1. 15Five Help Center
  2. Company administration
  3. Manage integrations
  4. Employee data management integrations

Configure SCIM with Okta

Avatar
Kristin Reynolds

Optimizing workplace efficiency begins with streamlined systems. 15Five's SCIM-based integration with Okta offers businesses a cutting-edge solution for identity management. By bridging the gap between these two platforms, companies can effortlessly onboard new employees and maintain accurate, real-time data— eradicating the potential for manual errors and saving countless administrative hours.

What you'll find in this article:

Access and availability

⛔️ Required access to Manage integrations.
👥 This article is relevant to Account admins.
📦 This feature is available in all pricing packages.

✏️

Note

Customers typically enable Single Sign-On (SSO) and SCIM together. Check out our article on SSO to see if it could be a good fit for your company. If you want to set up SSO, please set it up prior to setting up SCIM.

Integration Overview

Functionalities

The 15Five <> Okta SCIM integration allows you to...

  • Create new users: Creating a new user in Okta and assigning them to the 15Five application will create a new user in 15Five.
  • Sync profile updates: Updates to a user's data in Okta will be pushed to 15Five.
  • Deactivate users: Deactivating the user or disabling the user's access to 15Five within Okta will deactivate the user in 15Five.
  • Import new users to Okta: Users created in 15Five can be pulled into Okta and turned into new AppUser objects for matching against existing Okta users.
  • Sync groups and group membership: Groups created in Okta can be pushed to 15Five.
  • Pull groups into Okta: Groups created in 15Five can be pulled into Okta for reference.
  • Delete groups: Groups deleted or removed from the 15Five application in Okta will be deleted in 15Five.

Attributes

You can sync the following attributes from Okta to 15Five:

  • First name
  • Last name
  • Email
  • Title
  • Employee number
  • Location
  • Manager ID
  • Start date
  • Hire date
  • Termination date
  • Custom attributes
  • Group ID
  • Group name
  • Group members

For more information on how to sync these fields, please refer to the "Sync data from Okta > 15Five" section of this article.

Set up SCIM with Okta

In 15Five In Okta
  1. If you plan to use Okta for SSO, set up SSO prior to continuing.
  2. Click the Settings gear in the top, right-hand corner of 15Five.
    Open Settings.png
  3. Select 'Integrations' from the dropdown menu.
    Integrations.png
  4. Click on Enable to the right of the SCIM 2.0 option.
    SCIM-2.0.png
  5. Check the box next to "Enabled" and Save.
    Save-SCIM.png
  6. Click Generate OAuth token.
    Generate-OAuth.png
  7. An access token will be generated for you.
    Generate-Access-Token.png
  8. Now, refer to the "In Okta" tab for steps on how to finish setting up the integration in Okta.

Sync data from Okta > 15Five

Provision users

  1. In Okta, navigate to the Provisioning tab > To App subtab and make sure the following settings are enabled:
    • Create Users Update
    • User Attributes Deactivate
    • Users Sync Password (optional): Read through the section entitled Syncing Passwords in this guide to decide if you would like to have Okta sync passwords with 15Five. 6.png
  2. Map your attributes to the corresponding fields in 15Five using the chart below:
    Attribute Attribute type Value
    Username
    userName     		Personal Configured in Sign On settings
    Given name
    givenName     		Personal user.firstName
    Family name
    familyName     		Personal user.lastName
    Primary email
    email     		Personal user.email
    Title
    title     		Personal user.title
    Employee number
    employeeNumber     		Personal user.employeeNumber
    Location
    location     		Personal String.join(", ", user.city, user.state, user.countryCode)
    Start date
    startDate     		Personal user.startDate
    Hire date
    hireDate     		Personal user.hireDate
    Termination date
    terminationDate     		Personal user.terminationDate
    Manager ID
    managerId     		Personal user.managerId
    ✏️

    Note

    Syncing managers: Some organizations have a main system that feeds employee data into Okta. If you're one of them, make sure when you sync manager details, the information from your main system (or "primary source") is in a format that 15Five understands (e.g. email address or Okta employee ID). If it's not a format we recognize, the manager's info will show up as empty in 15Five.

  3. Assign the 15Five application to employees. Taking this action triggers an invite email to be sent and gives assigned employees immediate access to the platform.
    💡

    Tip

    If you want to delay provisioning an employee to 15Five before a certain date, check out the "Sync start dates" section of this article. This step must be taken before assigning them to the 15Five app in Okta.

Sync groups

You have the option to sync groups from Okta to 15Five or associate current Okta groups with existing groups in 15Five.

Some things to note before you begin:

  • Group ID, name, and members are the only group attributes synced from Okta > 15Five.
  • Groups created in 15Five and imported to Okta cannot be deleted or changed in Okta— they must be managed in 15Five.
  • Since groups imported from 15Five into Okta are not editable within Okta, we suggest creating groups in Okta first and then pushing those groups to 15Five.
Sync a group from Okta to 15Five
  1. Create the group in Okta.
  2. Click the Push Groups button in Okta.
  3. Once the group syncs to 15Five, go to the "Manage groups" page in 15Five (Settings > People > Manage groups). The group will appear in the "Groups" group type.
  4. If desired, move the group to a new group type. Because the only group attributes that sync from Okta to 15Five are ID, name, and members, future SCIM syncs will not override the group type change.
Associate a 15Five group with a group in Okta

If a group in Okta has the same name as an existing group in 15Five, pushing the group from Okta to 15Five will not create a new group. Instead, the group from Okta will overwrite the membership of the group in 15Five.

  1. Create a group with the same name in Okta. For example, if a "Leadership" group exists in 15Five, create a "Leadership" group in Okta.
  2. Add members to the group in Okta.
  3. Push the group to 15Five.
✏️

Note

If you notice a delay in changes syncing from Okta to 15Five, try performing a force sync in Okta. If that doesn't resolve the issue, contact our Support Team and we can take a look.

Sync start, hire, or termination dates

You can send start, hire, and termination dates from Okta to 15Five.

  • Start dates refer to the date that an employee gains access to 15Five. Adding a start date for an employee allows you to delay their email invites and their access to the platform. On the specified date, they will be sent an email notifying them that they can log in. To delay a person's invite, you must add a start date before assigning them to 15Five in Okta. Otherwise, they will immediately receive a welcome email and have access to the platform upon assignment.
  • Hire dates refer to the date that an employee began at the company. This attribute can be pulled into engagement surveys to populate system groups that allow you to measure the engagement of people in different hiring cohorts or tenure bands.
  • Termination dates refer to the date that an employee was terminated or departed from a company. This attribute can be used in the HR Outcomes Dashboard to help measure regrettable turnover within your organization.

Sync start, hire, or termination dates

  1. Navigate to Okta and open the configuration tabs for 15Five.
  2. Under the "Provisioning Tab", click on the "Go to Profile Editor" button.
  3. Click "Add Attribute" and fill in the following:
    • Display Name: Start Date / Hire Date / Termination Date
    • Variable Name: startDate / hireDate / terminationDate
    • External namespace: urn:ietf:params:scim:schemas:extension:15Five:2.0:User
    • Scope: Check "User personal"
    • Other settings can be left "as is"
  4. Click Save.
  5. Click "Mappings" and then "Okta User to 15Five".
  6. Select the field on your employees that you would like Okta to send as a Start/Hire/Termination date value. If the desired value doesn't already exist on your Okta User, create the custom attribute in Okta.
  7. Click "Save Mappings". The attribute will now be sent to 15Five.
Here are examples of what's expected in the various SCIM payloads:

POST / PUT Payload

...
"schemas": [
 "urn:ietf:params:scim:schemas:core::2.0:User",
 ... 
 "urn:ietf:params:scim:schemas:extension:15Five:2.0:User"
],
...
"urn:ietf:params:scim:schemas:extension:15Five:2.0:User": {
 "startDate": "12/15/2019"
}
...

PATCH Payload

{ 
  'schemas': ['urn:ietf:params:scim:api:messages:2.0:PatchOp'], 
  'Operations': [ 
    { 
      "op": "Replace", 
      "path": "urn:ietf:params:scim:schemas:extension:15Five:2.0:User",
      "value": "12/15/2019"
    }
  ] 
}

Sync custom attributes

You can sync custom attributes from Okta to 15Five by adding a new profile attribute within your SCIM app (15Five app) using an external name that is prefixed with custom_ and using the external namespaceurn:ietf:params:scim:schemas:extension:15Five:2.0:User. Once set up, you can then map a value from your IdP profile into the 15Five app profile. Learn how to create a custom attribute in Okta.

Disconnect the integration

  1. Go to the SCIM settings page.
  2. Uncheck the box to the left of "Enabled."
    Disable-SCIM.png
  3. Scroll to the bottom of the page and click Save.
    Save.png
  4. Once SCIM is deactivated, employee accounts will remain active but will no longer be automatically updated by Okta.

Troubleshooting and FAQs

What is the frequency of SCIM uploads from our IdP to 15Five?
It’s an on-demand basis, i.e. you make a change and your IdP pushes it immediately to 15Five.
Can SCIM update custom attributes in 15Five?
Yes. And if you are already familiar with adding custom attributes to your IdP, then you can add a new profile attribute within your SCIM app (15Five app) using an external name that is prefixed with custom_ and uses the external namespaceurn:ietf:params:scim:schemas:extension:15Five:2.0:User. Once set up, you can then map a value from your IdP profile into the 15Five app profile.
If SCIM is on, can I still add people on a one-off basis?
No, if SCIM is on you cannot manually add users via the 'Manage people' page or the team 15Five page. Importing new users via CSV is an option if SCIM is enabled for your organization. Please reach out to Support at support@15Five.com to get this turned on for your company.
Can Okta sync passwords with 15Five?
Yes: Okta can be configured to sync passwords with 15Five. This sync direction is from Okta to 15Five, never from 15Five to Okta. If Sync Password is enabled, the password sent from Okta to 15Five must be randomly generated. For added security, check the ‘Generate a new random password whenever the user's Okta password changes' checkbox next to 'Password Cycle'. If your company uses SSO with 15Five, do not enable 'Sync Password'. User authentication will be determined from the SAML setup associated with 15Five.
We have data currently in 15Five, if we turn on SCIM provisioning do we risk having data deleted for people with existing data?
No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with users that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.
Can I sync employee timezones via SCIM?
Not at this time.
Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group admin?
It is advisable to pass over the groups through IdP. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.
Why isn't the Manager- Reviewer field syncing?

There are a few potential reasons for this:

  1. Confirm that ‘Sync Managers’ is selected in your SCIM settings.
  2. Did the manager exist in 15Five before assigning them to the employee in Okta? If not, try a ‘Force Sync’ or changing their manager field to initiate another sync. You can review the system logs within Okta for details about what jobs have taken place.
  3. Confirm that your managerId or managerEmail attributes are mapped correctly.
    7__1___1___1_.png
  4. If you have a downstream software connecting to Okta, confirm that the id mapped from that software to Okta is an id that is passed to 15Five. We verify users by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If we do not see an ID we recognize, often the reviewer field will appear blank in 15Five.
  5. Modify the user(s) profile in some way (perhaps by altering an unused field (State, Zip, etc)). Bulk modification of users is possible in Okta.
  6. Un-assign and re-assign the direct report to the 15Five application. Please note this will trigger a "Welcome Back" email to be sent to the re-assigned user(s).
I’m not seeing the ‘Start Date’ or ‘Location field syncing from Okta to 15Five— why?
Make sure you are on the most recent version of the 15Five application. Follow this guide to migrate.
Why am I receiving an "Email address already in use" error when creating a user?
This error often occurs when a user was added to 15Five manually or prior to SCIM being enabled. See the answer below under "Why aren't updates or de-provisioning working for some users?" to troubleshoot.
Why aren't updates or de-provisioning working for some users?
This issue often occurs when a user was added to 15Five manually or prior to SCIM being enabled. To make Okta aware of these users' membership in 15Five, perform an "Import" within Okta. Under the 15Five app in Okta, find the "Import" tab, and click "Import Now". A list of 15Five users and possible associations with Okta users will be populated below. Click "Confirm Assignments" and these users will now be tracked, updated, and de-provisioned by Okta. Please make sure all of the users you would like to import from 15Five are active as inactive users will not be imported by Okta.

If users are still not imported into Okta after an "Import Now" operation, then Okta's suggested course of action is the following:

  1. Perform a "Force Sync" on the "provisioning" tab's page.
  2. Modify the user(s) profile in some way (perhaps by altering an unused field
    3. (State, Zip, etc)). Bulk modification of users is possible in Okta.
  3. Un-assign and re-assign the user(s) to the 15Five application. Please note this will trigger a "Welcome Back" email to be sent to the re-assigned user(s).
Why am I seeing the error "Automatic provisioning of user to app failed: Error while reactivating user: Not Found. Errors reported by remote server: Resource None not found"?
If a user has not been synced with Okta prior to their deactivation within 15Five, Okta will not know about them and will not be able to take action on them. Please re-activate (within 15Five) the user you would like to sync with Okta, and then perform an import within Okta as described in the "Why aren't updates or de-provisioning working for some users?" section above.
Was this article helpful?
2 out of 4 found this helpful