Configure Okta for Genesys Cloud SCIM (Identity Management)

Note: This article applies to Genesys Cloud SCIM (Identity Management).

To use Genesys Cloud SCIM (Identity Management), configure Okta to sync user entities to Genesys Cloud. In Okta Integration Network, add an application that you configure to work with the SCIM APIs. Then link Okta groups to Genesys Cloud.

Important: Genesys Cloud currently supports only unidirectional syncing from identity management systems to Genesys Cloud. Any changes made in Genesys Cloud will not be synced to the identity management systems and may be overwritten. For more information, see Does Genesys Cloud SCIM sync information from Genesys Cloud to identity management systems?.

Prerequisites

Token generation

Generate a token to use for Provisioning.

  1. Open Postman.
  2. Import the Genesys Cloud Client Credentials collection for the appropriate collection format from the following links:
    • Collection Format v1: https://www.getpostman.com/collections/06d3bac569ec729f0a59
    • Collection Format v2: https://www.getpostman.com/collections/b4f0048c7fc833b914c2
  3. Replace {{environment}} in the POST API call with the login URL where your Genesys Cloud organization is located, for example, https://login.mypurecloud.com/oauth/token. For a list of regional URLs, see Platform API (Genesys Cloud Developer Center). 
  4. Under Authorization, add the following information:
    1. Username: Enter the Client ID from the Genesys Cloud OAuth client you created.
    2. Password: Enter the Client Secret from the Genesys Cloud OAuth client you created.
  5. Click Send. Your access token appears in the response body. You will use this token when you provision Okta. See the Provisioning section.
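
The same token request without Postman, as an added example (not part of the Genesys or Okta documentation). It assumes the OAuth client uses the client credentials grant, as the collection name indicates; the environment variable names GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET are hypothetical.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def build_token_request(login_url, client_id, client_secret):
    """Build the client-credentials POST described in the steps above."""
    parts = urllib.parse.urlsplit(login_url)
    # The client secret travels in the Authorization header, so refuse plain HTTP.
    if parts.scheme != "https" or parts.path != "/oauth/token":
        raise ValueError("expected an https://login.<region>/oauth/token URL")
    # Username = Client ID, Password = Client Secret (HTTP Basic authentication).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        login_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_access_token(request, timeout=10):
    """Send the request and return only the access_token field of the response."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Read the secret from the environment (assumed variable names) so it
    # does not end up in shell history or in the script itself.
    req = build_token_request(
        "https://login.mypurecloud.com/oauth/token",
        os.environ["GENESYS_CLIENT_ID"],
        os.environ["GENESYS_CLIENT_SECRET"],
    )
    # The token is a bearer credential: paste it into Okta's API Token
    # field and keep it out of logs and tickets.
    print(fetch_access_token(req))
```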

Application setup

Add the Genesys Cloud application.

  1. Log in to Okta Integration Network.
  2. Click Add Application.
  3. Search for and click Genesys Cloud.
  4. Click Add.

Sign On

Configure the Application username format.

  1. Under Settings, click Edit.
  2. For Application username format, select Email.
  3. Click Save.

Provisioning

The Genesys Cloud SCIM application in Okta supports the following provisioning features:

To App

  1. (Optional) Enable Create Users.
  2. (Optional) Enable Update User Attributes. This setting allows Okta to update a user’s attributes when the app is assigned. Future attribute changes in Okta user profiles automatically replace the corresponding attribute value in the Genesys Cloud application.
  3. (Optional) Enable Deactivate Users. This setting deactivates a user's account in the Genesys Cloud application when the account is unassigned or deactivated in Okta.
  4. (Optional) Enable Sync Password. This setting creates a password for each user and pushes the passwords to the Genesys Cloud application.
  5. (Optional) Attribute mappings. The Okta application automatically configures mappings for multiple phone numbers and email addresses. You can modify these mappings or add new attributes to the existing mappings.

    The mappings allow a one-way push from Okta to Genesys Cloud. For a table that shows the relationship between SCIM and Genesys Cloud fields, see SCIM and Genesys Cloud field mappings.

    Important: Genesys Cloud converts any phone numbers from Okta to the E.164 format. As a result, if you configure Okta to pull phone numbers from Genesys Cloud and those numbers differ from the ones in Okta, the differences in phone number formatting cause continual updates. To prevent continual updates, convert phone numbers in Okta to conform to the E.164 format.
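
One way to find the Okta phone values that would trigger this reformatting, as an added example (not from the Genesys or Okta documentation). The profile data is constructed, and the script only strips separators from numbers that already carry a country code; values without one are flagged for manual correction rather than guessed.

```python
import re

# E.164: "+" followed by country code and subscriber number, at most
# 15 digits in total, and the first digit is never 0.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")
# Formatting characters commonly typed into a phone field.
SEPARATORS = re.compile(r"[\s().\-]")


def to_e164(raw):
    """Return (value, status) for one phone attribute.

    status is "ok" (already E.164), "reformat" (same number with the
    separators stripped) or "manual" (no country code, extension, etc.).
    """
    if E164.match(raw):
        return raw, "ok"
    stripped = SEPARATORS.sub("", raw)
    if E164.match(stripped):
        return stripped, "reformat"
    return raw, "manual"


def audit(profiles):
    """List (login, attribute, current, proposed, status) for non-E.164 values."""
    findings = []
    for login, phones in profiles.items():
        for attr, raw in phones.items():
            value, status = to_e164(raw)
            if status != "ok":
                findings.append((login, attr, raw, value, status))
    return findings


# Constructed sample profiles using Okta's primaryPhone and mobilePhone attributes.
SAMPLE = {
    "ana@example.com": {"primaryPhone": "+13175550123",
                        "mobilePhone": "+1 (317) 555-0124"},
    "raj@example.com": {"primaryPhone": "317-555-0125"},
    "li@example.com": {"mobilePhone": "+44 20 7946 0958 x12"},
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```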

Integration

Enter admin credentials and test the connection.

  1. Under Provisioning, click Integration.
  2. Add the following information.
    1. SCIM Domain: Enter the URL of the SCIM endpoint. Use the domain associated with the location of your Genesys Cloud organization:
      Genesys Cloud region      Domain
      Americas (Canada)         api.cac1.pure.cloud
      Americas (US East)        api.mypurecloud.com
      Americas (US West)        api.usw2.pure.cloud
      Asia Pacific (Mumbai)     api.aps1.pure.cloud
      Asia Pacific (Seoul)      api.apne2.pure.cloud
      Asia Pacific (Sydney)     api.mypurecloud.com.au
      Asia Pacific (Tokyo)      api.mypurecloud.jp
      EMEA (Dublin)             api.mypurecloud.ie
      EMEA (Frankfurt)          api.mypurecloud.de
      EMEA (London)             api.euw2.pure.cloud
    2. API Token: Enter the bearer token. The bearer token is the access token returned when you made an API call in Postman. See the Token generation section.
  3. Click Test API Credentials.
  4. Click Save.

Groups

Link groups that you want to sync from Okta to Genesys Cloud. 

Notes:
  • Provisioning cannot create or delete groups in Genesys Cloud. 
  • Group names must be the same (case insensitive) in both applications. Otherwise, Okta cannot sync user membership to Genesys Cloud.

  1. Click the Push Groups tab.
  2. Click the Push Groups button and search for groups to push.
    Tip: Genesys recommends linking groups that are exact matches in both Okta and Genesys Cloud. Otherwise, Okta will attempt to rename the group, which could cause confusion if resources other than Okta and the Genesys Cloud application use this group.

    Note: The Push Now action of group sync has an unusual behavior: it can remove a large number of members from a group. If you use the group to assign roles in Genesys Cloud, a large number of members of the group can lose permissions for an extended time. Genesys Cloud SCIM blocks any single action that tries to remove more than 1000 members from a group, which protects you from this unusual behavior of the Push Now action.
  3. Click Save.
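
A preflight check for the group rules above, as an added example (not from the Genesys or Okta documentation). It assumes you have exported the group names and member lists from both systems yourself; the function names and sample data are constructed for illustration.

```python
REMOVAL_LIMIT = 1000  # SCIM blocks a single action removing more than this


def classify_groups(okta_names, genesys_names):
    """Sort Okta groups by how they would link to existing Genesys Cloud groups."""
    by_folded = {name.casefold(): name for name in genesys_names}
    result = {"exact": [], "case_differs": [], "missing": []}
    for name in okta_names:
        target = by_folded.get(name.casefold())
        if target is None:
            # Provisioning cannot create groups, so membership cannot sync.
            result["missing"].append(name)
        elif target == name:
            result["exact"].append(name)
        else:
            # Matches only case-insensitively: Okta will attempt a rename.
            result["case_differs"].append((name, target))
    return result


def removal_check(current_members, pushed_members):
    """Return (removed_count, blocked) for one push against one group."""
    removed = set(current_members) - set(pushed_members)
    return len(removed), len(removed) > REMOVAL_LIMIT


if __name__ == "__main__":
    # Constructed sample data.
    okta = ["Support", "sales", "Billing"]
    genesys = ["Support", "Sales", "QA"]
    print(classify_groups(okta, genesys))

    current = [f"user{i}" for i in range(1500)]   # members now in Genesys Cloud
    pushed = [f"user{i}" for i in range(400)]     # members Okta would push
    count, blocked = removal_check(current, pushed)
    print(f"push would remove {count} members; blocked by SCIM: {blocked}")
```

A removal count that is large but at or below the limit is not blocked, so review it before pushing if the group assigns roles.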

For more information, see Configure Group Linking in the Okta documentation.

For information about issues, see Troubleshoot Genesys Cloud SCIM (Identity Management).

For information about Genesys Cloud SCIM (Identity Management), see About Genesys Cloud SCIM (Identity Management) and Genesys Cloud SCIM (Identity Management) overview (Genesys Cloud Developer Center).