Objective
This configuration guide describes the feature capabilities of the SCIM integration between 8x8 and Okta for enterprise users and telephony service management, and shows step by step how to configure the integration.
Important: Okta SCIM management of Admin Console users requires that those users be created in Okta first, and then synced to Admin Console. In this case, any existing users created from Admin Console must first be deleted, and then recreated from Okta. Note that Okta SSO login will work for Admin Console users regardless of where the user account was initiated.
Applies To
- Admin Console
- 8x8 SCIM
- Okta
Procedure
Integration Prerequisites
- Log in to Admin Console.
- Click Identity Management.
- Check Single Sign on (SSO).
- Select Okta from the Select SSO Provider list.
- In OKTA SAML Settings, configure the following fields:
- Fill in the IDP Login URL
- Fill in the IDP Issuer URL/URN
- Upload your Okta certificate to the Certificate in use field.
- These can be obtained from the SAML 2.0 View Setup Instructions page under the Okta Sign-on tab within the 8x8 app in Okta (search 8x8, Inc. from the list of applications).
- In Okta User Provisioning, click Show user provisioning information to expand the section.
- Copy the following information provided for SCIM user provisioning from Okta:
- 8x8 URL
- 8x8 API Token
- Click Save to preserve your configuration. The 8x8 API Token will change if you do not Save, or if you clear the Identity Management configuration.
- If opting to sync telephony configuration back from 8x8 into Okta, you are also required to provide the URL to your Okta instance and Okta token in the Okta Sync Back Information section.
- To get the Okta token, navigate to Security > API within Okta, click Okta API - Create New Token, and provide a token name, for example SCIM Integration.
- Copy the generated Okta token.
- Enter your Okta URL (e.g., https://company.oktapreview.com) and Okta token into the respective Okta Sync Back Information fields.
- Save changes made to the Identity Management page.
- Add the 8x8 application to the list of apps used by the company. To do this, log in to Okta and navigate to Admin - Applications, search for 8x8, and select the 8x8 Inc app that has both SAML and SCIM provisioning.
- Once added, the 8x8 app will be available in your application list.
- Click the 8x8 Inc app.
- In the Provisioning tab, click enable provisioning.
- Add the 8x8 SCIM service URL and 8x8 token from step 4 (copy the values over).
- Test API credentials to make sure connectivity to the SCIM Service is successful.
Setting up the Integration between 8x8 and Okta
This section describes how the integration works between the 8x8 SCIM app and Okta.
User Import
Keep enabled. This is needed for telephony system attribute updates to get synced back into Okta from 8x8. This is currently supported with a polling interval that can be changed if needed.
Create Users
This will enable users to be provisioned into the 8x8 system. This can be done with:
- User (People) Assignment
- User assignment within Groups
Update User Attributes
Changes to user profile attributes in Okta will be propagated to 8x8 automatically.
Deactivate Users
Users in 8x8 will be suspended automatically.
To enable the integration, attribute mappings between Okta and 8x8 need to be configured. These come pre-configured with your 8x8 SCIM app. The following is the minimum set of attributes needed for a user to be automatically synced into 8x8.
From: Okta | To: 8x8 |
---|---|
user.username | username |
user.firstName | givenName |
user.lastName | familyName |
user.email | email |
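A pre-flight check for the minimum attribute set above, as an added example that is not 8x8 or Okta code: it flags Okta profiles that lack a required attribute before assignment and builds the user resource for those that are complete. The SCIM 2.0 core User schema (RFC 7643) as the payload shape, the function names, and the sample profiles are assumptions; the page does not state which SCIM version 8x8 accepts.

```python
# Mapping from the table above: Okta profile attribute -> 8x8 attribute.
MINIMUM_MAPPING = {
    "username": "username",
    "firstName": "givenName",
    "lastName": "familyName",
    "email": "email",
}

# Assumption: payload follows the SCIM 2.0 core User schema (RFC 7643).
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def missing_attributes(okta_profile):
    """Return the Okta attributes that are absent or blank in a profile."""
    return [
        f"user.{attr}"
        for attr in MINIMUM_MAPPING
        if not str(okta_profile.get(attr) or "").strip()
    ]


def to_scim_user(okta_profile):
    """Build a SCIM 2.0 User resource; raise if the minimum set is incomplete."""
    missing = missing_attributes(okta_profile)
    if missing:
        raise ValueError("cannot provision, missing: " + ", ".join(missing))
    clean = {attr: str(okta_profile[attr]).strip() for attr in MINIMUM_MAPPING}
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": clean["username"],
        "name": {"givenName": clean["firstName"], "familyName": clean["lastName"]},
        "emails": [{"value": clean["email"], "primary": True}],
        "active": True,
    }


def audit(profiles):
    """Split profiles into (ready payloads, {identifier: missing attributes})."""
    ready, blocked = [], {}
    for index, profile in enumerate(profiles):
        missing = missing_attributes(profile)
        if missing:
            blocked[profile.get("email") or f"profile[{index}]"] = missing
        else:
            ready.append(to_scim_user(profile))
    return ready, blocked


# Constructed sample profiles (not real users).
SAMPLE_PROFILES = [
    {"username": "ana@example.com", "firstName": "Ana", "lastName": "Silva", "email": "ana@example.com"},
    {"username": "bo@example.com", "firstName": "Bo", "lastName": "  ", "email": "bo@example.com"},
    {"firstName": "Cy", "lastName": "Lee", "email": None},
]
```

Running `audit(SAMPLE_PROFILES)` before assigning users or groups to the 8x8 app shows which accounts to fix in Okta first.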
Post Configuration Steps
All user profiles that have been synced from Okta into 8x8 are now visible in the Admin Console user list page. For these users, an administrator will be able to assign licenses and configure services, after which these users may place or receive calls using their hardware endpoints or softphones (VOD/VOM), and avail of 8x8’s telephony services. End users with VOD/VOM will also have the ability to single sign-on into Okta from the softphone login page, before being able to leverage these advanced capabilities.
Additional Information
For more instructions, see the 8x8 Integration with Okta help guide.
Features
Features of the 8x8 SCIM integration include:
- Automatic sync of Active Directory (AD) users and groups from Okta into 8x8
- New standalone user creation
- New user creation within Okta Groups
- User updates
- User deactivation
- Telephony service enablement for users with Admin Console
- Reverse sync of telephony information from 8x8 back to Okta
- Primary extension
- Phone number
- Single sign-on of users into Okta from 8x8 softphone, i.e., 8x8 Work Desktop (VOD), 8x8 Work Mobile (VOM)
Limitations
- SCIM management of 8x8 users is only available to Admin Console accounts. It is not compatible with Account Manager. However, basic Okta SSO authentication with 8x8 will work on either platform.
- Okta SCIM management of Admin Console users requires that those users be created in Okta, first, and then synced to Admin Console.
- Sync of groups from Okta to 8x8 is not available with the integration (however, sync of users within groups is available).
- Any updates to existing usernames in Okta, for users that have already been synced, are not propagated to Federation ID in the 8x8 system.
- In the Admin Console Identity Management page, after entering the fields under Send Telephony System Updates, clicking Generate 8x8 Secret and saving the changes, the fields appear blank due to a known UI bug, even though data is correctly persisted.
- Federation ID is not visible in the Admin Console user page after user provisioning, although it is correctly persisted.
- Okta URL and Okta token must be configured in the Admin Console Identity Management page if opting to sync back extension and phone number into Okta, even while using the Okta Import feature.