Setting up SCIM with Okta
Written by Kim Giaoui
Updated over a week ago

If you use Okta as your identity provider, please follow this guide to set up the SCIM protocol for your Tomorro organization.

Note: only an admin can manage these settings on Tomorro.

If you already have a Tomorro application in Okta, for example for a SAML connection, go straight to Step 2.

Step 1 - Create an application on Okta

  • In your administrator area, go to the "Applications" section in the left-hand navigation

  • Click on "Create an application"

  • Select "SAML 2.0", then click "Next"

  • Write the name of the application, for example, "Tomorro", then add a logo

  • Here you need to configure SAML, as described in this article. Make sure you fill in the parameters as shown in the screenshots below, then click "Next" at the bottom right

  • Choose the first option, then click "Finish" at the bottom right

Step 2 - Enable SCIM provisioning on your application

  • On the application page, open the settings in the "General" section, then enable editing

  • Enable SCIM provisioning, then save

  • Go to the "Provisioning" settings, then enable editing

  • Enter the information from Tomorro's SCIM module in the SCIM connector base URL and Authorization fields as shown below, then test the connection

  • This is what you should see. Then close this window and save

Step 3 - Set up SCIM provisioning for your application

  • You should be on the "Provisioning" page of your Tomorro application. Enable editing, select the first three parameters, "Create users", "Update User Attributes" and "Deactivate Users", then save.

  • At the bottom of this page, you'll find the attribute mapping. Delete all superfluous attributes by clicking on the cross at the far right of each line, leaving only "Username", "Given name", "Family name" and "User Type"

Step 4 - Choose which Okta groups to create in Tomorro

  • You can automatically re-create Okta groups in your Tomorro application. To do this, go to the "Push groups" section in the application

  • Choose "Push groups", then "Find groups by name", search for the Okta group you wish to create in Tomorro, then save. You'll now see it in your Tomorro groups under the same name

Step 5 - Provision users via groups

  • To give access to the application directly from Okta groups, you need to assign the application to them. To do this, go to "Groups", under "Directory", in the left-hand navigation

  • Click on one of your Okta groups, then go to "Applications"

  • Assign the Tomorro application to a group

  • We've done it! All members added to this group will be provisioned directly in Tomorro. If the group is itself pushed to Tomorro, then they will also be added to this group, allowing you to give them access to the right folders, templates and projects without any extra effort

Step 6 - Provision users individually

  • You can also assign the Tomorro application to individual users. To do this, go to "People" under "Directory" in your left-hand navigation

  • In the "Applications" section, select "Assign Application", and follow the same procedure as for groups. The user will be automatically provisioned in Tomorro

Step 7 - Choose the Tomorro role for your users from Okta

  • From Okta, you can also define which Tomorro role your users will have (admin, manager, contributor). This can be done at group or individual level. By default, members will be created as contributors.

  • Here are the values to be entered in the "User Type" field and their correspondence in Tomorro

Okta attribute ➡️ Tomorro role

admin ➡️ Admin

manager ➡️ Manager

user ➡️ Contributor

1. From groups

  • When assigning an application to a group, an attribute window appears, allowing you to assign values automatically. You can fill in the "User Type" value from this window, so that all users associated with this group automatically have the correct role in Tomorro

2. From individual users

  • In a user profile, open the "Profile" section, then enable editing

  • Find the "User Type" field, and assign the appropriate value. Confirm the value by pressing the "Enter" key, or via the Save button at the bottom of the page
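Because the "User Type" value decides who becomes a Tomorro admin, it is worth reviewing what will be provisioned before assigning the application widely. The Python sketch below is an added example, not Tomorro or Okta code: it audits SCIM User resources against the mapping table above and the four attributes kept in Step 3. It assumes those attributes travel under their RFC 7643 names (userName, name.givenName, name.familyName, userType) and that an unrecognized value should be held for review; the sample users are constructed.

```python
# Added example: audit SCIM User payloads against the mapping in this guide.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643

# "User Type" value -> Tomorro role, as listed in Step 7.
ROLE_BY_USER_TYPE = {"admin": "Admin", "manager": "Manager", "user": "Contributor"}
DEFAULT_ROLE = "Contributor"  # Step 7: members are created as contributors by default

# Assumed SCIM names of the four attributes kept in Step 3, plus protocol fields.
ALLOWED_KEYS = {"schemas", "id", "externalId", "meta", "active",
                "userName", "name", "userType"}
ALLOWED_NAME_KEYS = {"givenName", "familyName"}

def audit_user(resource):
    """Return (role, findings) for one SCIM User resource (a dict)."""
    findings = []
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        findings.append("not a SCIM core User resource")
    extra = sorted(set(resource) - ALLOWED_KEYS)
    extra += sorted("name." + k for k in set(resource.get("name", {})) - ALLOWED_NAME_KEYS)
    if extra:
        findings.append("unmapped attributes sent: " + ", ".join(extra))
    user_type = resource.get("userType")
    if user_type in (None, ""):
        role = DEFAULT_ROLE
    elif user_type in ROLE_BY_USER_TYPE:
        role = ROLE_BY_USER_TYPE[user_type]
    else:
        # Assumption: unknown values are held for review rather than guessed.
        role = None
        findings.append("unrecognized userType %r" % user_type)
    if role == "Admin":
        findings.append("privileged role: confirm this user should be an admin")
    return role, findings

def audit(resources):
    """Map userName -> (role, findings) for a list of SCIM User resources."""
    return {r.get("userName", "<missing userName>"): audit_user(r) for r in resources}

# Constructed sample payloads (not real accounts).
SAMPLE = [
    {"schemas": [SCIM_USER_SCHEMA], "userName": "a.martin@example.com",
     "name": {"givenName": "Alice", "familyName": "Martin"}, "userType": "admin", "active": True},
    {"schemas": [SCIM_USER_SCHEMA], "userName": "b.durand@example.com",
     "name": {"givenName": "Bob", "familyName": "Durand"}, "active": True},
    {"schemas": [SCIM_USER_SCHEMA], "userName": "c.petit@example.com",
     "name": {"givenName": "Chloe", "familyName": "Petit"}, "userType": "Admin",
     "phoneNumbers": [{"value": "+33 1 00 00 00 00"}], "active": True},
]
```

Calling `audit(SAMPLE)` returns one entry per user; the third user is flagged twice, once for a capitalized "Admin" that does not match the table and once for an attribute that Step 3 says to remove.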

And that's it, the SCIM protocol is now enabled for Tomorro! 🚀


Additional information, our tips!

  • Groups created on Tomorro cannot be back-synchronized with Okta groups. We recommend that you recreate these groups from Okta, then use these new groups provisioned via SCIM to add access to the various Tomorro folders and models. This is an up-front investment that will save you valuable time in the long term by automating more granular access to Tomorro directly from Okta.

  • It may be clearer and more efficient to separate "access" and "permissions" groups. You could have different groups for your departments, or geographical areas, giving access to certain templates or parts of your contract library, and then have an "Admins" group and a "Managers" group that set the userType attribute.
