Skip to main content
Setting up SCIM with Okta
Kim Giaoui avatar
Written by Kim Giaoui
Updated over a week ago

If you use Okta as your identity provider, please follow this guide to set up the SCIM protocol for your Tomorro organization.

Note: only an admin can manage these settings on Tomorro.

If you're already using a Tomorro application for, say, a SAML connection, go straight to step 2.

Step 1 - Create an application on Okta

  • In your administrator area, go to the "Applications" section in the left-hand navigation

  • Click on "Create an application"

  • Select "SAML 2.0", then click "Next"

  • Write the name of the application, for example, "Tomorro", then add a logo

  • Here you need to configure SAML, as described in this article. Make sure you fill in the parameters as shown in the screenshots below, then click "Next" at bottom right

  • Choose the first option, then click on "Finish" at bottom right

Step 2 - Enable SCIM provisioning on your application

  • On the application page, open the settings in the "General" section, then activate the edit

  • Enable SCIM provisioning, then save

  • Go to the "Provisioning" settings, then activate the edition

  • Enter the information from Tomorro's SCIM module in the SCIM connector base URL and Authorization fields as shown below, then test the connection

  • This is what you should see. Then close this window and save

Step 3 - Set up SCIM provisioning for your application

  • You should be on the "Provisioning" page of your Tomorro application. Activate editing, select the first three parameters "Create users", "Update User Attributes", and "Deactivate Users", then save.

  • At the bottom of this page, you'll find the attribute mapping. Delete all superfluous attributes, leaving only "Username", "Given name", "Family name" and "User Type", by clicking on the cross at the far right of the line

Step 4 - Choose which Okta groups to create in Tomorro

  • You can automatically re-create Okta groups in your Tomorro application. To do this, go to the "Push groups" section in the application

  • Choose "Push groups", "Find groups by name", search for the group you wish to create from Okta to Tomorro, then save. You'll now see it in your Tomorro groups under the same name

Step 5 - Provision users via groups

  • To give access to the application directly from Okta groups, you need to assign the application to them. To do this, go to "Groups", under "Directory", in the left-hand navigation

  • Click on one of your Okta groups, then go to "Applications"

  • Assign the Tomorro application to a group

  • We've done it! All members added to this group will be provisioned directly in Tomorro. If the group is itself pushed to Tomorro, then they will also be added to this group, allowing you to give them access to the right folders, templates and projects without any extra effort

Step 6 - Provision users individually

  • You can also assign the Tomorro application to individual users. To do this, go to "People" under "Directory" in your left-hand navigation

  • In the "Applications" section, select "Assign Application", and follow the same procedure as for groups. The user will be automatically provisioned in Tomorro

Step 7 - Choose the Tomorro role for your users from Okta

  • From Okta, you can also define which Tomorro role your users will have (admin, manager, contributor). This can be done at group or individual level. By default, members will be created as contributors.

  • Here are the values to be entered in the "User Type" field and their correspondence in Tomorro

Okta attribute ➡️ Tomorro role

admin ➡️ Admin

manager ➡️ Manager

user ➡️ Contributor

1. From groups

  • When assigning an application to a group, an attribute window appears, allowing you to assign values automatically. You can fill in the "User Type" value from this window, so that all users associated with this group automatically have the correct role in Tomorro

2. From individual users

  • In a user profile, open the "Profile" section, then activate edit

  • Find the "User Type" field, and assign the appropriate value. Confirm the value by pressing the "Enter" key, or via the Save button at the bottom of the page

And that's it, the SCIM protocol is now enabled for Tomorro! 🚀

Additional information, our tips!

  • Groups created on Tomorro cannot be back-synchronized with Okta groups. We recommend that you recreate these groups from Okta, then use these new groups provisioned via SCIM to add access to the various Tomorro folders and models. This is a time-saving investment that will save you valuable time in the long term, automating more granular access to Tomorro directly from Okta.

  • It may be clearer and more efficient to separate "access" and "permissions" groups. You could have different groups for your departments, or geographical areas, giving access to certain templates or parts of your contract library, and then have an "Admins" group and a "Managers" group that set the userType attribute.

Attachment icon
Did this answer your question?