SCIM configuration guide for Okta

What steps are needed to publish Trint as an application in my Okta organization?

Configure user provisioning with Okta


If your organization uses Okta to manage your employees’ access to tools and services, you can take advantage of Okta’s “Provisioning” feature to automatically grant access to Trint to your users, and even optionally synchronize membership in selected Okta Groups with Trint Teams.

The integration between Okta and Trint that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Okta works with SCIM, please see this article.

The remainder of this guide is focused on enabling you to configure both Trint and Okta to get provisioning up and running for your organization.

Features

The following provisioning features are supported by Trint at present:

  • Push Users: Users in Okta that are assigned to the Trint application in Okta are automatically added as members to your organization in Trint.
  • Import Users: Users created in Trint can be imported into Okta and either matched against existing Okta users or created as new Okta users.
  • Deactivate/reactivate users
  • Update user attributes
  • Import Groups: Import Teams from Trint as Groups in Okta.
  • Push Groups: Groups and their members in Okta can be pushed to Trint (as Trint teams and team members).
  • Update Group names and members

NOTE: When assigning users to groups within Okta (referred to as Teams within Trint), Okta will be treated as authoritative. If a group is unlinked from Trint and another group is linked to the existing group in Trint, the following will happen:

  • The Trint Team will be renamed to match the new group.
  • Users in the Trint Team who are not in the new group will be removed from the Trint Team. The user accounts will remain in Trint, but will not be assigned to any particular Team.
  • Users in the new group will be added to the Trint Team, creating user accounts if necessary.

Requirements

  • You must have a Trint account with an Enterprise subscription
  • SSO must be set up for Trint (can be configured alongside SCIM Provisioning)
  • You must be the Trint account owner to authorize user provisioning

Configuration instructions

  1. Log in to your Okta tenant with a user that has the Okta Application Administrator (All Apps) and Organization Administrator roles.
  2. Add the Trint application by browsing the App Catalog and searching for Trint.
  3. Choose to Add Integration, update the integration name if necessary and click Done.
  4. Assign the Okta user who will perform the role of the Trint account owner to the application. Then, make that user an Application Administrator for the new Trint application.
  5. The remaining steps should be performed by the Trint account owner with the Application Administrator (Trint) role. Log in and navigate to the Applications list, then select the Trint application.
  6. To configure SAML SSO Sign-on, go to the Sign-on tab. In the SAML 2.0 panel, expand the More Details option.
  7. Copy the Sign on URL and download the Signing Certificate. Send these to your Trint customer support manager, and request an SSO Connection Id. Optionally, you can provide the Metadata URL.
  8. Once you have the Connection Id, click Edit on the Sign-on tab. Scroll down to the Advanced Sign-on Settings section and enter the Connection Id. In the Credentials Details section, set the fields to “Email” and “Create and update”.
  9. To enable SCIM Provisioning, click Configure API integration on the Provisioning tab.
  10. Check the Enable API integration checkbox, then click the Authenticate with Trint button.
  11. Authenticate with Trint using your organization owner account, logging in with your SSO account. Then give consent for Okta to act on your behalf.
  12. Okta will test the integration. When it succeeds, select Save.
  13. Select To App under Settings.
  14. Select Edit and check the Enable checkboxes for the options you’d like to have.

Known Issues/Limitations

  • Okta allows the login email address of a user to be changed. If the application user assignment is edited and the username changed, Okta will disable the user account in Trint and create a brand new user account with the new username. This is expected behavior for Okta. We recommend that you do not use this feature due to the following implications:
    • The user will lose access to any content created with, or shared with, the original account.
    • The user will lose any permissions that they previously had. They will need to be re-assigned by a user with appropriate permissions in Trint.
    • It will not be possible to change the user back to the original username.

    If this has been done by accident, you may raise a support ticket with Trint at support@trint.com.

  • Presently, Trint does not support the following Okta provisioning features, but may in the future:
    • Sync password
    • Profile sourcing
    • Remove users. Removing users (as opposed to deactivating them) is supported by Trint, but not by Okta.

  • Users are only permitted to be a member of one Team in Trint at a time.
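
An added example, not part of Trint's or Okta's documentation or code: a dry-run that models the group relink behavior from the NOTE under Features and flags incoming users who would collide with the one-Team-per-user limit above. The function and field names, case-insensitive email matching and the sample data are assumptions; this guide does not say how Trint resolves a flagged conflict.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class RelinkPlan:
    rename_to: Optional[str]   # new Team name, None if unchanged
    removed: List[str]         # keep their account, end up in no Team
    added: List[str]           # existing accounts joining the Team
    created: List[str]         # accounts that provisioning would create
    conflicts: Dict[str, str]  # user -> other Team they already belong to


def _norm(emails) -> Set[str]:
    # Assumption: login emails are compared case-insensitively.
    return {e.strip().lower() for e in emails}


def plan_relink(team_name, team_members, group_name, group_members,
                trint_accounts, other_teams) -> RelinkPlan:
    """Model the relink outcome from the NOTE (Okta is authoritative)."""
    team, group = _norm(team_members), _norm(group_members)
    accounts = _norm(trint_accounts)
    incoming = group - team
    # One Team per user: incoming users already in another Team need review.
    conflicts: Dict[str, str] = {}
    for other, members in sorted(other_teams.items()):
        for user in sorted(incoming & _norm(members)):
            conflicts.setdefault(user, other)
    return RelinkPlan(
        rename_to=group_name if group_name != team_name else None,
        removed=sorted(team - group),
        added=sorted(incoming & accounts),
        created=sorted(incoming - accounts),
        conflicts=conflicts,
    )


# Constructed sample data, not taken from a real tenant.
SAMPLE = plan_relink(
    team_name="Newsroom",
    team_members={"ana@example.com", "bo@example.com"},
    group_name="Editorial",
    group_members={"Bo@example.com", "cy@example.com", "di@example.com"},
    trint_accounts={"ana@example.com", "bo@example.com", "cy@example.com"},
    other_teams={"Legal": {"cy@example.com"}},
)

if __name__ == "__main__":
    print(SAMPLE)
```

Reviewing the `removed`, `created` and `conflicts` lists before linking a group shows who loses Team membership and which new accounts appear as a result of the change.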

Troubleshooting

If you have questions or difficulties with your Trint/Okta SCIM integration, please contact your Trint customer support manager.

If you do not have a Trint enterprise account, contact Trint support via support@trint.com.