> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Walkthrough for Okta WIC Connection Setup via OpenID SCIM

# Inbound SCIM for Okta Workforce Connections

<Card title="Before you start">
  Enable Okta Workforce Identity as an identity provider by following the instructions on the [Identity Providers help page](/docs/authenticate/identity-providers/enterprise-identity-providers/okta).

  This integration will require two applications to be registered in Okta Workforce: the OpenID Connect integration and the SCIM integration. The same users and groups must be assigned to both. To eliminate this requirement and streamline the setup process for your customers, [submit your app to the Okta Integration Network](https://developer.okta.com/docs/guides/submit-app-overview/).
</Card>

This section describes how to configure a custom <Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect and SCIM app integration in an Okta Workforce Identity tenant, which can be used to provision users to your Auth0 SCIM endpoint.

For information on configuring a <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> and SCIM integration with Okta Workforce Identity, see [Inbound SCIM for Okta Workforce SAML Connections](/docs/authenticate/protocols/scim/inbound-scim-for-okta-workforce-saml-connections) instead.

### Configure SCIM settings in Auth0

1. Launch the [Auth0 Dashboard](https://manage.auth0.com/#/) and go to the **Authentication > Enterprise > Okta Workforce > \[your-connection] > Provisioning.**
2. Disable **Sync user profile attributes at each login** unless you want to [sync additional attributes at login](/docs/authenticate/protocols/scim/configure-inbound-scim).
3. In the same section, enable **Sync user profiles using SCIM**.
4. On the **Mapping** tab, ensure the **SCIM attribute containing the User ID** is set to **externalId**.

You can also check **Additional Mappings** to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes.

### Retrieve SCIM endpoint URL and token

1. In the Auth0 dashboard, browse to the SCIM **Setup** tab and copy the **SCIM Endpoint URL,** then paste it somewhere safe.
2. Select **Generate New Token** and set an optional expiration date for the token. You can optionally select the scopes you want to grant to Okta Workforce; the default requires scopes used by Okta Workforce are `get:users`, `post:users`, and `put:users`.

### Configure SCIM in Okta Workforce for OIDC Apps

1. Confirm that an OpenID Connect application [has already been registered](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) in the Okta Workforce tenant for OIDC-based user authentication.
2. Confirm that your OpenID Connect application has [disabled Federation Broker Mode](https://help.okta.com/en-us/content/topics/apps/apps-fbm-main.htm).
3. Register a second application in the Okta portal by selecting **Applications** > **Applications,** then choose **Create App Integration, Secure Web Authentication**, and **Next**.
4. On the **General App Settings** page, set a name and a URL, then select **Do not display application icon to users**. The URL entered is not used in the SCIM integration.
5. Select **Finish**.
6. Navigate to the **General** tab, then choose **Edit** and go to the **Provisioning** section.
7. Choose **SCIM,** then **Save**.
8. Navigate to the integration's **Provisioning** tab and then the **Integration** tab.
9. Select **Edit,** then go to the **SCIM connector base URL** section and enter the **SCIM Endpoint URL** value you copied earlier.
10. For **Unique identifier field for users**, enter **userName**.
11. Under **Supported provisioning actions**, select **Push New Users** and **Push Profile Updates,** then choose **HTTP Header** as the **Authentication Mode.**
12. Paste the token value into the **Authorization** field, picking **Test Connection Configuration** if you want to test the connection. Choose **Save**.
13. Browse to **Provisioning > Settings > To App** and choose **Edit**.
14. Enable **Create Users, Update User Attributes,** and **Deactivate users.** Choose **Save**.
15. Under the **Attribute Mappings** section, use the **X** button to **delete** the following lines, which are not needed and may cause issues during PUT operations:

<table class="table">
  <thead>
    <tr>
      <th>Attribute</th>
      <th>Value</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Primary email type</td>
      <td><code>(user.email != null && user.email != '') ? 'work' : ‘'</code></td>
    </tr>

    <tr>
      <td>Primary phone type</td>
      <td><code>(user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ‘'</code></td>
    </tr>

    <tr>
      <td>Address type</td>
      <td><code>(user.streetAddress != null && user.streetAddress != '') ? 'work' : ‘'</code></td>
    </tr>
  </tbody>
</table>

Use the **Attribute Mappings** section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property. For more information on external namespaces, read [Okta's help section](https://support.okta.com/help/s/article/Receiving-Invalid-externalNamespace-task-error-when-assigning-a-user-to-a-SCIMenabled-application).

You can now test user provisioning in the **Assignments** tab and test update operations by editing the user attributes in the **Directory > People** section of your Okta admin portal.
