You can integrate OneTrust with Okta for System for Cross-Domain Identity Management (SCIM) User & Group Provisioning. OneTrust supports cross-domain identity management through the SCIM 2.0 specification. SCIM is an open specification to help facilitate the automated management of user identities and groups in cloud applications using RESTful APIs. This allows organizations to manage and update user information and group information across domains and applications.
Note
OneTrust offers technical documentation about SCIM User Provisioning APIs within the OneTrust Developer Portal. For more information, see User Provisioning.
Step 1: Create a Web Application in Okta
The first step to configuring OneTrust with Okta for SCIM User & Group Provisioning is to add a web application with SCIM Provisioning enabled. For more information, you can reference Okta's How to Enable SCIM Provisioning in Custom App article.
If your organization has already configured OneTrust with Okta for Single Sign-On (SSO) Authentication, you can use the same web application that you previously created. Simply locate your existing web application and enable user provisioning in that created application.
Step 2: Configure a Default Organization and Role in the OneTrust Application
Now that your web application is created in Okta, you will need to configure the default organization and role that you want users to be provisioned with in the OneTrust application. Users who are provisioned through SCIM will then be given this role and assigned to this organization by default.
Note
On the User Provisioning screen, you will also find the SCIM Base URL. You will need to copy this URL for use in Step 4: Set Up the SCIM Connection in Okta.
Click the gear icon in the upper right-hand corner to access Global Settings.
On the Global Settings menu, select User Management > User Provisioning. The User Provisioning screen appears.
In the Organization field, select the default organizational group to which users should be assigned on creation through SCIM.
In the Role field, select the default role to which users should be assigned on creation through SCIM.
Note
OneTrust recommends selecting a default role that has the minimum level of permissions that you want to grant users by default, such as Project Viewer or Project Owner. The Employee role should only be granted to users accessing the Employee Portal.
Click the Save button.
Step 3: Generate an OAuth 2.0 API Key with the SCIM Scope
Next, you'll create an OAuth 2.0 API Key for Okta with the SCIM scope. This API Key is the Authorization Token that needs to be used in Okta for SCIM integration with OneTrust.
Note
Alternatively, you can generate an OAuth 2.0 access token instead by creating Client Credentials. For more information, see Managing OAuth 2.0 Client Credentials.
Click the gear icon in the upper right-hand corner to access Global Settings.
On the Global Settings menu, select Access Management > Client Credentials. The Credentials screen appears.
The value that you select in the API Key Lifetime field will determine how long the API key will be active before another API key must be created to continue provisioning users through SCIM.
Click the Create button. The API Key Created section appears.
In the Download API Key field, click the Download button. A .txt file containing the OAuth 2.0 API Key will download to your local system.
Save the OAuth 2.0 API Key to a secure location.
Step 4: Set Up the SCIM Connection in Okta
Once you've gathered the SCIM Base URL and the OAuth 2.0 API Key, you can add these credentials in Okta. Once added and saved, you will then be able to configure the Attribute Mapping in Okta that will be used to provision users in the OneTrust application.
Note
The following steps reference the name of the web application created in Okta. Naming of these sections will vary based on the name of your Okta web application.
Navigate back to the web application you created in Okta. The Assignments tab appears.
Navigate to the General tab, and select the Edit button within the App Settings section.
In the Provisioning field, select SCIM.
Click the Save button. The Provisioning tab appears.
Navigate to the Provisioning tab. Integration will be selected on the Settings pane by default.
In the SCIM Connection section, click the Edit button. Configure the following fields. For more information, you can find a detailed description of the entries required for each field in the following table.
Field
Description
SCIM version
2.0 is selected by default and cannot be changed.
SCIM connector base URL
Within the OneTrust application, click the Copy URL button in the SCIM Base URL field on the User Provisioning screen. Navigate back to the Integration > SCIM Connection section in Okta and paste the copied URL in the SCIM connector base URL field.
Unique identifier field for users
Enter email.
Supported provisioning actions
Select the check boxes corresponding to the provisioning actions you want to apply:
Import New Users and Profile Updates
Push New Users
Push Profile Updates
Push Groups
Import Groups
Authentication Mode
OneTrust recommends selecting HTTP Header.
Authorization
Copy the OAuth 2.0 API Key that you created and saved in Step 3: Generate an OAuth 2.0 API Key with the SCIM Scope. Navigate back to the Integration > SCIM Connection in Okta and paste the OAuth 2.0 API Key in the Authorization field.
Note
If you created Client Credentials, you would paste the respective OAuth 2.0 access token in this field.
Test Connector Configuration
Once you've completed the above fields, click the Test Connector Configuration button.
Click the Save button.
Step 5: Configure SCIM Attributes in Okta
After your connection has been successfully established, the To App and To Okta options will appear in the Settings pane on the Provisioning tab. You can then begin configuring the SCIM attributes between Okta and the web application you created.
On the Provisioning tab in Okta, select To App on the Settings pane.
In the Provisioning to App section, click the Edit button.
Select the Enable check box for Create Users, Update User Attributes, and Deactivate Users. Ensure that the Sync Password check box is not selected.
Click the Save button.
Scroll down to the Attribute Mappings section, and click the Go to Profile Editor button. The Profile Editor screen appears.
On the Profile Editor screen, click the Mappings button. The User Profile Mappings modal appears. Then select Web Application to Okta User.
Note
"Web Application" will be the name of the application that you created in Okta. In this example, the tab is named OneTrust SSO to Okta User.
On the User Profile Mappings modal, you will need to unmap and delete certain attributes that are not supported by OneTrust on both the Web Application to Okta User and Okta User to Web Application tabs.
The following are mandatory attributes supported by OneTrust:
givenName
familyName
email
emailType
Note
This attribute should have the type "work" in Okta.
In addition, OneTrust also supports the following optional attributes:
title
employeeNumber
division
department
officeLocation
businessUnit
userType
On the Web Application to Okta User tab, click the Map icon for the attributes that are not supported by OneTrust and select Do not map on the menu that appears.
Repeat this step to remove the mapping for every attribute not supported by OneTrust.
Once all unsupported attributes are unmapped, click the Save Mappings button, and click the Apply Updates Now button. Then, select Okta User to Web Application.
Note
"Web Application" will be the name of the application that you created in Okta. In this example, the tab is named Okta User to OneTrust SSO.
On the Okta User to Web Application tab, click the Map icon for the attributes not supported by OneTrust and select Do not map on the menu that appears.
Repeat this step to remove the mapping for every attribute not supported by OneTrust. In addition, you will need to unmap the userType attribute.
Once all unsupported attributes are unmapped, click the Save Mappings button, and click the Apply Updates Now button.
In the Attributes section on the Profile Editor screen, click the X icon for every attribute not supported by OneTrust.
Note
The userType attribute should be unmapped but should not be deleted from the Attributes section. To add the custom attributes businessUnit and officeLocation, proceed to step 13.
To add custom attributes, click the Add Attribute button and complete the fields as detailed in the table below. The remaining fields can be left blank.
Field
Description
Display name
Enter businessUnit or officeLocation.
Variable name
Enter businessUnit or officeLocation.
External name
Enter businessUnit or officeLocation.
External namespace
Enter urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.
Scope
Select the User personal check box.
Click the Save button. The custom attribute appears within the Attributes section.
Navigate back to the web application and select the Provisioning tab. Then scroll down to the Attribute Mappings section to verify the configuration. Your configuration should match the image below.
Things to Know
In OneTrust, the userName and email attributes are the same. OneTrust recommends using the same values for these attributes in Okta.
For the userType attribute, expected values are either Internal or External. This attribute will determine whether users are provisioned as either internal or external users in the OneTrust application.
In general, Internal might refer to your organization's employees and External might refer to your organizations' contract and other temporary employees.
Step 6: Test the Configuration
After completing the SCIM integration with Okta in step 5, you can then begin testing the configuration to ensure that users and groups are successfully provisioned.
User Provisioning
To verify that users are correctly provisioned or deprovisioned in the OneTrust application, you'll assign users within Okta, provision a user, deprovision a user, and confirm the changes are reflected in the OneTrust application.
Note
All new users added to the OneTrust application through SCIM will be sent a Welcome email with a link to access the application.
To disable sending the Welcome email to new users that will use Single Sign-On (SSO) to log in to the application, disable the Welcome Email (Directory User) template.
For more information on disabling email templates, see the To disable an email template procedure in Emails: Branding & Templates.
Provision Users
In Okta, navigate back to the web application you created. The Assignments tab appears.
Click the Assign button, and select Assign to People. The Assign to People modal appears.
Click the Assign button next to the name of the user you wish to assign. Additional fields appear with certain values that may automatically populate based on the user's existing profile within Okta.
Note
If the userType attribute is configured, enter either Internal or External in the User type field. This attribute will determine whether users are provisioned as either internal or external users in the OneTrust application.
Click the Save and Go Back button.
Click the Done button. The user(s) will then appear on the Assignments tab under the People filter.
Confirm User Provisioning
Now that you've provisioned a user, you can navigate to the Users screen in the OneTrust application to confirm that the user was successfully provisioned.
Click the gear icon in the upper right-hand corner to access Global Settings.
On the Global Settings menu, select User Management > Users. The Users screen appears, where you should be able to locate the user your provisioned.
Click the link in the Name column for the user you provisioned. The User Information tab on the Users screen appears.
Navigate to the User Activity tab, where you can find the record indicating that the user was created through SCIM.
Deprovision Users
Users that are deactivated or deleted in Okta would be deactivated in the OneTrust application. Users who are unassigned from the Okta SCIM web application will also be deactivated in the OneTrust application.
In Okta, navigate back to the web application you created. The Assignments tab appears.
Click the X icon for the user you want to deprovision. The Unassign User modal appears.
Click the OK button. The user is removed from the Assignments list, and the changes will be reflected within the OneTrust application.
Group Provisioning
To verify that groups are correctly provisioned or deprovisioned in the OneTrust application, you'll assign groups within Okta, provision a group, deprovision a group, and confirm the changes are reflected in the OneTrust application.
Provision Groups
In Okta, navigate to the web application you created and select the Push Groups tab.
Click the Push Groups button and select Find groups by name. The Enter a group to push field appears.
In the Enter a group to push field, enter the name of the group you want to provision within the OneTrust application. A list appears, where you can select the desired group.
Note
The Push group memberships immediately check box can be selected if you'd like to automatically provision group members within the application upon saving the configuration.
Once you've selected the desired group, click the Save button. The group appears on the Push Groups list.
Note
The assigned groups may or may not have members. If members do exist in the group, they will be provisioned within the application.
Confirm Group Provisioning
Now that you've provisioned a group, you can navigate to the User Groups screen in the OneTrust application to confirm that the user group was successfully provisioned.
Click the gear icon in the upper right-hand corner to access Global Settings.
On the Global Settings menu, select User Management > User Groups. The User Groups screen appears, where you should be able to locate the user group you provisioned. Since the group we provisioned had one member, that user is listed as a member of this user group.
Click the link in the Group Name column for the user group you provisioned. The Users tab on the User Group Details screen appears, where you can see the list of users provisioned as part of that user group.
You can also view the user groups in which a user is a member within the user record. On the Global Settings menu, select User Management > Users. On the Users screen, click the link in the Name column for one of the users provisioned as part of the user group. The User Information tab on the Users screen appears.
Navigate to the User Groups tab, where you can see a list of user groups in which the user is a member.
Deprovision Groups
Groups that are deleted in Okta will be deleted in the OneTrust application.
In Okta, navigate to the web application you created and select the Push Groups tab.
Click the arrow next to Active in the Push Status column and select Unlink pushed group. The Unlink Pushed Group modal appears.
Select the Delete the group in the target app (recommended) option.
Click the Unlink button. The group is removed from the Push Groups list in Okta and will no longer appear on the User Groups screen within the OneTrust application.
