Configure Okta for Genesys Cloud SCIM (Identity Management)
To use Genesys Cloud SCIM (Identity Management), configure Okta to sync user entities to Genesys Cloud. In Okta Integration Network, add an application that you configure to work with the SCIM APIs. Then link Okta groups to Genesys Cloud.
- Genesys Cloud OAuth client. For more information, see Create an OAuth client (Genesys Cloud SCIM tab).
Token generation
Generate a token to use for Provisioning.
- Open Postman.
- Import the Genesys Cloud Client Credentials collection for the appropriate collection format from the following links:
- Collection Format v1: https://www.getpostman.com/collections/06d3bac569ec729f0a59
- Collection Format v2: https://www.getpostman.com/collections/b4f0048c7fc833b914c2
- Replace {{environment}} in the POST API call with the login URL where your Genesys Cloud organization is located, for example, https://login.mypurecloud.com/oauth/token. For a list of regional URLs, see Platform API (Genesys Cloud Developer Center).
- Under Authorization, add the following information:
- Username: Enter the Client ID from the Genesys Cloud OAuth client you created.
- Password: Enter the Client Secret from the Genesys Cloud OAuth client you created.
- Click Send. Your access token appears in the response body. You will use this token when you provision Okta. See the Provisioning section.
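The same token request, scripted instead of sent from Postman. This is an added example, not Genesys or Okta code. It assumes the standard OAuth client-credentials form body (`grant_type=client_credentials`), that the login host mirrors the API host (`api.X` to `login.X`, as in the page's `login.mypurecloud.com` example), and hypothetical environment variable names for the credentials.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def login_url_for(api_domain: str) -> str:
    # Assumption: login host is the API host with "api." swapped for "login."
    if not api_domain.startswith("api."):
        raise ValueError(f"expected an api.* domain, got {api_domain!r}")
    return "https://login." + api_domain[len("api."):] + "/oauth/token"


def build_token_request(api_domain: str, client_id: str, client_secret: str):
    # Client ID / Client Secret go in HTTP Basic auth, exactly as in Postman.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        login_url_for(api_domain),
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_token(request, timeout: int = 10) -> str:
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Hypothetical variable names; keep the secret out of shell history and files.
    req = build_token_request(
        os.environ["GENESYS_API_DOMAIN"],
        os.environ["GENESYS_CLIENT_ID"],
        os.environ["GENESYS_CLIENT_SECRET"],
    )
    token = fetch_token(req)
    # The token is a bearer credential: report its presence, never its value.
    print(f"access token received ({len(token)} characters)")
```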
Application setup
Add the Genesys Cloud application.
- Log in to Okta Integration Network.
- Click Add Application.
- Search for and click Genesys Cloud.
- Click Add.
Sign On
Configure the Application username format.
- Under Settings, click Edit.
- For Application username format, select Email.
- Click Save.
Provisioning
The Genesys Cloud SCIM application in Okta supports the following provisioning features:
To App
- (Optional) Enable Create Users.
- (Optional) Enable Update User Attributes. This setting allows Okta to update a user’s attributes when the app is assigned. Future attribute changes in Okta user profiles automatically replace the corresponding attribute value in the Genesys Cloud application.
- (Optional) Enable Deactivate Users. This setting deactivates a user’s account in the Genesys Cloud application when the account is unassigned or deactivated in Okta.
- (Optional) Enable Sync Password. This setting creates a password for each user and pushes the passwords to the Genesys Cloud application.
- (Optional) Attribute mappings. The Okta application automatically configures mappings for multiple phone numbers and email addresses. You can modify these mappings or add new attributes to the existing mappings.
The mappings allow a one-way push from Okta to Genesys Cloud. For a table that shows the relationship between SCIM and Genesys Cloud fields, see SCIM and Genesys Cloud field mappings.
Important: Genesys Cloud converts any phone numbers from Okta to the E.164 format. As a result, if you configure Okta to pull phone numbers from Genesys Cloud that are different, you will cause continual updates due to differences in the phone number formatting. To prevent continual updates, convert phone numbers in Okta to conform to the E.164 format.
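An added example (not Genesys or Okta code) that audits exported Okta phone values before provisioning and sorts them into already E.164, safely rewritable, and needing manual review. The normalizer is a conservative assumption, not Genesys Cloud's own conversion logic: it treats a leading `00` as the international prefix and refuses extensions and national trunk prefixes. The sample profiles are constructed.

```python
import re

E164 = re.compile(r"\+[1-9]\d{1,14}")       # '+' then at most 15 digits
ALLOWED = re.compile(r"[\d\s().+-]+")       # digits and common separators only


def to_e164(raw, default_cc=None):
    """Return the E.164 form of raw, or None when it cannot be derived safely."""
    text = raw.strip()
    if not ALLOWED.fullmatch(text) or "+" in text[1:]:
        return None                          # letters, extensions, stray '+'
    digits = re.sub(r"\D", "", text)
    if text.startswith("+"):
        candidate = "+" + digits
    elif digits.startswith("00"):
        candidate = "+" + digits[2:]         # assumed international prefix
    elif default_cc and not digits.startswith("0"):
        candidate = "+" + default_cc + digits
    else:
        return None                          # trunk prefix or unknown country
    return candidate if E164.fullmatch(candidate) else None


def audit(profiles, default_cc=None):
    """Classify (login, phone) pairs by how they relate to E.164."""
    report = {"ok": [], "rewrite": [], "manual": []}
    for login, phone in profiles:
        fixed = to_e164(phone, default_cc)
        if fixed is None:
            report["manual"].append((login, phone))
        elif fixed == phone:
            report["ok"].append(login)
        else:
            report["rewrite"].append((login, phone, fixed))
    return report


# Constructed sample data standing in for an Okta profile export.
SAMPLE = [
    ("a.ng@example.com", "+13175550100"),
    ("b.ortiz@example.com", "+1 (317) 555-0101"),
    ("c.shah@example.com", "317-555-0102"),
    ("d.kim@example.com", "0044 20 7946 0958"),
    ("e.roy@example.com", "317 555 0103 x22"),
    ("f.lee@example.com", "020 7946 0958"),
]

if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE, default_cc="1").items():
        print(bucket, rows)
```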
Integration
Enter admin credentials and test the connection.
- Under Provisioning, click Integration.
- Add the following information.
- SCIM Domain: Enter the URL of the SCIM endpoint. Use the domain associated with the location of your Genesys Cloud organization:
| Genesys Cloud region | Domain |
| --- | --- |
| Americas (Canada) | api.cac1.pure.cloud |
| Americas (US East) | api.mypurecloud.com |
| Americas (US West) | api.usw2.pure.cloud |
| Asia Pacific (Mumbai) | api.aps1.pure.cloud |
| Asia Pacific (Seoul) | api.apne2.pure.cloud |
| Asia Pacific (Sydney) | api.mypurecloud.com.au |
| Asia Pacific (Tokyo) | api.mypurecloud.jp |
| EMEA (Dublin) | api.mypurecloud.ie |
| EMEA (Frankfurt) | api.mypurecloud.de |
| EMEA (London) | api.euw2.pure.cloud |

- API Token: Enter the bearer token. The bearer token is the access token returned when you made an API call in Postman. See the Token generation section.
- Click Test API Credentials.
- Click Save.
Groups
Link groups that you want to sync from Okta to Genesys Cloud.
- Provisioning cannot create or delete groups in Genesys Cloud.
- Group names must be the same (case insensitive) in both applications. Otherwise, Okta cannot sync user membership to Genesys Cloud.
- Click the Push Groups tab.
- Click the Push Groups button and search for groups to push.
Tip: Genesys recommends linking groups that are exact matches in both Okta and Genesys Cloud. Otherwise, Okta will attempt to rename the group, which could cause confusion if resources other than Okta and the Genesys Cloud application use this group.
Notes: The Push Now action of group sync has an unusual behavior of removing a large number of members from a group. If you use the group to assign roles in Genesys Cloud, a large number of members of the group can lose permissions for an extended time. Genesys Cloud SCIM blocks any single action that tries to remove more than 1000 members from a group and protects you from this unusual behavior of the Push Now action.
- Click Save.
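A pre-flight check for the group rules above, as an added example that is not Genesys or Okta code. It takes group name to member-set mappings that you have already exported from both sides (the data here is constructed) and flags groups that do not exist in Genesys Cloud, names that differ only by case, and pushes that would remove more than 1000 members. Case-insensitive comparison via `casefold()` is an assumption about how names are matched.

```python
REMOVAL_LIMIT = 1000  # single-action removal limit stated on this page


def preflight(okta_groups, genesys_groups):
    """Return (okta_group, code, detail) findings for groups about to be linked."""
    by_folded = {name.casefold(): name for name in genesys_groups}
    findings = []
    for name, members in okta_groups.items():
        target = by_folded.get(name.casefold())
        if target is None:
            # Provisioning cannot create groups in Genesys Cloud.
            findings.append((name, "missing", "no matching Genesys Cloud group"))
            continue
        if target != name:
            findings.append((name, "case-differs", f"Okta would rename {target!r}"))
        # Members present in Genesys Cloud but not in Okta would be removed.
        removed = genesys_groups[target] - members
        if len(removed) > REMOVAL_LIMIT:
            findings.append((name, "blocked-removal", f"{len(removed)} members"))
        elif removed:
            findings.append((name, "removes-members", f"{len(removed)} members"))
    return findings


# Constructed sample data; member sets hold lower-cased email addresses.
OKTA = {
    "Support": {f"u{i}@example.com" for i in range(5)},
    "Billing": {"x@example.com", "y@example.com"},
    "Sales": {"z@example.com"},
}
GENESYS = {
    "support": {f"u{i}@example.com" for i in range(1205)},
    "Billing": {"x@example.com", "y@example.com"},
}

if __name__ == "__main__":
    for finding in preflight(OKTA, GENESYS):
        print(*finding, sep=" | ")
```

A `blocked-removal` or `removes-members` finding on a group used for role assignment means members would lose permissions, so reconcile membership before linking.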
Link large groups
To link large existing groups, use the following procedure:
- Click the Push Groups tab.
- Edit the group rule to empty the group.
- To configure the group under Push Groups, click Push Groups and add the Okta group so it starts syncing to the app.
- Update the group rule again to apply the correct conditions so users are added back into the group and pushed to the app.
- If the sync appears to stop, toggle the group’s status from Active to Inactive, then back to Active in the Push Groups list to restart the job.
If you use the Push Status dropdown and select Push Now, Okta attempts to remove all users from the target group in the application and starts dropping users. Then, the job can stall without showing an error. To recover from this state:
- In the Push Groups tab, unlink the Okta group from the app group. Do not delete the group in the application.
- Add the same Okta group again using the +Push Groups option. Okta will stop the stuck removal job and begin re-adding any missing users to the app group.
For more information, see Configure Group Linking in the Okta documentation.
For information about issues, see Troubleshoot Genesys Cloud SCIM (Identity Management).
For information about Genesys Cloud SCIM (Identity Management), see About Genesys Cloud SCIM (Identity Management) and Genesys Cloud SCIM (Identity Management) overview (Genesys Cloud Developer Center).
