This is a premium product add-on and must be purchased and configured through your Account Manager.
System for Cross-domain Identity Management (SCIM) is a protocol that enables automated user provisioning and de-provisioning between different identity systems. It allows Okta to communicate with the MANTL Console to exchange user identity information and perform provisioning and de-provisioning actions automatically.
- Considerations
- Prerequisites
- Supported Features
- Supported Attributes
- Configuration Steps
- Troubleshooting
Considerations
When choosing to use SCIM provisioning, consider the following:
- MANTL's implementation of SCIM maps Okta groups one-to-one with MANTL roles.
- The MANTL Console does not support nested roles.
- When SCIM is enabled for your organization in MANTL, users and roles in the MANTL Console will become read-only.
- While you will be able to update a role's description and associated permissions, you will not be able to otherwise edit roles (e.g. a role's name or user associations) using the MANTL Console.
- User profiles and roles will need to be updated in Okta.
- Permissions and their associations to roles will still be edited in the MANTL Console.
- Users can only be deactivated, not deleted.
- If a user is off-boarded or unassigned from a relevant group in Okta, their status in MANTL updates accordingly.
- All other historical information associated with that user will remain in MANTL.
- Deactivated users can be reenabled without creating a new user in MANTL by reassigning them.
- Organizations with multiple clients (i.e. brands) may manage client assignment at either the user or the role level.
- By default, client assignments are made at the user level and managed within the Console. The system default is to assign all clients to a user. As a result, admins would update a user via the Console to limit client access as needed.
- Managing client assignments via roles may be desirable for organizations that have many users with varying client access. In this case, a group system will need to be created in Okta to control client assignments, after which client/role assignment can be managed via the Console, similar to permission/role assignment.
Prerequisites
- Before getting started in Okta, your Customer Success Manager (CSM) will provide you with an access token for authenticating SCIM requests.
- Because the token is highly sensitive information, it will be sent to you using your preferred secured messaging platform and not emailed.
Supported Features
- Create users
- Update user attributes
- Deactivate users
- Import users
- Group push
- Import groups
Supported Attributes
MANTL supports the following attributes when working with SCIM provisioning in Okta:
- First / Last Name: Users in the MANTL Console are required to have first and last name attributes only. Middle names, honorifics, prefixes and postfixes, display names, or nicknames do not get mapped to the MANTL Console. This may cause synchronization issues for some users if the first and last names are missing.
- Contact Info: MANTL only supports a single email address (required) and a phone number (optional) per user.
- Address: MANTL does not support physical address, locale, or time zone attributes for users.
- Core Code: Depending on your core configuration, some MANTL users have an optional attribute referred to as their Core Code. If this attribute is available in your core and in Okta, it can be mapped using the user.employeeNumber attribute.
Note: This value must contain only digits. Your CSM or implementation manager can work with you to set up your attribute mappings to pass this value between MANTL and Okta.
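A pre-flight check for the attribute rules above, as an added example (not MANTL or Okta code): it flags Okta profiles that lack a required first name, last name or email, or carry a non-digit Core Code, and lists populated attributes that will not be mapped. The Okta base-profile attribute names, the ASCII-only reading of "digits" and the sample users are assumptions.

```python
import re

# Okta base-profile attribute names; which ones your tenant maps to the MANTL
# app is an assumption. Sample users below are constructed.
REQUIRED = ("firstName", "lastName", "email")
NOT_MAPPED = ("middleName", "honorificPrefix", "honorificSuffix", "displayName",
              "nickName", "secondEmail", "streetAddress", "city", "state",
              "zipCode", "postalAddress", "locale", "timezone")
ASCII_DIGITS = re.compile(r"[0-9]+")  # assumption: "digits" means ASCII 0-9


def preflight(profile):
    """Check one Okta profile dict against the attribute rules listed above."""
    errors = []
    for attr in REQUIRED:
        value = profile.get(attr)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{attr} is required but missing or blank")
    core_code = profile.get("employeeNumber")
    # Core Code is optional, but when present it must be digits only.
    if core_code not in (None, "") and not ASCII_DIGITS.fullmatch(str(core_code)):
        errors.append("employeeNumber (Core Code) must contain only digits")
    # Populated attributes that will not reach the MANTL Console.
    unmapped = [a for a in NOT_MAPPED if profile.get(a)]
    return {"errors": errors, "unmapped": unmapped}


def report(profiles):
    """Map login -> findings for every profile that has errors or unmapped data."""
    findings = {}
    for p in profiles:
        result = preflight(p)
        if result["errors"] or result["unmapped"]:
            findings[p.get("login", "<no login>")] = result
    return findings


SAMPLE_USERS = [  # constructed
    {"login": "a.ok@example.com", "firstName": "Ana", "lastName": "Okafor",
     "email": "a.ok@example.com", "employeeNumber": "004217"},
    {"login": "svc-batch@example.com", "firstName": "", "lastName": "Batch",
     "email": "svc-batch@example.com", "employeeNumber": "EMP-88"},
    {"login": "j.li@example.com", "firstName": "Jun", "lastName": "Li",
     "email": "j.li@example.com", "nickName": "JL", "timezone": "America/Chicago"},
]

if __name__ == "__main__":
    for login, result in report(SAMPLE_USERS).items():
        print(login, result)
```

Run it against an export of the users you plan to assign so that profiles with blocking errors are fixed in Okta before the first sync.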
Configuration Steps
- If you have already added the MANTL app integration to your Okta account for SSO, skip to step 5 to enable user provisioning.
- In the Okta Admin dashboard, go to Applications > Applications > Browse App Catalog.
- Search for "mantl", select the app from the results, then click Add Integration.
- On the General settings page, set the Application label and Base URL values, then click Done.
- Production
- Application label: MANTL
- Base URL: https://console.mantl.com
- UAT
- Application label: MANTL (UAT)
- Base URL: https://console.uat.mantl.com
- Navigate to the Provisioning tab, then click the Configure API Integration button.
- Check the Enable API Integration checkbox, then populate the API Token field with the access token provided by your CSM.
- MANTL does support the import groups feature; however, we generally recommend not using it. If your organization has used the MANTL Console for a period of time without SCIM, consult your CSM to determine if importing groups from MANTL is desirable.
- After testing the API credentials, click the Save button.
- In the To App sub-section, edit the Provisioning to App section.
- Check the boxes for Create Users, Update User Attributes, and Deactivate Users. Then click Save.
- Create roles in the MANTL Console by using the Push Groups tab, then finding groups by name or rule.
- After new roles are pushed into the MANTL Console, you or your CSM will assign permissions to them in the MANTL interface.
- Navigate to the Assignments tab, and assign people and/or groups to the app.
- See the Okta docs: Assign app integrations.
- Assigning a group will sync all the users in that group to MANTL, but will not create that group as a role in MANTL. Only groups that are selected on the Push Groups tab will be created in the MANTL Console.
Known Issues and Troubleshooting
- MANTL users are required to have first and last names. If either field is missing, the Okta user may produce an error when attempting to sync.
If any unknown error occurs, contact support, and we can help you troubleshoot the issue.