
MarkW.95001 (Customer) asked a question.
As I understand, when the integration (in this case Okta) hits the SCIM 2.0 server's endpoints (e.g. /Users), it will send a bearer token corresponding to the OAuth Bearer Token specified in Provisioning -> Integration (if I'm not wrong this is usually the IdP's API token key). My application is multitenant, with each tenant living under <endpoint>/<tenant>. I'm reading this: https://developer.okta.com/docs/concepts/scim/faqs/ and while I understand that Okta can be configured to hit the customized tenant endpoint, I'm having a hard time understanding how my server knows which IdP the tenant uses, and therefore how I should be verifying the OAuth Bearer Token. Can someone help me understand this architecture?

Hi Mark,
This question has been escalated to Customer Support who will follow up with you on this post.
Thanks!
Tim

Hi Mark,
Okta requires a base URL which can contain the tenant on which the request is made, for example "https://example.com/{tenant}/scim/v2/". To this URL, Okta automatically adds "/Users" and "/Groups" in order to perform the specific SCIM request.
If your application has the {tenant} section after the endpoint, for example "https://example.com/scim/v2/Users/{tenant}", then the integration would not be possible at this time. If this is the case, I'd like to encourage you to raise this as a new feature request over our Okta Community by going to your Okta Admin Panel >> Help and Training >> Product >> Ideas. Features suggested in our community are reviewed and can be voted and commented on by other members of the community, therefore making it much easier for the engineering team to understand the priorities that you have for feature requests.
Dragos Gaftoneanu
Developer Support Engineer
Okta Global Customer Care
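
One way a multi-tenant SCIM server could bind the bearer token to the tenant named in the base URL, as an added example that is not part of the original thread or Okta's own code. It assumes each tenant has its own token whose SHA-256 digest is stored server-side; `authorize`, `TENANT_TOKEN_HASHES` and the sample tokens are hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample data: digest of the bearer token configured for each
# tenant's provisioning integration. Assumes tokens are long random strings,
# so a plain SHA-256 digest is adequate for storage.
TENANT_TOKEN_HASHES = {
    "acme": hashlib.sha256(b"acme-sample-token").hexdigest(),
    "globex": hashlib.sha256(b"globex-sample-token").hexdigest(),
}

# Base URL shape from the answer above: /{tenant}/scim/v2/ with /Users or
# /Groups (and optionally a resource id) appended by the client.
SCIM_PATH = re.compile(
    r"/(?P<tenant>[a-z0-9-]{1,63})/scim/v2/(?P<resource>Users|Groups)(?:/[^/]+)?"
)
DUMMY_DIGEST = "0" * 64  # compared against when the tenant is unknown


def authorize(path, authorization_header):
    """Return (status, tenant, resource) for one SCIM request.

    path is the URL path without the query string.
    """
    match = SCIM_PATH.fullmatch(path)
    if match is None:
        return 404, None, None
    tenant = match["tenant"]

    scheme, _, token = (authorization_header or "").partition(" ")
    presented = hashlib.sha256(token.strip().encode()).hexdigest()

    # Look up the digest for the tenant in the path, never "any tenant that
    # matches": a token valid for one tenant must fail on another tenant's URL.
    expected = TENANT_TOKEN_HASHES.get(tenant, DUMMY_DIGEST)
    token_ok = hmac.compare_digest(presented, expected)  # constant-time compare

    if scheme.lower() != "bearer" or not token_ok or tenant not in TENANT_TOKEN_HASHES:
        # Same response for unknown tenant and wrong token, so the endpoint
        # does not reveal which tenant names exist.
        return 401, None, None
    return 200, tenant, match["resource"]
```

The tenant returned by `authorize` is what downstream handlers should use to scope every user and group lookup, rather than re-reading it from the request.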