# Configure SCIM in Okta
Workato supports the SCIM 2.0 protocol with the Okta identity provider:
- SCIM handles user lifecycle management (create, update, deactivate).
- SAML handles roles and group assignments (environment roles and collaborator groups).
HYBRID MODEL
Workato's new permission model integration with Okta uses a hybrid approach:
- SCIM provisions and revokes users.
- SAML manages environment roles and collaborator group memberships.
This model ensures role assignments are always evaluated dynamically at login.
# Prerequisites
- Your organization must have the Data Monitoring/Advanced Security & Compliance capability.
- You must have SAML SSO successfully set up with your identity provider.
- You must have already configured SCIM in Workato.
# Configure SCIM
Log in to your Okta admin dashboard.
If you have already configured your Workato SAML app on Okta, locate the Workato SAML Application, and navigate there.
If you have not configured your Workato SAML app on Okta yet, create a new SAML 2.0 app before proceeding.
In the General tab, under App Settings, find the Provisioning field.
Select Enable SCIM Provisioning, and Save.
Enable SCIM provisioning
You can now see the new Provisioning tab on Okta.
In the SCIM Connection interface, specify the following:
- SCIM connector base URL
  - This is the Base URL of the Workato SCIM API endpoint that you copied when configuring SCIM in Workato.
  - In this example, we use `https://workato.com/scim/v2`.
- Unique identifier field for users
  - This is how we identify users both in Workato and in Okta.
  - Here, we set the `userName` in Okta to contain the user's email.
- Supported provisioning actions
  - Select the following actions:
    - Import New Users and Profile Updates
    - Push New Users
    - Push Profile Updates
- Authentication Mode
  - Select HTTP Header.
- Authorization
  - Set the Bearer field by pasting the SCIM token you copied when configuring SCIM in Workato.
SCIM setup details
Configure attribute mappings. Keep mappings minimal and map only the following core attributes:
- `user.email`: `userName`
- `user.status == "ACTIVE"`: `active`
- `user.email`: `emails[primary eq "true"].value`
We recommend mapping environment role attributes (`workato_role`, `workato_role_test`, `workato_role_prod`) through SCIM and managing collaborator groups (`workato_user_groups`) through SAML. This enables you to provision and deprovision users while enabling dynamic group assignment through group memberships during SAML authentication.
Click Test Connector Configuration to determine if your setup is correct.
When the test runs successfully, Okta displays the status of the connection and the supported SCIM provisioning actions.
Successful SCIM setup in Okta
# Provision users
If you already assigned users to your Workato application for SAML SSO, you can trigger a provisioning job to sync your existing users between Okta and Workato. This ensures that you don't unintentionally create duplicate accounts on your Workato workspace.
Users provisioned through SCIM exist in Workato immediately, but they don’t receive roles or collaborator group memberships until they log in through SAML.
In the Assignments interface, Okta denotes the users that existed before you configured SCIM with a red exclamation mark icon.
Existing users are not provisioned by SCIM
Click Provision User to sync users. Okta displays a notification that it will provision the user to Workato.
Click OK.
Confirm provisioning
Go to Groups > Application > Assign Workato.
Configure groups
Assign the Workato application to individuals or groups in Okta for new users. SCIM provisions the account in Workato, while environment roles and collaborator group memberships are evaluated dynamically through SAML at login.
Workato sends an email invitation to provisioned users. Instruct them to click the link in the email to verify their email address.
Email invitation to join a workspace
After verification, users can sign in with the environment roles and collaborator groups assigned through SAML.
TROUBLESHOOTING
If clicking on the invitation email redirects you to the Workato login page instead of your organization’s workspace, it is likely that you already have a Workato account associated with the same email. If you have forgotten your login credentials, reset your password.
You can check the Workato activity audit log to confirm the addition of the user:
Activity audit log showing that a user has accepted an invitation
# Convert user assignments to group assignments
If you previously assigned users directly to the Workato application, you can convert them to group-based assignments. Group assignments ensure environment roles and collaborator groups are evaluated dynamically through SAML at login.
Go to Applications > Workato > Assignments and go to the Workato application.
Select Convert Assignments.
Convert assignments from user to group
Select the individual user that you plan to convert from user to group management in the Select assignments to convert interface.
Select the user to convert to group management
Click Convert selected.
Okta displays a successful conversion message when the conversion completes. The user is now managed through group assignment. Environment roles and collaborator group memberships apply dynamically through SAML at login.
# Update users
SCIM provisions lifecycle changes such as user profile updates, status changes, or deactivation. Environment roles and collaborator group memberships are managed through SAML and take effect the next time the user signs in.
Update user attributes such as email, display name, or status, and click Save. This action triggers a user update call to Workato through SCIM and immediately updates the user in Workato.
Click Save. This action triggers a user update call to Workato through SCIM.
To verify new members on Workato after provisioning them through SCIM, you can check the collaborators team list.
You can also examine the activity-audit logs dashboard.
We denote changes made through SCIM as `scim_auto_sync`.
# Deprovision users
You can deprovision users directly in the Okta admin dashboard.
In Okta, a deprovisioning event can be any of the following actions:
- User suspension
- User deactivation
- App access removed
In Workato, a user is deprovisioned from your Workato workspace in any of the following scenarios:
- User is suspended in Okta
- User is deactivated in Okta
- Workato app is removed from the user
In all these situations, the user cannot access the Workato workspace. The user’s recipes and connections remain available to the rest of the team.
The user may be re-provisioned from Okta at a later time, and would retain their earlier privileges.
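To confirm that deprovisioning events actually took effect, you can reconcile Okta's view of each user against the user records in Workato. The following is an added example, not Workato or Okta code: it applies the `user.status == "ACTIVE"` to `active` mapping from this page and the three deprovisioning events listed above to constructed sample records, and reports accounts that drifted, including the duplicate-account case. The record layouts and the `find_drift` and `expected_active` names are assumptions made for illustration.

```python
# Added example: all records are constructed sample data, not real API output.
OKTA_USERS = [  # hypothetical export: profile email, status, app assignment
    {"email": "ana@example.com", "status": "ACTIVE", "assigned": True},
    {"email": "bo@example.com", "status": "SUSPENDED", "assigned": True},
    {"email": "cy@example.com", "status": "ACTIVE", "assigned": False},
    {"email": "di@example.com", "status": "ACTIVE", "assigned": True},
]
SCIM_USERS = [  # hypothetical SCIM 2.0 User resources listed from Workato
    {"userName": "ana@example.com", "active": True},
    {"userName": "Ana@example.com", "active": True},
    {"userName": "bo@example.com", "active": True},
    {"userName": "cy@example.com", "active": False},
]


def expected_active(okta_user):
    """Page mapping: active = (user.status == "ACTIVE"); removing the app
    assignment is also a deprovisioning event."""
    return okta_user["status"] == "ACTIVE" and okta_user["assigned"]


def find_drift(okta_users, scim_users):
    """Return sorted (userName, issue) pairs where Workato disagrees with Okta."""
    # userName carries the email, so compare case-insensitively on it.
    expected = {u["email"].lower(): expected_active(u) for u in okta_users}
    findings, seen = [], set()
    for rec in scim_users:
        key = rec["userName"].lower()
        if key in seen:
            findings.append((rec["userName"], "duplicate account"))
            continue
        seen.add(key)
        if key not in expected:
            if rec["active"]:
                findings.append((rec["userName"], "active but not in Okta"))
        elif rec["active"] and not expected[key]:
            findings.append((rec["userName"], "active after deprovisioning event"))
        elif expected[key] and not rec["active"]:
            findings.append((rec["userName"], "inactive but assigned in Okta"))
    for u in okta_users:
        if expected_active(u) and u["email"].lower() not in seen:
            findings.append((u["email"], "not provisioned"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in find_drift(OKTA_USERS, SCIM_USERS):
        print(f"{user}: {issue}")
```

An "active after deprovisioning event" finding is the one to act on first, since that account can still reach the workspace after Okta considers it removed.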
# Disable SCIM
To disable SCIM, follow these steps in Okta. Alternatively, you can disable SCIM in Workato.
In Okta, find the Workato application.
Navigate to General.
Disable SCIM by unselecting the Enable SCIM provisioning option, and then Confirm your action.
This action breaks your SCIM connection. User data cannot be synced between Okta and Workato.
Last updated: 10/7/2025, 3:50:03 PM