Provisioning users from Okta with SCIM

Cezanne’s SCIM integration can be used to automatically provision and deactivate Cezanne user accounts for your employees directly from Okta.

At present the integration can only create user accounts for individuals who already have a person record in Cezanne; it does not create person records. In other words, the HR team is expected to set up the employee's person record in Cezanne before the IT team provisions the employee's user account in Okta.

You can choose to match the Okta user accounts to people based on internal or external email address, person code or employment ID.

Supported features

The Cezanne SCIM integration is able to:

  • Create new users in Cezanne from Okta
  • Update existing users* in Cezanne with attributes from Okta
  • Deactivate users in Cezanne from Okta

NOTE:

  • * Only the Username, Cezanne Role and Email properties can be updated. Other attributes sent by Okta on an update are ignored (see Known Issues / Troubleshooting below).

Requirements

Before proceeding, ensure that you meet the following requirements:

  • You use Okta as the IdP for your app.
  • You have an Okta developer account that has administrative privileges.
  • You have a Cezanne account that has the role of HR Professional.
  • Every person in your Okta directory who will be assigned the Cezanne app can be linked to a Cezanne person record: either by a matching email address, or by an employee number in Okta that matches the person code or employment ID in Cezanne.

Configuration Steps

IMPORTANT:

  • If you intend to use SAML single sign-on (SSO) with Okta, set up SSO first: the SCIM settings in Cezanne are linked to an identity provider that must already exist.

  1. Log in to Cezanne as an HR Professional user.
  2. Navigate to: Administration >> Integrations >> SCIM.
  3. Switch Enable SCIM Provisioning of Users in Cezanne to ON.
  4. Click the Generate button to generate a secret token. Treat this token like a password: Okta presents it as the bearer token on every SCIM request, so anyone holding it can create, update and deactivate users in your Cezanne tenant. Paste it into Okta only, and do not store it anywhere else.
  5. Use the Match User from Provider to Cezanne radio buttons to specify how provisioned user accounts should be linked to people records in Cezanne (internal email address, external email address, person code or employment ID).
  6. If you intend to use SSO:
    1. Switch Create SAML SSO Mappings to ON.
    2. Select the Identity Provider that corresponds to your Okta identity provider.
    3. Select ‘SCIM Username’ as the User Identifier.
  7. Save your changes.
  8. In a separate browser tab, log in to Okta as an administrator.
  9. Navigate to: Applications >> Browse App Catalog and search for the Cezanne app.
  10. Select the Provisioning tab, then Integration.
  11. Click the Configure API Integration button, then check Enable API Integration.
  12. Copy the tenant ID from the end of the SCIM URL shown in Cezanne into the Tenant ID field in Okta.
  13. Copy the newly generated Secret from Cezanne into the OAuth2 bearer token field in Okta.
  14. Test the connection in Okta and save.
  15. Select To App on the left-hand side and tick the boxes for the provisioning features you want Okta to perform (Create Users, Update User Attributes and Deactivate Users, corresponding to the Supported features listed above).
  16. Save your changes.
  17. You can now assign users to the Cezanne app in Okta and they will be provisioned in Cezanne.
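
Before assigning users to the Cezanne app in Okta, it is worth checking that every Okta user can be linked to exactly one Cezanne person record under the matching method you selected with the Match User from Provider to Cezanne radio buttons, and that the role names you intend to push exist in Cezanne under their original names (see Cezanne Role under Known Issues / Troubleshooting). The Python script below is an added example for this article and is not part of Cezanne's or Okta's own tooling. It assumes you have exported the Okta users assigned to the app and the Cezanne people records into the list-of-dict shapes shown; the field names and the sample records are constructed for the example, and treating a key shared by two person records as "ambiguous" is this script's own policy, not documented Cezanne behaviour.

```python
"""Pre-flight check before assigning Okta users to the Cezanne app.

Added example for this article, not Cezanne's or Okta's own code. It assumes
you have exported the Okta users assigned to the app and the Cezanne people
records (e.g. from CSV) into the list-of-dict shapes used below. The field
names (login, email, employee_number, cezanne_role, internal_email,
external_email, person_code, employment_id) are assumptions for this example.
"""
from collections import defaultdict

# The four "Match User from Provider to Cezanne" options, in the order the
# article lists them. Okta supplies the email address for methods 1 and 2
# and the Employee Number for methods 3 and 4.
MATCH_METHODS = {
    1: ("email", "internal_email"),
    2: ("email", "external_email"),
    3: ("employee_number", "person_code"),
    4: ("employee_number", "employment_id"),
}


def normalise(value):
    """Comparison key: trimmed and lower-cased; '' when the value is missing."""
    return (value or "").strip().lower()


def preflight(okta_users, cezanne_people, method, known_roles):
    """Classify each Okta user under the chosen matching method.

    Returns a dict of lists: ok (login, person id), unmatched (login),
    ambiguous (login, person ids), missing_key (login), bad_role (login, role).
    """
    okta_field, cezanne_field = MATCH_METHODS[method]

    # Index Cezanne people by the chosen key. Every id per key is kept so that
    # a key shared by two person records is reported as ambiguous rather than
    # silently matched to one of them (this script's own policy).
    index = defaultdict(list)
    for person in cezanne_people:
        key = normalise(person.get(cezanne_field))
        if key:
            index[key].append(person["id"])

    report = {"ok": [], "unmatched": [], "ambiguous": [],
              "missing_key": [], "bad_role": []}
    for user in okta_users:
        login = user["login"]
        key = normalise(user.get(okta_field))
        if not key:
            # Methods 3 and 4 need Employee Number populated at creation time.
            report["missing_key"].append(login)
        else:
            matches = index.get(key, [])
            if not matches:
                # No person record: SCIM will not create one for this user.
                report["unmatched"].append(login)
            elif len(matches) > 1:
                report["ambiguous"].append((login, matches))
            else:
                report["ok"].append((login, matches[0]))

        # Cezanne Role must equal a role's original (untranslated) name;
        # an exact string comparison is the safe assumption here.
        role = user.get("cezanne_role")
        if role not in known_roles:
            report["bad_role"].append((login, role))
    return report


def ready_to_assign(report):
    """True when every user matched exactly one person and has a valid role."""
    return not (report["unmatched"] or report["ambiguous"]
                or report["missing_key"] or report["bad_role"])


# Constructed sample data for the example (not real tenant data).
OKTA_USERS = [
    {"login": "a.khan@example.com", "email": "a.khan@example.com",
     "employee_number": "E1001", "cezanne_role": "Employee"},
    {"login": "b.ortiz@example.com", "email": "b.ortiz@example.com",
     "employee_number": "E1002", "cezanne_role": "HR Professional"},
    # Email differs from the Cezanne record and no employee number is set.
    {"login": "c.lee@example.com", "email": "clee@example.com",
     "employee_number": "", "cezanne_role": "Manager"},
    # Role given as a translated name, which Cezanne will not recognise.
    {"login": "d.nwosu@example.com", "email": "d.nwosu@example.com",
     "employee_number": "E1004", "cezanne_role": "Employé"},
]
CEZANNE_PEOPLE = [
    {"id": "P1", "internal_email": "A.Khan@example.com", "person_code": "E1001", "employment_id": "EMP-1"},
    {"id": "P2", "internal_email": "b.ortiz@example.com", "person_code": "E1002", "employment_id": "EMP-2"},
    {"id": "P3", "internal_email": "c.lee@example.com", "person_code": "E1003", "employment_id": "EMP-3"},
    {"id": "P4", "internal_email": "d.nwosu@example.com", "person_code": "E1004", "employment_id": "EMP-4"},
    # Second record sharing an email: ambiguous under method 1.
    {"id": "P5", "internal_email": "d.nwosu@example.com", "person_code": "E1005", "employment_id": "EMP-5"},
]
KNOWN_ROLES = {"Employee", "Manager", "HR Professional"}  # original role names

if __name__ == "__main__":
    for method in (1, 3):
        result = preflight(OKTA_USERS, CEZANNE_PEOPLE, method, KNOWN_ROLES)
        print(f"method {method}: ready={ready_to_assign(result)}")
        for bucket, entries in result.items():
            if entries:
                print(f"  {bucket}: {entries}")
```

Run the script against the exports for the matching method you selected; only assign users in Okta once every login lands in the ok bucket, because an unmatched user produces a failed provisioning attempt rather than a new person record, and a misspelled or translated role name will be rejected by Cezanne.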
Known Issues / Troubleshooting

Given Name / Family Name

These fields are required by Okta but are not used by Cezanne during user creation. Instead, the corresponding values are taken from the linked person record. Consequently, changes to these fields in Okta are not pushed to Cezanne; the name must be changed on the person record itself.

Employee Number

This field is only required at user creation, and only if matching method 3 or 4 (person code or employment ID) is in use. Otherwise it can be left blank. It cannot be updated after creation.

Cezanne Role

This must correspond to an existing Cezanne role, which can be a base role or a custom one. The name must match the original name given to the role, not a translated name.

User Provisioning with SAML Mappings

The SAML mappings are optionally configured on the Cezanne SCIM settings page and are associated with a new user account when it is created. Updates pushed from Okta leave these mappings unchanged; to change them, edit them manually in Cezanne.