If you use Okta as your identity provider, please follow this guide to set up the SCIM protocol for your Tomorro organization.
Note: only an admin can manage these settings on Tomorro.
If you already have a Tomorro application in Okta, for a SAML connection for example, go straight to Step 2.
Step 1 - Create an application on Okta
In your administrator area, go to the "Applications" section in the left-hand navigation
Click on "Create an application"
Select "SAML 2.0", then click "Next"
Write the name of the application, for example, "Tomorro", then add a logo
Here you need to configure SAML, as described in this article. Make sure you fill in the parameters as shown in the screenshots below, then click "Next" at bottom right
Choose the first option, then click on "Finish" at bottom right
Step 2 - Enable SCIM provisioning on your application
On the application page, open the settings in the "General" section, then enable editing
Enable SCIM provisioning, then save
Go to the "Provisioning" settings, then enable editing
Fill in these first parameters as shown in the following screenshot, then open the Tomorro SCIM integration module in another tab
Enter the information from Tomorro's SCIM module in the SCIM connector base URL and Authorization fields as shown below, then test the connection
This is what you should see. Then close this window and save
Step 3 - Set up SCIM provisioning for your application
You should be on the "Provisioning" page of your Tomorro application. Activate editing, select the first three parameters "Create users", "Update User Attributes", and "Deactivate Users", then save.
At the bottom of this page, you'll find the attribute mapping. Delete all superfluous attributes by clicking on the cross at the far right of each line, leaving only "Username", "Given name", "Family name" and "User Type"
Step 4 - Choose which Okta groups to create in Tomorro
You can automatically re-create Okta groups in your Tomorro application. To do this, go to the "Push groups" section in the application
Choose "Push groups", then "Find groups by name", search for the Okta group you wish to create in Tomorro, then save. You'll now see it in your Tomorro groups under the same name
Step 5 - Provision users via groups
To give access to the application directly from Okta groups, you need to assign the application to them. To do this, go to "Groups", under "Directory", in the left-hand navigation
Click on one of your Okta groups, then go to "Applications"
Assign the Tomorro application to a group
We've done it! All members added to this group will be provisioned directly in Tomorro. If the group is itself pushed to Tomorro, then they will also be added to this group, allowing you to give them access to the right folders, templates and projects without any extra effort
Step 6 - Provision users individually
You can also assign the Tomorro application to individual users. To do this, go to "People" under "Directory" in your left-hand navigation
In the "Applications" section, select "Assign Application", and follow the same procedure as for groups. The user will be automatically provisioned in Tomorro
Step 7 - Choose the Tomorro role for your users from Okta
From Okta, you can also define which Tomorro role your users will have (admin, manager, contributor). This can be done at group or individual level. By default, members will be created as contributors.
Here are the values to be entered in the "User Type" field and their correspondence in Tomorro
Okta attribute ➡️ Tomorro role
admin ➡️ Admin
manager ➡️ Manager
user ➡️ Contributor
1. From groups
When assigning an application to a group, an attribute window appears, allowing you to assign values automatically. You can fill in the "User Type" value from this window, so that all users associated with this group automatically have the correct role in Tomorro
2. From individual users
In a user profile, open the "Profile" section, then enable editing
Find the "User Type" field, and assign the appropriate value. Confirm the value by pressing the "Enter" key, or via the Save button at the bottom of the page
And that's it, the SCIM protocol is now enabled for Tomorro! 🚀
Additional information, our tips!
Groups created on Tomorro cannot be back-synchronized with Okta groups. We recommend that you recreate these groups from Okta, then use these new groups provisioned via SCIM to add access to the various Tomorro folders and templates. This investment will save you valuable time in the long term by automating more granular access to Tomorro directly from Okta.
It may be clearer and more efficient to separate "access" and "permissions" groups. You could have different groups for your departments, or geographical areas, giving access to certain templates or parts of your contract library, and then have an "Admins" group and a "Managers" group that set the userType attribute.
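Before assigning the application to groups, it can help to review which Tomorro role each "User Type" value from Step 7 will produce. The following is an added example, not part of Tomorro's or Okta's tooling: it checks a constructed list of assignments against the mapping table in Step 7 and an approved admin list. The logins, the field names "login" and "userType", and the approved list are assumptions made for illustration.

```python
# Documented "User Type" values and the Tomorro role each one gives (table in Step 7).
ROLE_BY_USER_TYPE = {"admin": "Admin", "manager": "Manager", "user": "Contributor"}
DEFAULT_ROLE = "Contributor"  # the guide says members are created as contributors by default


def tomorro_role(user_type):
    """Return (role, issue) for one Okta "User Type" value."""
    if not user_type:
        return DEFAULT_ROLE, None
    if user_type in ROLE_BY_USER_TYPE:
        return ROLE_BY_USER_TYPE[user_type], None
    # Assumption: the guide does not say how other values are handled, so
    # near-misses and unknown values are reported instead of guessed at.
    near = user_type.strip().lower()
    if near in ROLE_BY_USER_TYPE:
        return None, f"{user_type!r} is not the documented value {near!r}"
    return None, f"{user_type!r} is not a documented User Type value"


def audit(assignments, approved_admins):
    """List (login, finding) pairs that need review before provisioning."""
    findings = []
    for entry in assignments:
        role, issue = tomorro_role(entry.get("userType"))
        if issue:
            findings.append((entry["login"], issue))
        elif role == "Admin" and entry["login"] not in approved_admins:
            findings.append((entry["login"], "Admin role, but not on the approved admin list"))
    return findings


# Constructed sample data (hypothetical logins, not taken from a real tenant).
SAMPLE = [
    {"login": "alice@example.com", "userType": "admin"},
    {"login": "bob@example.com", "userType": "admin"},
    {"login": "carol@example.com", "userType": "Manager"},
    {"login": "dave@example.com", "userType": ""},
    {"login": "erin@example.com", "userType": "owner"},
]

if __name__ == "__main__":
    for login, finding in audit(SAMPLE, approved_admins={"alice@example.com"}):
        print(f"{login}: {finding}")
```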