing customers using Okta who want to use SCIM. New customers can configure SCIM when moving to Chronosphere.

After migrating to SCIM, Chronosphere Support sends you a list of users not managed by SCIM. On a case-by-case basis, determine if a user should be deactivated, or if the user is still active but has a new email address. Your Chronosphere team manually remediates these issues to complete the migration process.

Setup

Setting up SCIM with Okta requires configuration in both Chronosphere and the Okta dashboard.

Prepare Chronosphere for SCIM integration

Setting up SCIM with Okta requires a user with Okta super administrator access and a user with Chronosphere SysAdmin permissions. These accounts can be the same user.

Before proceeding with Okta integration, you must:

  1. Contact Chronosphere Support to enable SCIM integration for Okta Workforce for your application.
  2. Create a Chronosphere unrestricted service account. You must be a member of a team with the SysAdmin role to create a new service account. For the New Service Account Name, Chronosphere recommends a meaningful service account name like Okta SCIM integration.
  3. Copy the token to a safe place, as it's provided only once, and can't be displayed or recovered later.
  4. In Chronosphere, create a new, distinct team for the purpose of SCIM administration.
  5. Assign the User Administrator role to the team. For security, Chronosphere recommends that only this team be assigned the User Administrator role, and that the role be scoped to only the permissions needed to communicate with the SCIM API or to access the service token.
  6. Add the service account you created to this team.

Configure SCIM integration on Okta

Your organization's Okta administrator must configure Okta provisioning integration.

Find general instructions for setting up Okta integration in the Okta documentation.

  1. Using an administrator account, sign in to the Okta app to be used for single sign-on (SSO) integration with Chronosphere.
  2. Next to your username, click Admin.
  3. In the left sidebar menu, go to Applications > Applications.
  4. In the General tab, next to Provisioning, select SCIM and then click Save.
  5. Click the Provisioning tab.
  6. Click Integration, and then click Edit.
  7. Enter information for the following fields:
    • SCIM connector base URL: https://ADDRESS.chronosphere.io/api/scim/v2, where ADDRESS is your company name prefixed to your Chronosphere instance.
    • Unique identifier field for users: Enter email.
    • Supported provisioning actions: Select only these values:
      • Push New Users
      • Push Profile Updates
  8. For Authentication Mode, select HTTP Header.
  9. For the Authorization section's Bearer field, copy and paste the service token obtained when creating a service account in the Chronosphere console.
  10. Click Test Connector Configuration to ensure the integration configuration is correct. If you encounter an error message, review the configuration and try again.
  11. Click Save to save the configuration. The Provisioning to App page displays.
  12. Select the Enable checkboxes for Create Users and Update User Attributes.
  13. Click Save.
⚠️ You must complete both step 7 (select Push New Users) and step 12 (enable the Create Users checkbox). Provisioning fails if either step isn't completed.
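As an added pre-flight check (example code, not Chronosphere's or Okta's), this Python builds the kind of request Okta sends when you click Test Connector Configuration: a GET against the SCIM v2 base URL from step 7 with the service token in an Authorization: Bearer header, and classifies the answer for one email. It assumes the endpoint honours the standard SCIM 2.0 userName filter; the address, token and user in it are placeholders.

```python
import json
import urllib.request
from urllib.parse import quote

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def scim_base_url(address: str) -> str:
    """SCIM connector base URL from step 7; ADDRESS is your company prefix."""
    return f"https://{address}.chronosphere.io/api/scim/v2"

def lookup_user_request(address: str, token: str, email: str) -> urllib.request.Request:
    """GET /Users filtered by email, authenticated like Okta's HTTP Header mode:
    the service token goes in an Authorization: Bearer header. The filter grammar
    is SCIM 2.0 (RFC 7644); that the endpoint matches on userName is an assumption."""
    if not token:
        raise ValueError("empty service token; the token is shown only once at creation")
    filt = quote(f'userName eq "{email}"')
    req = urllib.request.Request(f"{scim_base_url(address)}/Users?filter={filt}")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/scim+json")
    return req

def provisioning_status(body: str, email: str) -> str:
    """Classify a SCIM ListResponse for one email: 'active', 'inactive' or 'missing'.
    A body that is not a ListResponse (e.g. an HTML login page returned for a bad
    token or wrong base URL) raises instead of being misread as 'missing'."""
    data = json.loads(body)
    if LIST_RESPONSE not in data.get("schemas", []):
        raise ValueError("not a SCIM ListResponse: check the base URL and bearer token")
    for user in data.get("Resources", []):
        if user.get("userName", "").lower() == email.lower():
            return "active" if user.get("active", False) else "inactive"
    return "missing"

def check_provisioned(address: str, token: str, email: str, opener=urllib.request.urlopen) -> str:
    """Live check against the tenant; pass a stub opener to run it offline."""
    with opener(lookup_user_request(address, token, email), timeout=10) as resp:
        return provisioning_status(resp.read().decode(), email)

# Constructed sample ListResponse (not real Chronosphere data) for offline use.
SAMPLE_BODY = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 1,
    "Resources": [{"id": "placeholder-id", "userName": "jdoe@example.com", "active": True}],
})

if __name__ == "__main__":
    print(provisioning_status(SAMPLE_BODY, "jdoe@example.com"))
```

Run check_provisioned with your real ADDRESS, the token you saved in step 3, and the email of a user assigned to the app; anything other than "active" (or a raised error) is worth resolving before enabling Create Users.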

Update the Chronosphere default group in Okta

After completing the SCIM integration setup process and connecting to Chronosphere, sync the existing users in your Okta tenant with Chronosphere. To do this, you must first remove all assigned users and groups, and then reassign them.

  1. Sign in to Okta.
  2. Click Admin.
  3. In the left sidebar menu, go to Applications > Applications.
  4. In the Provisioning tab, clear the Deactivate Users checkbox.

    Clear this checkbox before updating the group.

  5. Navigate to the Assignments tab and then select Groups.
  6. To remove all Existing Groups, click the X icon next to each group.
  7. Click the Assign button and reassign all Existing Groups.
  8. Navigate to the Provisioning tab, and then click Edit.
  9. Select the Deactivate Users checkbox.

The SCIM integration setup is now complete and users will be provisioned and deprovisioned by Chronosphere.

Verify successful provisioning

After completing the setup process, verify the provisioning process succeeded.

  1. In Okta, navigate to Dashboard > Tasks.
  2. Look for failed requests. These display as Application assignments encountered errors.
  3. Retry any failed requests. If failures persist, contact Chronosphere Support.

It's a good practice to check for failed requests whenever you deactivate users or change the users assigned to Chronosphere. Use Okta Workflows to send notifications when provisioning or deprovisioning fails.

Deprovisioned users

When a user is deprovisioned, personal access tokens and any outstanding credentials they had from the Chronosphere app no longer work.

Group memberships remain intact, and service accounts continue to function.

Chronosphere doesn't revoke service accounts created by a given user during user deactivation. Service accounts can be used in production, and deactivating them can cause outages. This is consistent with other web services, such as Amazon Web Services and Google Cloud Platform, where service accounts aren't tied to a user.