---
id: provision-with-okta
title: Provision with Okta
sidebar_label: Provision with Okta
description: Learn how to provision users in Sumo Logic with Okta.
slug: /help/docs/manage/security/scim/provision-with-okta/
canonical: https://www.sumologic.com/help/docs/manage/security/scim/provision-with-okta/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
This article describes how to provision users in Sumo Logic with Okta.
## Prerequisites
### Create an access key
Create an [access key](/docs/manage/security/access-keys/). (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from Okta into Sumo Logic.
When you create the access key, copy its access ID and access key values. You will enter these when you set up provisioning to use one of the following authorization methods:
* Basic authentication
   * Username: Access ID
   * Password: Access key
* Bearer token
   * Use [Base64 encoding](https://www.base64encode.org/) to Base64 encode `<access ID>:<access key>`.
### Set up SAML
If it is not already set up, [set up SAML for single sign-on with Okta](/docs/manage/security/saml/integrate-sumo-logic-with-okta/) in the Sumo Logic instance where you will provision users. This will allow connection to Sumo Logic for provisioning. Copy the single sign-on URL (Assertion Consumer URL) and entity ID from your Sumo Logic SAML configuration. You will use them when you set up provisioning.
## Configure provisioning with Okta
### Step 1: Create the app
1. [Log in to Okta](https://login.okta.com/) as an administrator.
1. Navigate to **Applications > Applications** and click **Create App Integration**.
1. Select **SAML 2.0** and click **Next**.
1. Provide a name in the **App Name** field and click **Next**.
1. Enter the **Single sign-on URL** and **Audience URI (SP Entity ID)** for your Sumo Logic instance:
Obtain the single sign-on URL (Assertion Consumer URL) and entity ID from the SAML configuration of the Sumo Logic tenant where you will provision users (see [Prerequisites](#prerequisites)).
1. Click **Next** and click **Finish**. The app displays in Okta.
### Step 2: Set up provisioning
1. Configure the general settings for the app:
   1. Click the **General** tab.
   1. Click **Edit** in the upper-right corner of the **App Settings** dialog for the app.
   1. For **Provisioning**, select **SCIM**.
   1. Click **Save**. A **Provisioning** tab appears for the app.
1. Configure provisioning integration settings:
   1. Click the **Provisioning** tab.
   1. Click **Integration** in the left menu, and then click **Edit**.
   1. **SCIM connector base URL**. Enter the [API endpoint for your deployment](/docs/api/about-apis/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for the [SCIM User Management APIs](/docs/api/scim-user/) using the format `<api-endpoint>/v1/scim/`. For example, `https://api.sumologic.com/api/v1/scim/`.
   1. **Unique identifier field for users**. Enter `userName`.
   1. **Supported provisioning actions**. Select:
      * **Import New Users and Profile Updates**
      * **Push New Users**
      * **Push Profile Updates**
   1. **Authentication Mode**. Select one of these authentication methods and enter your Sumo Logic access key credentials (see [Prerequisites](#prerequisites)):
      * **Basic Auth**. Basic authentication method. If you choose this method, enter your access key credentials in the fields that appear:
         * **Username**. Enter your access ID.
         * **Password**. Enter your access key.
      * **HTTP Header**. HTTP authorization header method. If you choose this option, use [Base64 encoding](https://www.base64encode.org/) to encode `<access ID>:<access key>` and enter the resulting value into the **Authorization | Bearer Token** field that appears.
   1. Click **Test Connector Configuration**. The results display.
   1. Click **Close** on the **Test Connector Configuration** dialog.
   1. Click **Save** to save the app provisioning integration settings.
1. Configure provisioning **To App** settings:
   1. Click the **Provisioning** tab.
   1. Click **To App** in the left menu, and then click **Edit**.
   1. Select **Enable** on:
      * **Create Users**
      * **Update User Attributes**
      * **Deactivate Users**
   1. Click **Save**.
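
Added example (not part of the Sumo Logic documentation): a local way to produce the values for either **Authentication Mode** and to check the connector URL format, so the access key is never pasted into an external encoding site. The credentials are constructed placeholders and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit


def okta_auth_values(access_id: str, access_key: str) -> dict:
    """Values to enter in Okta for each Authentication Mode (hypothetical helper)."""
    # Copy/paste often drags along a trailing newline, which would change the Base64.
    access_id, access_key = access_id.strip(), access_key.strip()
    if not access_id or not access_key:
        raise ValueError("access ID and access key are both required")
    if ":" in access_id:
        # HTTP Basic credentials (RFC 7617) are split at the first colon,
        # so the ID part cannot contain one.
        raise ValueError("access ID must not contain ':'")
    if any(ch.isspace() for ch in access_id + access_key):
        raise ValueError("whitespace inside a credential")
    pair = f"{access_id}:{access_key}".encode("utf-8")
    return {
        "basic_auth": {"username": access_id, "password": access_key},
        "bearer_token": base64.b64encode(pair).decode("ascii"),
    }


def check_scim_base_url(url: str) -> str:
    """Check the SCIM connector base URL against the /v1/scim/ format."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("use an https:// API endpoint")
    if parts.query or parts.fragment:
        raise ValueError("no query string or fragment expected")
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    if not path.endswith("/v1/scim/"):
        raise ValueError("path must end with /v1/scim/")
    return f"https://{parts.netloc}{path}"


if __name__ == "__main__":
    # Constructed placeholder credentials, not real Sumo Logic values.
    values = okta_auth_values("EXAMPLEACCESSID\n", "EXAMPLEACCESSKEY0123456789")
    print("Authorization | Bearer Token:", values["bearer_token"])
    print("SCIM connector base URL:",
          check_scim_base_url("https://api.sumologic.com/api/v1/scim"))
```
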
### Step 3: Set up roles
1. Add the **Roles** attribute to the default Okta user profile:
   1. Navigate to **Directory > Profile Editor** and select **Okta User (default)**.
   1. In the **Profile Editor**, click **Add Attribute**.
   1. Fill out the **Add Attribute** dialog:
      1. **Data type**. Select **string**.
      1. **Display name**. Enter `Roles`.
      1. **Variable name**. Enter `roles`.
      1. For **Enum** select **Define enumerated list of values** and enter the following:

         | Display name | Value |
         | :-- | :-- |
         | `User` | `user` |
         | `Administrator` | `administrator` |
         | `Analyst` | `analyst` |

      1. **User permission**. Select **Read-Write**.
   1. Click **Save**.
1. Add the **Roles** attribute to the provisioning app user profile:
   1. Navigate to **Directory > Profile Editor** and select the user for the app you created in Step 1.
   1. In the **Profile Editor**, click **Add Attribute**.
   1. Fill out the **Add Attribute** dialog:
      1. **Data type**. Select **string**.
      1. **Display name**. Enter `Roles`.
      1. **Variable name**. Enter `roles`.
      1. **External name**. Enter `roles.^[primary==true].value`.
      1. **External namespace**. Enter `urn:ietf:params:scim:schemas:core:2.0:User`.
      1. For **Enum** select **Define enumerated list of values** and enter the same roles you added to the Okta user above:

         | Display name | Value |
         | :-- | :-- |
         | `User` | `user` |
         | `Administrator` | `administrator` |
         | `Analyst` | `analyst` |

      1. **Attribute type**. Select **Group**.
   1. Click **Save**.
### Step 4: Set up attribute mappings
1. Navigate to **Applications > Applications** and select the app you created in Step 1.
1. Edit the attributes pushed from Okta to the provisioning app.
   1. Select **To App**.
   1. Select the **Provisioning** tab and scroll down to the app's **Attribute Mappings** section.
   1. Delete all the attributes except:
      * Username
      * Given name
      * Family name
      * Email
1. Edit attributes that will be pushed from the provisioning app to Okta.
   1. Select **To Okta**.
   1. Select the **Provisioning** tab and scroll down to the **Okta Attribute Mappings** section.
   1. Delete all the attributes except:
      * User name
      * First name
      * Last name
      * Primary email
1. Edit the attributes in the app profile.
   1. Navigate to **Directory > Profile Editor** and select the user for the app you created in Step 1.
   1. Delete all the attributes except:
      * User name
      * Given name
      * Family name
      * Primary email
      * Roles
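
Added example, not taken from the Sumo Logic or Okta documentation: what the external name `roles.^[primary==true].value` selects in a SCIM core User resource, plus a check that a payload carries only the attributes kept in Step 4 and a role from the Step 3 list. The payload shape follows the SCIM core schema (RFC 7643) and is an assumption about what is sent; the function names and the sample user are constructed.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_ROLES = {"user", "administrator", "analyst"}  # enum values from Step 3
# Attributes kept in Step 4, plus SCIM bookkeeping fields (assumed).
KEPT_ATTRIBUTES = {"schemas", "userName", "name", "emails", "roles", "active"}


def build_scim_user(user_name, given_name, family_name, email, role):
    """SCIM core User carrying only the attributes kept in Step 4 (assumed shape)."""
    return {
        "schemas": [CORE_USER],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "roles": [{"value": role, "primary": True}],
        "active": True,
    }


def primary_role(scim_user):
    """Evaluate roles.^[primary==true].value: first roles entry with primary true."""
    for entry in scim_user.get("roles", []):
        if entry.get("primary") is True:
            return entry.get("value")
    return None


def review(scim_user):
    """Return findings for a payload that does not match Steps 3 and 4."""
    findings = []
    extra = sorted(set(scim_user) - KEPT_ATTRIBUTES)
    if extra:
        findings.append(f"unexpected attributes: {', '.join(extra)}")
    primaries = [r for r in scim_user.get("roles", []) if r.get("primary") is True]
    if len(primaries) != 1:
        findings.append(f"expected exactly one primary role, found {len(primaries)}")
    role = primary_role(scim_user)
    if role is not None and role not in ALLOWED_ROLES:
        findings.append(f"role {role!r} is not in the enumerated list")
    return findings


if __name__ == "__main__":
    # Constructed sample user, not taken from a real tenant.
    user = build_scim_user("jdoe@example.com", "Jane", "Doe", "jdoe@example.com", "analyst")
    print(primary_role(user), review(user))
```
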
### Step 5: Assign the app to people
1. Select the app's **Assignments** tab.
1. Select **Assign > Assign to people**.
1. Select a user and click **Assign**.
1. Select a role for the user.
1. Click **Save and go back**.
1. Continue to assign users. When finished, click **Done**.
1. The assigned users are displayed in the **Assignments** tab.
### Step 6: Verify provisioning
As soon as users are assigned to the app, they are provisioned into Sumo Logic.
1. Verify in Okta:
   1. Navigate to **Reports > System Log** to see the log.
   1. The log should show that users you added to the app are pushed to Sumo Logic with an event info message like **Push new user to external application SUCCESS**.
1. Verify in Sumo Logic:
   1. Log in to the Sumo Logic instance that you linked to the provisioning app in [Step 2](#step-2-set-up-provisioning) when you provided the Assertion Consumer URL and entity ID.
   1. [**New UI**](/docs/get-started/sumo-logic-ui). In the main Sumo Logic menu select **Administration**, and then under **Users and Roles** select **Users**. You can also click the **Go To...** menu at the top of the screen and select **Users**.
      [**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Administration > Users and Roles > Users**.
   1. Search for the users provisioned from Okta.
   1. You should see the users listed, each with the role given to them when you assigned them to the app in Okta.
## Syncing between Okta and Sumo Logic
When you modify the name, email, or role of a user assigned to the app in Okta, the changes will be synced to the corresponding user in Sumo Logic.
If you unassign a user from the app in Okta, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from Okta.)