Configuring SCIM with Okta

This guide provides the steps required to configure provisioning for 15Five, and includes the following sections:

• Features
• Prerequisites
• Configuration Steps
• Troubleshooting Tips

Features

Automatic User Provisioning is supported for the 15Five application.

This enables Okta to:

• Add new users to 15Five
• Update select fields in users’ profile information in 15Five
• Deactivate users in 15Five
• Push groups and membership to 15Five

The following provisioning features are supported:

• Push New Users - Creating a new user in Okta and assigning them to the 15Five application will create a new user in 15Five.
• Push Profile Updates - Updates to a user in Okta will be pushed to 15Five.
• Push User Deactivation - Deactivating the user or disabling the user's access to 15Five within OKTA will deactivate the user in 15Five.
• Import New Users - Users created in 15Five can be pulled into Okta and turned into new AppUser objects for matching against existing Okta users.
• Push Groups - Groups created in Okta can be pushed to 15Five. Attributes pushed include name and group members.
• Pull Groups - Groups created in 15Five can be pulled into Okta for reference within Okta.
• Delete Groups - Groups deleted or removed from the 15Five application within Okta will be deleted within 15Five.

Prerequisites

Before you configure provisioning for 15Five: 

1. Make sure you have configured the General Settings and any Sign-On Options for the 15Five app.
2. Enable SCIM in your 15Five account and generate an Access Token.

Configuration Steps

Configure your App Settings:

• Enter an Application label (15Five or 15Five SCIM is encouraged).
• Enter your subdomain. For example, if you log into 15Five via https://acme.15five.com, enter “acme” for the subdomain.

Configure your Sign On methods settings:

For SAML 2.0 enabled 15Five customers, simply select the SAML 2.0 radio button option under Sign On Methods. No relay state is required.

For all other 15Five customers, select Secure Web Authentication and then Administrator sets username, the user sets the password. 

Configure your Provisioning settings for 15Five as follows:

• Check the Enable provisioning features box.
• API Credentials:
• OAuth Bearer Token: Place the Access Token from 15Five here. 
• Click the Test API Credentials button and check that your credentials were verified successfully.
• NOTE: The *Public API* key is 32 characters long. The *SCIM* key is 30 characters long.

Scroll down and select the Provisioning Features you want to enable.

• Under User Import, ensure that the following are set:
• Schedule Import: never
• Okta username format: Email Address

• Ensure that Profile Master is NOT enabled.
• Ensure Create Users is enabled. 
• Ensure Update User Attributes is enabled. 
• Ensure Deactivate Users is enabled. 
• Read through the section entitled Syncing Passwords in this guide to decide if you would like to have Okta sync passwords with 15Five.

You can now assign people to the app (if needed) and finish the application setup.

Syncing Passwords

Okta can be configured to sync passwords with 15Five. This sync direction is from Okta to 15Five. That is, passwords are only ever sent from Okta to 15Five for a user; never from 15Five to Okta.

If Sync Password is enabled, the password sent from Okta to 15Five must be randomly generated. For added security, check the Generate a new random password whenever the user's Okta password changes checkbox next to Password Cycle.

If your company uses SSO with 15Five, do not enable Sync Password. User authentication will be determined from the SAML setup associated with 15Five.

Emails

When giving 15Five access to an Okta user for the first time, a new user in 15Five will be created. If SSO is enabled for that user’s company in 15Five, that user will be sent a welcome email with a link to the SSO page at 15Five. If SSO is not enabled, that user will be sent a link to sign in and set their password.

When updating an Okta user’s password, that user’s 15Five password may be updated (depending on whether “Generate a new random password whenever the user’s Okta password changes” was checked or not). If SSO is enabled for the user’s company in 15Five, no password changes will occur for the user within 15Five. If SSO is not enabled in 15Five and Sync Password is enabled in Okta, then a user will receive an email with a link to reset their password in 15Five.

Troubleshooting + Support

Manager/Reviewer not syncing? 

Make sure that the manager exists within 15Five prior to provisioning. 15Five will ignore any manager assignments that include managers not present in 15Five. 

Okta sends the manager information present in the managerId field for a given user. The information in the field can be an email address for the manager or a 15Five ID for the user. Make sure this field is populated.

Finally, ensure that Sync Managers is enabled within 15Five's SCIM settings:
https://my.15five.com/scim/settings/

Changing a username?

15Five depends on the uniqueness of a user’s email address. Therefore, provisioning will fail if a user’s userName is updated but their email address is not. Ensure these two values (userName and email) are the same and retry the provision if has failed. 

Updates or de-provisioning not working for some users? 

Users added to 15Five before SCIM was enabled for the 15Five account my not be tracked by Okta. To make Okta aware of these users' membership in 15Five, perform an "Import" within Okta. Under the 15Five app in Okta, find the "Import" tab, and click "Import Now".

A list of 15Five users and possible associations with Okta users will be populated below. Click "Confirm Assignments" and these users will now be tracked, updated, and de-provisioned by Okta. 

This integration is built and supported by 15Five and our Support Team. Contact the 15Five Support Team at support@15five.com if any issues arise. Thanks!