
Okta SCIM

This guide walks you through setting up direct SCIM provisioning from Okta to automatically synchronize users into Probo.

  • Okta administrator access
  • Probo organization administrator access
  • An Okta plan that supports SCIM provisioning (Okta Lifecycle Management)

Okta pushes user changes to Probo’s SCIM 2.0 endpoint in real time. When you assign users or groups to the Probo application in Okta, it automatically:

  • Creates Probo accounts for newly assigned users
  • Updates user attributes when they change in Okta
  • Deactivates Probo accounts when users are unassigned or deactivated
  • Deletes Probo accounts when users are permanently removed (if configured)

| Okta User Profile Field | SCIM Attribute | Notes |
| --- | --- | --- |
| userName | userName | Required, unique |
| displayName | displayName | |
| givenName | name.givenName | |
| familyName | name.familyName | |
| nickName | nickName | |
| active | active | |
| email | emails[type eq "work"].value | Multi-valued |
| primaryPhone | phoneNumbers[type eq "work"].value | Multi-valued |
| title | title | |
| userType | userType | |
| preferredLanguage | preferredLanguage | |
| locale | locale | |
| timezone | timezone | |
| profileUrl | profileUrl | |

Enterprise User Extension attributes:

| Okta User Profile Field | SCIM Attribute |
| --- | --- |
| employeeNumber | enterprise:employeeNumber |
| organization | enterprise:organization |
| department | enterprise:department |
| division | enterprise:division |
| costCenter | enterprise:costCenter |
| manager | enterprise:manager.value |
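
Added example (not part of the Probo documentation or Probo's code): the SCIM 2.0 User resource that the two mapping tables above describe, built from an Okta-style profile, plus an RFC 7644 PatchOp body that sets active to false. The sample profile and the helper names to_scim_user and deactivate_patch are assumptions made for illustration; the exact requests Okta sends may differ in detail. Comparing this shape against entries in the Probo Event Log helps when an attribute fails to sync.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Fields whose name is the same in the Okta profile and in SCIM (first table).
SIMPLE = ["displayName", "nickName", "active", "title", "userType",
          "preferredLanguage", "locale", "timezone", "profileUrl"]
# Fields that live under the Enterprise User Extension (second table).
ENTERPRISE_FIELDS = ["employeeNumber", "organization", "department",
                     "division", "costCenter"]
# Constructed sample profile; every value here is made up for illustration.
SAMPLE_PROFILE = {
    "userName": "jane.doe@example.com", "givenName": "Jane",
    "familyName": "Doe", "email": "jane.doe@example.com", "active": True,
    "department": "Security", "manager": "constructed-manager-id",
}

def to_scim_user(profile):
    """Build a SCIM 2.0 User resource from an Okta-style profile dict."""
    user_name = (profile.get("userName") or "").strip()
    if not user_name:  # userName is the one attribute marked Required, unique
        raise ValueError("userName must be mapped to a non-empty value")
    user = {"schemas": [CORE], "userName": user_name}
    user.update({k: profile[k] for k in SIMPLE if k in profile})
    name = {k: profile[k] for k in ("givenName", "familyName") if k in profile}
    if name:
        user["name"] = name
    if "email" in profile:  # multi-valued: a list of typed entries
        user["emails"] = [{"type": "work", "value": profile["email"]}]
    if "primaryPhone" in profile:
        user["phoneNumbers"] = [{"type": "work", "value": profile["primaryPhone"]}]
    ext = {k: profile[k] for k in ENTERPRISE_FIELDS if k in profile}
    if "manager" in profile:
        ext["manager"] = {"value": profile["manager"]}
    if ext:  # the extension is keyed by its full URN and listed in schemas
        user["schemas"].append(ENTERPRISE)
        user[ENTERPRISE] = ext
    return user

def deactivate_patch():
    """RFC 7644 PatchOp body that sets active to false (deprovisioning)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "value": {"active": False}}]}

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE_PROFILE), indent=2))
    print(json.dumps(deactivate_patch(), indent=2))
```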

Step 1: Generate SCIM Credentials in Probo

  1. Log in to Probo as an organization administrator

  2. Go to Organization Settings > Authentication > Auto-Provisioning

  3. Click Add Connector and select SCIM

  4. Copy the SCIM Endpoint URL and Bearer Token

  1. Sign in to your Okta Admin Console

  2. Go to Applications > Applications

  3. Click Browse App Catalog

  4. Search for SCIM 2.0 Test App (Header Auth) and select it

  5. Click Add Integration

  6. Enter the following:

    | Field | Value |
    | --- | --- |
    | Application label | Probo |
  7. Click Next, then Done

  1. In the Probo application, go to the Provisioning tab

  2. Click Configure API Integration

  3. Check Enable API Integration

  4. Enter the following:

    | Field | Value |
    | --- | --- |
    | SCIM 2.0 Base URL | Your Probo SCIM endpoint URL (e.g. https://your-probo-domain.com/api/connect/v1/scim/2.0) |
    | OAuth Bearer Token | The bearer token from Step 1 |
  5. Click Test API Credentials to verify Okta can reach the Probo SCIM endpoint

  6. Click Save

  1. In the Provisioning tab, click To App in the left sidebar

  2. Click Edit

  3. Enable the following provisioning actions:

    | Action | Setting |
    | --- | --- |
    | Create Users | ☑️ Enabled |
    | Update User Attributes | ☑️ Enabled |
    | Deactivate Users | ☑️ Enabled |
  4. Click Save

The default attribute mappings work for most setups. To review or customize them:

  1. In the Provisioning tab, scroll to Attribute Mappings
  2. Review the mappings — the defaults map Okta user profile attributes to Probo’s supported SCIM attributes
  3. Adjust mappings if needed (e.g. map employeeNumber to urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber)
  4. Click Save

  1. In the Probo application, go to the Assignments tab
  2. Click Assign > Assign to People or Assign to Groups
  3. Select the users or groups you want to provision into Probo
  4. Click Assign, then Save and Go Back
  5. Click Done

Only assigned users (or members of assigned groups) will be provisioned. This gives you fine-grained control over who gets a Probo account.

  1. In Okta, go to the Probo application > Provisioning tab > To App to check provisioning status
  2. Go to Reports > System Log and filter by application to see provisioning events
  3. In Probo, go to Organization Settings > Members to verify users have been provisioned
  4. Check Organization Settings > Authentication > Auto-Provisioning > Event Log for detailed SCIM events

  • Cause: The SCIM endpoint URL or bearer token is incorrect, or a firewall is blocking the connection
  • Solution: Verify the endpoint URL includes the full path (ending in /scim/2.0). Re-generate the bearer token in Probo if needed. Ensure your network allows outbound HTTPS from Okta to your Probo instance.

  • Cause: Users or groups are not assigned to the application, or provisioning actions are not enabled
  • Solution: Check that users are assigned under the Assignments tab and that Create Users is enabled under Provisioning > To App

  • Cause: Attribute mapping conflicts or missing required attributes
  • Solution: Check the System Log in Okta for specific error messages. Ensure userName is mapped to a unique, non-empty value (typically the user’s email)

  • Cause: Okta may still be processing the change, or Deactivate Users is not enabled
  • Solution: Verify that Deactivate Users is enabled under Provisioning > To App. Check the System Log for the deprovisioning event. For immediate effect, manually trigger a push by clicking Push Now in the application’s provisioning settings.

  • Cause: The userName in Okta doesn’t match an existing Probo user’s email
  • Solution: Ensure the attribute mapped to userName matches the email format used in Probo. You may need to adjust the mapping to use the user’s primary email address.

For the best experience, combine SCIM provisioning with SAML SSO:

  1. SCIM provisioning handles user lifecycle — creating and deactivating accounts automatically
  2. SAML SSO handles authentication — users sign in with their Okta credentials

This means users get automatic Probo accounts when they join your organization and lose access when they leave, with no manual account management needed.