Okta's On-Premises Provisioning Agent support for SCIM 2.0? Skip to main content
https://support.okta.com/help/answers?id=9062a000000xamtqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
George AlexGeorge Alex 

Okta's On-Premises Provisioning Agent support for SCIM 2.0?

Does Okta's On-Premises Provisioning Agent support SCIM 2.0? And if not, when will it be supported?
Valeriu HudeaValeriu Hudea (Okta, Inc.)
Hello Alex, 

Yest it does , the On-prem agent flow goes through a SCIM endpoint/server/connector and connects to a on premise application/SCIM enabled app , we have a deployment guide summarizing this flow and a guide for establishing this flow , there are many aspects of this integration and the configuration can be pretty heavy, but with Okta SDK's you can test out the flow in a pretty straight forward manner : 
https://support.okta.com/help/Documentation/Knowledge_Article/46749316-On-Premises-Provisioning-Deployment-Guide 
This would a be step by step guide through the architecture. 

We have guides on the SCIM connectors in regards to this flow with java (https://developer.okta.com/okta-sdk-java/apidocs/): 
https://support.okta.com/help/Documentation/Knowledge_Article/30504778-Building-SCIM-Connectors 

SCIM server guide : 
https://support.okta.com/help/Documentation/Knowledge_Article/30093436-Creating-SCIM-Connectors 

Another view of the On Prem Provisioning aspects : 
https://support.okta.com/help/Documentation/Knowledge_Article/29448976-Configuring-On-Premises-Provisioning (http://​https://support.okta.com/help/Documentation/Knowledge_Article/29448976-Configuring-On-Premises-Provisioning

The summarized configuration would be something like this : 
1) JAVA : sudo yum install java-1.7.0-openjdk ( compatible version) 

2) MAVEN : 1) sudo wget https://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo

           2) sudo sed -i s/\$releasever/6/g /etc/yum.repos.d/epel-apache-maven.repo

           3) sudo yum install -y apache-maven

           4) mvn --version
(simplified Maven install ) 

3) OKTA SDK Connector : wget https://ORGName.okta.com/static/toolkits/Okta-Provisioning-Connector-SDK-01.02.03.zip (latest connector SDK check for availability ) 
   OKTA OPP AGENT rm  : wget https://ORGname.okta.com/static/agents/ProvisioningAgent/OktaProvisioningAgent-01.02.02.x86_64.rpm ( check for availability ) 

sudo unzip Okta-Provisioning-Connector-SDK-01.02.03.zip

yum localinstall OktaProvisioningAgent-01.02.02.x86_64.rpm

sudo /opt/OktaProvisioningAgent/configure_agent.sh


4) Building Connector with MAVEN : follow steps to build the example-server.

Locate the /lib/scim-server-sdk jar file from the SDK root directory.

Install it locally with the following Maven command.

mvn install:install-file -Dfile=<PATH TO THE JAR> -DgroupId=com.okta.scim.sdk -DartifactId=scim-server-sdk -Dpackaging=jar -Dversion=01.00.xx

where is the SDK version number. For complete build instructions the contain this command with the correct version number, see the install.bat and install.sh files in the /lib folder.

Build the example, with the following command

mvn package

Copy the target/scim-server-example-*.war file to your Tomcat directory and run it.
You can now use the tester to run methods against this example SCIM connector 


Hope this helps out, 

Best Regards
 
George AlexGeorge Alex
Hi,

From what I understand, there should not be a need to implement a new SCIM connector if the target application already supports SCIM natively. I believe the on-premises agent should be able to talk directly to the application. 

I pointed the agent to our application IdentityIQ, however, the agent seems to fail at a specific operation, namely the ServiceProviderConfigs operation, which is a SCIM 1.1 operation. IdentityIQ supports SCIM 2.0, where that same operation is named ServiceProviderConfig, without the 's'. Please let me know if there is flag somewhere I need to set to make the agent switch to the SCIM 2.0 protocol, if at all it is supported.

Thanks!
Evgeny RusinEvgeny Rusin
Any news on this? I'm seeing the same with Windows on-premises provisioning agent: it wants to GET /scim/v2/ServiceProviderConfigs, i.e. with 's'!