Auto-User Provisioning via Okta API

User auto-provisioning integrates an external user directory with your Axis Cloud. Through Continuous Policy Enforcement, if policy criteria change during a session (for example, restricting access to an IP range that does not include a user's current IP address), the new policy is enforced in real time and the user’s connection is blocked.

Before you begin, you must configure Okta as an Identity Provider.

Choosing the User Provisioning Method

The following auto-provisioning methods are available:

  • SCIM (Recommended): Use SCIM, a standard protocol for provisioning users and groups, to push your directory changes into Axis. To learn more about user provisioning with Okta Custom SCIM, click User Provisioning with Axis Security Application in Okta.
  • Okta API: Use Okta API integration to enable user auto-provisioning through the Okta API without using SCIM. The Okta API integration pulls directory changes at an interval determined by Axis Security, so changes to users or permissions take effect only after the next scheduled information pull.

The Okta API is an alternative to SCIM that does not require additional licenses. If you do not have an Okta Lifecycle Management license, use the Okta API.

📘

Note:

Axis Support configures the provisioning frequency based on the amount of data provisioned and the directory size.

Prerequisites

  • An Okta IdP deployment. Click Okta Integration to learn more about creating an Okta IdP integration. 
  • Okta IdP integration with SCIM disabled. To disable SCIM, refer to the Troubleshooting section at the end of this article. 

Step 1: Editing the Axis Application User Profile in Okta

To create an Okta API integration, ensure that the Axis Application user profile includes the following attributes:

  • Display Name
  • First Name
  • Last Name
  • Department
  • Division
  • Email

To view and edit the Axis Application user profile in Okta: 

  1. In the Okta Admin Console, navigate to Directory -> Profile Editor
  2. Under Users, select your Axis application user profile (the name format is “ User”). 

The Profile Editor window appears.

  3. In the Axis application screen in the Profile Editor, select Add Attribute to create a new attribute.
  4. Create the following attributes, and for each attribute select User personal:

| Display Name | Variable Name | Attribute Length | Required | Scope |
|---|---|---|---|---|
| Display name | displayName | Between 1 and 50 | Yes | User personal |
| First name | givenName | Between 1 and 50 | No | User personal |
| Last name | familyName | Between 1 and 50 | No | User personal |
| Department | department | Between 1 and 50 | No | User personal |
| Division | division | Between 1 and 50 | No | User personal |
| Email | email | Between 1 and 50 | No | User personal |

  5. Click Save.
  6. Go to Directory -> Profile Editor -> -> Mappings -> Configure User mappings.
  7. In the User Profile Mapping screen, click to Okta User.
  8. Map the following user profile attributes (from Axis to Okta) using these expressions:

| Attribute | Expression |
|---|---|
| firstName | appuser.givenName |
| lastName | appuser.familyName |
| email | appuser.email |
| displayName | appuser.displayName |
| division | appuser.division |
| department | appuser.department |

  9. Click Save Mappings.
  10. In the User Profile Mapping screen, click Okta User to .
  11. Click the User Mapping drop-down menu next to the attribute and select Apply mapping on user create and update.
  12. Map the following attributes (from Okta to Axis) using these expressions:

| Attribute | Expression |
|---|---|
| displayName | (user.displayName != null && user.displayName != '') ? user.displayName : String.append(user.firstName, " " + user.lastName) |
| givenName | user.firstName |
| familyName | user.lastName |
| department | user.department |
| division | user.division |
| email | user.email |

  13. Click Save Mappings.
  14. Click Apply update now.
  15. Next step: Create a Read Only Administrator in Okta.

Step 2: Creating a Read Only Administrator in Okta

The API token receives the same permissions as the administrator who created it. Therefore, we recommend creating a read only administrator.

  1. In the Okta Admin Console, select Security -> Administrators.
  2. Click Add Administrator.

The Add Administrators dialog opens.

  3. Select Read Only Administrator.
  4. Click Add Administrator.
  5. Log out and log in to Okta as the Read Only Administrator.
  6. Next step: Get the application ID in Okta.

Step 3: Getting the Application ID in Okta

  1. Go to the Axis Security application in Okta.
  2. Copy the application ID from the URL.
  3. Paste the application ID in a text editor. You will use it to create the API integration in Axis Security in Step 5: Integrating the Okta API into Axis.
  4. Next step: Create a new token in Okta.

Step 4: Creating a New Token in Okta

  1. In the Okta Admin Console, navigate to Security -> API.
  2. Click Create Token.

The Create Token dialog appears.

  3. Add a name for the token.
  4. Click Create Token.
  5. Click the Copy to clipboard icon to the right of the token value.
  6. Click OK, got it.
  7. Paste the token value in a text editor. You will use it to create the API integration in Axis Security in Step 5: Integrating the Okta API into Axis.
  8. Next step: Integrate Okta API into Axis Security.

Step 5: Integrating the Okta API into Axis

  1. In the Management Console, go to Settings -> Partner Integrations.
  2. Click New Integration.
  3. Select Okta API.
  4. Enter a name that identifies the integration and a description (optional).

Integration Configuration

  1. Click the Identity Provider drop-down menu and select the Okta IdP instance with the users that you want to auto-provision.
  2. Enter the Application ID obtained in step 3.
  3. Enter the API Token value obtained in step 4.
  4. Click Submit.
  5. Push changes by clicking Apply Changes, Review your changes, and then Commit Changes. Note: The integration will not take effect until you push changes.
  6. Next step: Check the integration.

Step 6: Checking the Integration

To check if the integration is working:

  1. Go to Settings -> Partner Integrations.
  2. Next to the Okta integration, view Status and Last sync time.

📘

Note:

For troubleshooting integration sync issues, refer to the Troubleshooting section at the end.

Troubleshooting the Okta API Integration

Q: Why can’t I deploy the Okta API integration?

A1: There is no Okta IdP configured for the tenant

Check the Axis Management Console to see if an Okta IdP is configured for the tenant:

  1. In the Management Console, navigate to Settings -> Identity Providers.
  2. In the Identity Providers screen check whether there is an Okta IdP.
  3. If there is no Okta IdP configured, follow the steps described here to create an Okta IdP.

📘

Note:

Make sure not to enable SCIM.

A2: SCIM is enabled

To integrate an Okta API, SCIM must be disabled in the Okta IdP.
You can see whether SCIM is enabled in the Identity Providers window, under User Auto-Provisioning.

To disable SCIM by revoking the Auto-Provisioning Token:

  1. In the Management Console, navigate to Settings -> Identity Providers.
  2. Next to the Okta IdP for which you wish to provision users, click Edit.
  3. In the Edit Identity Provider window navigate to Service provider metadata.
  4. Under User Auto-Provisioning (SCIM) click Revoke Auto-Provisioning Token.
  5. Click Ok.

A3: An Okta API integration is already configured for your tenant
Each tenant can have only one Okta API integration.
To view your tenant's integrations:

  1. In the Management Console, go to Settings -> Partner Integrations.
  2. Check whether there is an existing Okta API integration.

Q: Why are the Okta and Axis directories not syncing?

The Partner Integrations table provides the following sync status information:

| Status | Description |
|---|---|
| Synced | Integration has synced successfully |
| Sync in progress | Integration is currently syncing |
| Pending initial sync | Integration has not synced yet |
| Not synced | Integration has not synced recently; there may be a temporary sync issue. Indicates the time since the last successful sync. |

A1: This Okta domain is already provisioning users to Axis
If the Okta domain is already configured to provision users using the Okta API in any tenant in Axis, it will not sync through the new integration.

A2: Changes have not been pulled yet
The Okta API syncs changes to identities by pulling information from Okta at set intervals. You can check when the last sync occurred by following the instructions in Step 6: Checking the Integration.

Contact Axis Support: [email protected] for information about your sync intervals.

A3: Problems with attribute mapping
Invalid attribute mapping can be the cause of problems syncing changes. Follow the instructions in Step 1: Editing the Axis Application User Profile in Okta to make sure attributes were entered and mapped correctly.
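
The following Python check is an added example, not Axis or Okta code. It models the Okta-to-Axis mapping expressions and the attribute rules from Step 1 so that exported Okta user records can be checked for mapping problems before the next sync. The user dictionaries, the logins, the treatment of a missing attribute as an empty string, and the whitespace-only check are assumptions made for illustration.

```python
# Added example with constructed data; not Axis or Okta code.
# (variable name, required) pairs copied from the Step 1 attribute table.
RULES = [("displayName", True), ("givenName", False), ("familyName", False),
         ("department", False), ("division", False), ("email", False)]
MIN_LEN, MAX_LEN = 1, 50  # "Between 1 and 50" in the same table
# Okta-to-Axis mappings that copy one attribute: app attribute -> Okta attribute.
DIRECT = {"givenName": "firstName", "familyName": "lastName",
          "department": "department", "division": "division", "email": "email"}


def map_okta_to_app(user):
    """Model the Step 1 Okta-to-Axis expressions on one Okta user dict."""
    mapped = {app: user.get(okta) for app, okta in DIRECT.items()}
    display = user.get("displayName")
    if display is None or display == "":
        # String.append(user.firstName, " " + user.lastName); assumption:
        # a missing name behaves like an empty string here.
        display = (user.get("firstName") or "") + " " + (user.get("lastName") or "")
    mapped["displayName"] = display
    return mapped


def validate_app_user(profile):
    """Return the problems found in one mapped app-user profile."""
    problems = []
    for name, required in RULES:
        value = profile.get(name)
        if value is None or value == "":
            if required:
                problems.append(f"{name}: required attribute is empty")
        elif not MIN_LEN <= len(value) <= MAX_LEN:
            problems.append(f"{name}: length {len(value)} outside {MIN_LEN}-{MAX_LEN}")
        elif not value.strip():  # extra check, not a rule stated on the page
            problems.append(f"{name}: whitespace only")
    return problems


def audit(users):
    """Map every Okta user; return {login: problems} for those that fail."""
    results = {u["login"]: validate_app_user(map_okta_to_app(u)) for u in users}
    return {login: found for login, found in results.items() if found}


# Constructed sample users (hypothetical logins and values).
SAMPLE_USERS = [
    {"login": "a.ok", "displayName": "", "firstName": "Ada", "lastName": "Ok"},
    {"login": "b.blank"},  # no names at all: displayName falls back to " "
    {"login": "c.long", "displayName": "C", "department": "D" * 51},
]
```

Calling audit(SAMPLE_USERS) reports only the users whose mapped profile breaks a rule; a user with an empty displayName but valid first and last names passes because of the fallback expression.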

A4: Invalid Application ID or token

  1. Follow the instructions in Step 3: Getting the Application ID in Okta to ensure the application ID was copied correctly and Step 4: Creating a New Token in Okta to generate a new token.
  2. Check to see if there is an active token from Axis.
  3. If there is no token, delete the integration and create a new one.