Prerequisites
SAML-based SSO must be properly set up and functional before you start configuring automated provisioning.
The Klaxoon SCIM API requires a Secret Token related to a SCIM tenant URL. Get yours from Klaxoon beforehand (see here).
Before starting your first provisioning, make sure you are aware of the general Klaxoon SCIM rules.
Configuration
Please follow these steps:
1 - Create a new app integration:
Applications > Applications > Create App Integration
2 - Choose SAML 2.0
3 - General Settings
Fill in General Settings with information of your choice (Klaxoon SCIM is a good name to remember what this app is about).
4 - Configure SAML SSO
To connect and test your SSO connection with Klaxoon, get in touch with us. Our support team will be happy to help!
5 - “Feedback” section
When prompted in the “Feedback” section, say you are adding an internal app and click Finish.
6 - SCIM provisioning
Your app is created. In the general settings, you can now enable SCIM provisioning.
7 - Provisioning
You can now jump to the new Provisioning tab and edit the SCIM Connection panel:
• For SCIM connector base URL use the Klaxoon SCIM URL received from Klaxoon support. (This URL can be different from customer to customer due to the different Klaxoon hosting tenants)
• In the Unique identifier field type in “userName”
• Select Push New Users
• Select Push Profile Updates
• In Authentication Mode, select “HTTP Header” and paste your Secret Token in the Bearer Token field.
8 - Test Connector Configuration
At the end of this step, the connection between Klaxoon and your Okta can be tested with the Test Connector Configuration button. You should see the following screen as a result. Close the modal and Save.
9 - Sync between Okta and Klaxoon
The next step is to enable precisely what you will sync between Okta and Klaxoon.
(Please note that we will not use Okta as a provisioning target, so the whole “To Okta” settings page is not relevant for us.)
In the “To App” settings page, do the following configuration:
• Enable Create Users
• Enable Update Users Attributes
• Enable Deactivate Users
10 - Attributes Mappings
Below you will see the Attributes Mappings between Okta and Klaxoon.
Here is the minimum mapping we need to provision users in Klaxoon:
(it is not a problem to have more attributes mapped but Klaxoon will not use them)
11 - Sync your users
You can now try to sync your first users by assigning them to this Klaxoon SCIM app you’ve just configured. Be aware that for now you are not taking care of the licensing information, so the synced users will not receive a PRO license. Use fresh users who do not already have a Klaxoon license to avoid messing up their licenses.
As soon as the user is assigned to the app, Okta sends a request via SCIM and Klaxoon creates the user. You can check this in Reports > System Log, where you will see the operations that just happened behind the scenes.
12 - Licensing information
To add the licensing information you will need a custom attribute and map it to Klaxoon.
There are different valid ways to configure this in Okta; below is our recommendation, which respects the Klaxoon SCIM rules as described here.
12.1 - Create the Okta user attribute
To do so, go to Directory > Profile Editor and choose the Okta User (default). Then click Add Attribute and reproduce the configuration below:
• Data type: string
• Display name: Klaxoon License
• Variable name: klaxoon_license
Define the enumerated list of values as:
• PRO: value = true
• FREE: value = false
12.2 - Create the Klaxoon user attribute
To do so, go to Directory > Profile Editor and choose your freshly created Klaxoon app. Then click Add Attribute and reproduce the configuration below:
• Data type: string
• Display name: Klaxoon License
• Variable name: klaxoon_license
• External name: license
• External namespace: urn:ietf:params:scim:schemas:extension:klaxoon:2.0:User
Define the enumerated list of values as:
• PRO: value = true
• FREE: value = false
• Scope: User personal
12.3 - Map both attributes together
Click on the Mappings button and choose Okta User to your app.
(Are you lost? Go to Directory > Profile Editor > your Klaxoon app and then you’ll find the Mappings button)
At the end of the mapping, add the user.klaxoon_license attribute from Okta user to the klaxoon_license attribute of the Klaxoon user.
Save the mapping and confirm to Apply updates now (see related screenshot below).
13 - Add licensing information to your users
You can now add licensing information to your users. Edit their profile and set their Klaxoon License attribute to PRO to give them a license and check in Reports > System Log that everything went fine.
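To check what the configuration from steps 7 and 12 should produce on the wire, the following added example (not Klaxoon's or Okta's own code) builds the SCIM User resource from an Okta profile and validates it. It assumes the standard RFC 7643 resource layout and that the Okta login is what gets mapped to userName; the function names and the sample profile are constructed for illustration.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
KLAXOON_EXT = "urn:ietf:params:scim:schemas:extension:klaxoon:2.0:User"  # step 12.2
LICENSE_VALUES = {"true", "false"}  # PRO / FREE enum values, data type string


def build_scim_user(okta_profile):
    """Map an Okta profile to the SCIM User resource this setup would push."""
    resource = {
        "schemas": [CORE_USER],
        # Assumption: Okta 'login' feeds userName, the unique identifier (step 7).
        "userName": okta_profile.get("login"),
    }
    license_value = okta_profile.get("klaxoon_license")
    if license_value is not None:
        resource["schemas"].append(KLAXOON_EXT)
        resource[KLAXOON_EXT] = {"license": license_value}  # external name (12.2)
    return resource


def validate_scim_user(resource):
    """Return a list of problems; an empty list means the resource looks right."""
    problems = []
    schemas = resource.get("schemas", [])
    if CORE_USER not in schemas:
        problems.append("core User schema URN missing from 'schemas'")
    user_name = resource.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("'userName' is missing or empty")
    ext = resource.get(KLAXOON_EXT)
    if ext is not None:
        if KLAXOON_EXT not in schemas:
            problems.append("extension data present but its URN is not in 'schemas'")
        value = ext.get("license")
        # The attribute is configured as a string enum, so boolean True is a mismatch.
        if not isinstance(value, str) or value not in LICENSE_VALUES:
            problems.append(f"'license' must be the string 'true' or 'false', got {value!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample profile, not real data.
    sample = {"login": "alice@example.com", "klaxoon_license": "true"}
    user = build_scim_user(sample)
    print(json.dumps(user, indent=2))
    print(validate_scim_user(user) or "OK")
```

Comparing this output with the request body shown in Reports > System Log is a quick way to spot a mapping that sends the wrong type or omits the extension namespace.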