
# Okta authorization for SCIM

Collibra supports only basic authentication and bearer token authentication with a JWT.

{% tabs %}
{% tab title="Basic authentication" %}
To set up basic authentication, you create a new SCIM application and authenticate with Collibra:

{% stepper %}
{% step %}
Sign in to your Okta Admin Console and go to **Applications** → **Browse App Catalog**.
{% endstep %}

{% step %}
Search for and select the **SCIM 2.0 Test App (Basic Auth)** application.
{% endstep %}

{% step %}
Click **Add Integration**.
{% endstep %}

{% step %}
Modify the application label as needed.
{% endstep %}

{% step %}
Click **Next** to select the **Sign-On options**.
{% endstep %}

{% step %}
Select the required **Sign-On method**.
{% endstep %}

{% step %}
Click **Done** to create the application.\
Your newly created application appears in the list of **Applications**.
{% endstep %}

{% step %}
From the list of applications, select your new application → **Provisioning** → **Integration**.
{% endstep %}

{% step %}
Click **Configure API Integration** to enable the integration between Okta and Collibra SCIM.
{% endstep %}

{% step %}
Select the **Enable API integration** check box and enter the required information:

* **SCIM 2.0 Base Url**: The endpoint of the Collibra SCIM API, for example `https://<your_collibra_url>/rest/scim/v2`.
* **Username**: The user name of a dedicated Collibra user for this integration.
* **Password**: The password of a dedicated Collibra user for this integration.
{% endstep %}

{% step %}
Click **Test API Credentials**.\
If your credentials are successfully verified, Okta displays a confirmation message.
{% endstep %}

{% step %}
Click **Save** to complete the process.
{% endstep %}
{% endstepper %}
{% endtab %}

{% tab title="JWT authentication" %}

## Obtain a client ID and secret

{% stepper %}
{% step %}
Sign in to your Okta Admin Console and go to **Applications** → **Create App Integration**.
{% endstep %}

{% step %}
In the **Create a new app integration** dialog box, select **API Services**.
{% endstep %}

{% step %}
Click **Next**.
{% endstep %}

{% step %}
In the **New API Services App Integration** section, enter the name of your integration.
{% endstep %}

{% step %}
Click **Save**.\
Your newly created application appears under **Applications** in Okta.
{% endstep %}

{% step %}
From the list of applications, open your new application.
{% endstep %}

{% step %}
Copy the **Client ID** and **Client Secret** for future use.
{% endstep %}
{% endstepper %}

## Obtain the **sub** and **aud** parameters

{% stepper %}
{% step %}
Sign in to your Okta Admin Console and go to **Security** → **API**.
{% endstep %}

{% step %}
Create a new scope:

1. In the **Authorization servers** section, select the **default** server → **Scopes**.
2. Click **Add Scope**.
3. In the **Add Scope** dialog box, enter the required information.
4. Click **Save** and copy the scope name for future use.
{% endstep %}

{% step %}
Obtain the **jwks_uri** and **issuer** parameters:

1. In the **Authorization servers** section, select the **default** server → **Settings**.
2. Click the **Metadata URI** link.
3. From the JSON response, copy the **jwks_uri** and **issuer** values for future use.
{% endstep %}

{% step %}
Obtain an access token:

1. Send a POST request to the */v1/token* endpoint of the **issuer**, using your client ID, secret, and scope name:

   ```bash
   # Client-credentials grant against the Okta authorization server.
   # The Basic credential is base64(client_id:client_secret) as defined in RFC 7617
   # (a colon separates the two values).
   curl --request POST \
     --url '<issuer>/v1/token' \
     --header 'accept: application/json' \
     --header 'authorization: Basic <base64_encoded(client_id:client_secret)>' \
     --header 'cache-control: no-cache' \
     --header 'content-type: application/x-www-form-urlencoded' \
     --data 'grant_type=client_credentials&scope=<scope_name>'
   ```
2. From the response, copy the access token.
{% endstep %}

{% step %}
Obtain the **sub** and **aud** parameters:

1. Decode the JWT with an application such as [JWT.io](https://jwt.io).
2. Copy the **sub** and **aud** parameters for future use.
{% endstep %}
{% endstepper %}

## Register the JWKS endpoint with Collibra

Follow the instructions to [Register the JWKS endpoint](https://productresources.collibra.com/docs/collibra/latest/Default.htm#cshid=DOC0773) with Collibra and use the following values:

| Collibra Console field | Value                                                              |
| ---------------------- | ------------------------------------------------------------------ |
| JSON Web Key Set URL   | The **jwks_uri** from the JSON response of the Metadata URI link.  |
| JWT Issuer             | The **issuer** from the JSON response of the Metadata URI link.    |
| JWT Audience           | The **aud** parameter from the decoded JWT.                        |

## Create a user in Collibra

Follow the instructions to [Create a user](https://productresources.collibra.com/docs/collibra/latest/Default.htm#cshid=DOC0655) in Collibra for your client application account:

| User details | Value                                                                                                              |
| ------------ | ------------------------------------------------------------------------------------------------------------------ |
| Username     | The **sub** parameter from the decoded JWT.                                                                        |
| User groups  | Assign the user to a group with elevated permissions, such as **Sysadmin**, or to a group with similar permissions. |
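To cross-check the values above before entering them, here is an added Python example (not Collibra's or Okta's code): it builds the client-credentials request from the curl step, decodes the JWT payload, and derives the three Collibra Console fields plus the Collibra username from the **iss**, **aud** and **sub** claims, refusing a token whose **iss** does not match the issuer from the Metadata URI. The issuer, audience, subject and scope values are constructed placeholders, and the sample token is unsigned.

```python
import base64
import json
from urllib.parse import urlencode

def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 7617: base64 of "client_id:client_secret" (a colon, not a semicolon)
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(issuer: str, client_id: str, client_secret: str, scope: str) -> dict:
    # The client-credentials POST from the curl step, built but not sent
    return {
        "url": issuer.rstrip("/") + "/v1/token",
        "headers": {"accept": "application/json",
                    "authorization": basic_auth_header(client_id, client_secret),
                    "content-type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "scope": scope}),
    }

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    # Decode the payload only; Collibra verifies the signature against the JWKS URL
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def collibra_values(token: str, metadata_issuer: str) -> dict:
    # Console fields and Collibra username, cross-checked against the metadata issuer
    claims = jwt_claims(token)
    if claims.get("iss") != metadata_issuer:
        raise ValueError(f"token iss {claims.get('iss')!r} != metadata issuer {metadata_issuer!r}")
    aud = claims["aud"]
    if isinstance(aud, list):  # RFC 7519 allows an array; Collibra takes one audience
        if len(aud) != 1:
            raise ValueError(f"expected exactly one audience, got {aud!r}")
        aud = aud[0]
    return {"jwt_issuer": claims["iss"], "jwt_audience": aud, "username": claims["sub"]}

# Constructed, unsigned sample token: placeholder issuer, audience and subject, dummy signature
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({"iss": SAMPLE_ISSUER, "aud": "api://default",
                        "sub": "0oaexampleclientid", "scp": ["collibra.scim"]}).encode()),
    "signature-placeholder",
])
```

Run `collibra_values(<your token>, <issuer from the metadata>)` on a real token to get the values for the two tables above; the **jwks_uri** still comes from the metadata response, since it is not a token claim.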

## Create a SCIM application

Create a new SCIM application and authenticate with Collibra:

{% stepper %}
{% step %}
Sign in to your Okta Admin Console and go to **Applications** → **Browse App Catalog**.
{% endstep %}

{% step %}
Search for and select the **SCIM 2.0 Test App (OAuth Bearer Token)** application.
{% endstep %}

{% step %}
Click **Add Integration**.
{% endstep %}

{% step %}
Modify the application label as needed.
{% endstep %}

{% step %}
Click **Next** to select the **Sign-On options**.
{% endstep %}

{% step %}
Select the required **Sign-On method**.
{% endstep %}

{% step %}
Click **Done** to create the application.\
Your newly created application appears under **Applications** in Okta.
{% endstep %}

{% step %}
From the list of applications, select your new application → **Provisioning** → **Integration**.
{% endstep %}

{% step %}
Click **Configure API Integration** to enable the integration between Okta and Collibra SCIM.
{% endstep %}

{% step %}
Select the **Enable API integration** check box and enter the required information:

* **SCIM 2.0 Base Url**: The endpoint of the Collibra SCIM API, for example `https://<your_collibra_url>/rest/scim/v2`.
* **OAuth Bearer Token**: Your JSON Web Token.
{% endstep %}

{% step %}
Click **Test API Credentials**.\
If your credentials are successfully verified, Okta displays a confirmation message.
{% endstep %}

{% step %}
Click **Save** to complete the process.
{% endstep %}
{% endstepper %}
{% endtab %}
{% endtabs %}

## Map SCIM app attributes

{% stepper %}
{% step %}
Sign in to your Okta Admin Console and select your application from the **Applications** list.
{% endstep %}

{% step %}
Select **Provisioning** → **To App**.
{% endstep %}

{% step %}
In the **Attribute Mappings** section, click **Go to Profile Editor**.
{% endstep %}

{% step %}
Click **Mappings** to open the **User Profile Mappings** dialog box.
{% endstep %}

{% step %}
In the **User Profile Mappings** dialog box, edit or add your desired mappings.

{% hint style="info" %}
Collibra supports a limited number of SCIM attributes.
{% endhint %}

| Attribute          | Attribute Type | Value                                                              | Apply on          |
| ------------------ | -------------- | ------------------------------------------------------------------ | ----------------- |
| Username           | Personal       | Configured in Sign On settings                                     |                   |
| Given name         | Personal       | `user.firstName`                                                   | Create and update |
| Family name        | Personal       | `user.lastName`                                                    | Create and update |
| Email              | Personal       | `user.email`                                                       | Create and update |
| Primary email type | Personal       | `(user.email !=null && user.email !='') ? 'work':''`               | Create and update |
| Display name       | Personal       | `user.displayname`                                                 | Create and update |
| Title              | Personal       | `user.title`                                                       | Create and update |
| Department         | Personal       | `user.department`                                                  | Create and update |
| Profile Url        | Personal       | `user.profileUrl`                                                  | Create            |
| Primary phone      | Personal       | `user.primaryPhone`                                                | Create and update |
| Primary phone type | Personal       | `(user.primaryPhone !=null && user.primaryPhone !='') ? 'work':''` | Create and update |
| Address type       | Personal       | `(user.addressType !=null && user.addressType !='') ? 'work':''`   | Create and update |
| Street address     | Personal       | `user.streetAddress`                                               | Create and update |
| Locality           | Personal       | `user.city`                                                        | Create and update |
| Region             | Personal       | `user.state`                                                       | Create and update |
| Postal Code        | Personal       | `user.zipCode`                                                     | Create            |
| Country            | Personal       | `user.countryCode`                                                 | Create and update |
| Locale Name        | Group          | `user.locale`                                                      | Create and update |
{% endstep %}

{% step %}
Click **Save Mappings**.
{% endstep %}
{% endstepper %}

{% hint style="info" %}

* You cannot assign roles to users via SCIM. However, you can manage groups and group membership in your IdP and disable the **Groups DGC managed** Console configuration option. Following the initial provisioning, your IdP groups are available in Collibra and you can start assigning roles to them.
* Okta internally transmits an `externalId` attribute to Collibra, which maps it automatically.
* Collibra users have a single email address and an additional list of email addresses. In contrast, SCIM uses a list of email addresses. If the SCIM list contains only one email address or one of the email addresses is marked as primary, that email address becomes the Collibra user email address. If the SCIM list contains multiple email addresses and none is marked as primary, the operation returns an error.
{% endhint %}
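The email rule in the last note, as an added Python example (not Collibra's implementation) that applies it to a SCIM `emails` list and shows which provisioning payloads are rejected. The sample payloads are constructed; the behaviour for a user with no email address at all is not stated on this page and is assumed here.

```python
def resolve_collibra_email(scim_emails: list) -> tuple:
    """Apply Collibra's rule to a SCIM 'emails' list (RFC 7643 multi-valued attribute).

    Returns (user_email, additional_emails). Raises ValueError where the note
    says the SCIM operation returns an error.
    """
    addresses = [e for e in scim_emails if isinstance(e, dict) and e.get("value")]
    if not addresses:
        return None, []  # assumption: no address given, nothing to set
    if len(addresses) == 1:
        chosen = addresses[0]  # a single address is taken as the user email
    else:
        primaries = [e for e in addresses if e.get("primary") is True]
        if not primaries:
            raise ValueError("multiple email addresses and none marked primary")
        if len(primaries) > 1:  # RFC 7643 section 2.4: at most one value is primary
            raise ValueError("more than one email address marked primary")
        chosen = primaries[0]
    others = [e["value"] for e in addresses if e is not chosen]
    return chosen["value"], others

# Constructed SCIM 'emails' fragments of the kind an IdP sends on create/update
SINGLE = [{"value": "ana@example.com", "type": "work"}]
WITH_PRIMARY = [{"value": "ana@example.com", "type": "work", "primary": True},
                {"value": "ana.home@example.com", "type": "home"}]
NO_PRIMARY = [{"value": "ana@example.com", "type": "work"},
              {"value": "ana.home@example.com", "type": "home"}]
```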

## Additional resources

* [Okta developer portal](https://developer.okta.com/)
* [Understanding SCIM](https://developer.okta.com/docs/concepts/scim/)
* [Prepare your SCIM API service](https://developer.okta.com/docs/guides/scim-provisioning-integration-prepare/main/)
* [Okta and SCIM Version 2.0](https://developer.okta.com/docs/reference/scim/scim-20/)
* Okta [Users API](https://developer.okta.com/docs/reference/api/users/)
* Okta [Groups API](https://developer.okta.com/docs/reference/api/groups/)
* [Build a JWT for Client Authentication](https://developer.okta.com/docs/guides/build-self-signed-jwt/main/)
* [Collibra JSON Web Token authentication guide](https://developer.collibra.com/tutorials/rest-api-json-web-token/)
* [Collibra REST API authentication with JSON Web Token](https://developer.collibra.com/tutorials/rest-api-authentication-jwt/)
