Configure iGrafx for automatic user provisioning using Okta
This tutorial describes how to enable automatic user provisioning and de-provisioning with Okta. Automatic user provisioning via the SCIM protocol is only available in the iGrafx cloud offering with the Process Design module. For more information on how the technology works, see this Okta document.
Prerequisites
The following items are required:
An Okta tenant
iGrafx Process Design module
SCIM secret token
SCIM tenant URL (pattern: https://scim.igrafxcloud.com/scim/v2/<YourTenant>, can be requested from our Service Desk)
Create your SCIM directory and secret token in iGrafx Process Design
The user performing these steps requires the Manage user directories server permission:
Log into iGrafx Process360 Live Process Design
Go to Administration → User Management → Directories
Click Add new directory
Enter a name for the directory
Select directory type: SCIM
Click Create directory
Write down your SCIM secret token for later use
Note: To generate a new token, click edit on the SCIM directory and then generate new token
Configure Okta for automatic user account provisioning to iGrafx:
Okta requires that user provisioning is paired with a SAML 2.0 or SWA app integration. If you already have a SAML integration set up, you can skip to Enabling provisioning.
Creating your app integration
In your Okta Admin Portal, navigate to Applications → Applications and click on Create App Integration
Select SAML 2.0 and click next
Fill out the General settings as applicable and click next
Configure your iGrafx Process360 Live SAML integration and click next
Optional: Fill out the Feedback section and click next
Enabling provisioning
Navigate to the General settings tab and enable Provisioning
Navigate to the new Provisioning tab and click edit and set the following:
SCIM connector base URL - use the SCIM tenant URL (https://scim.igrafxcloud.com/scim/v2/<YourTenant>)
Unique Identifier Field for users - userName
Supported provisioning actions - check all checkboxes except Import Groups
Authentication Mode - HTTP Header
Authorization - use the SCIM secret token
Two new tab sections should be visible now: To App and To Okta. Click To App
Edit the Provision to App settings and enable Create Users, Update User Attributes, and Deactivate Users
Optional: If you have created any users in iGrafx before enabling synchronization, you can import them now → Navigate to the Import tab → Click Import Now.
Okta will get a list of all existing users that are not assigned to the app integration. Select all the users you want to manage via Okta's automatic user provisioning.
Once the assignments are selected and confirmed, any users you have assigned to the application will now show up in the Assignments tab
To provision new users in the application: Navigate to the Assignments tab → Click Assign:
If Assign to People is selected, the selected user(s) will be provisioned to the application.
If Assign to Groups is selected, all users in the group will be provisioned to the application.
Note: If a user is removed from the group or explicitly removed from the application, their user will be disabled. Disabled users do not consume a license.
To provision groups and group membership:
Make sure the group is added in the Assignments tab
Navigate to the Push Groups tab and click on the Push Groups button:
If Find groups by name is selected, you can select groups directly by name
If Find groups by rule is selected, you can create a rule that will select groups automatically if they match the conditions
Once one or more groups have been selected to push, those groups will be created in the application and the users will be added as members
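A preflight check for the connector settings from Enabling provisioning, as an added example that is not iGrafx or Okta code: it validates the SCIM tenant URL against the documented pattern and builds the userName lookup that a SCIM client issues, so a wrong URL or token shows up before users are assigned. Assumptions: the token is sent as "Authorization: Bearer <token>", the service answers /Users with a standard RFC 7644 ListResponse, and the tenant name "acme" and user name are constructed samples.

```python
import json
import re
import urllib.parse
import urllib.request

# Documented pattern: https://scim.igrafxcloud.com/scim/v2/<YourTenant>
BASE_URL_RE = re.compile(r"https://scim\.igrafxcloud\.com/scim/v2/[^/?#\s<>]+")
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Constructed sample of an empty SCIM 2.0 result, for offline checks.
SAMPLE_BODY = json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 0, "Resources": []})


def build_preflight(base_url, token, user_name):
    """Build (but do not send) a lookup of one user by userName."""
    base_url = base_url.rstrip("/")
    # Rejects http://, other hosts, and an unreplaced <YourTenant> placeholder.
    if not BASE_URL_RE.fullmatch(base_url):
        raise ValueError("base URL does not match the documented tenant pattern")
    # A token pasted with a trailing newline or space fails authentication.
    if not token or token != token.strip():
        raise ValueError("token is empty or has surrounding whitespace")
    # userName is the Unique Identifier Field configured in Okta.
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    return urllib.request.Request(
        f"{base_url}/Users?{query}",
        headers={
            "Authorization": f"Bearer {token}",  # assumption: Bearer scheme
            "Accept": "application/scim+json",
        },
        method="GET",
    )


def check_list_response(body):
    """Return totalResults if body is a SCIM 2.0 ListResponse, else raise."""
    doc = json.loads(body)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    return int(doc["totalResults"])


def run(base_url, token, user_name):
    """Send the lookup; an HTTP 401 typically means the token was rejected."""
    req = build_preflight(base_url, token, user_name)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_list_response(resp.read())
```

Read the token from a secret store or an interactive prompt rather than a command-line argument, so it does not end up in shell history.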