Okta authorization for SCIM

Collibra supports only basic authentication and bearer token authentication with a JWT.

To set up basic authentication, you create a new SCIM application and authenticate with Collibra:

  1. Sign in to your Okta Admin Console and go to Applications → Browse App Catalog.
  2. Search for and select the SCIM 2.0 Test App (Basic Auth) application.
  3. Click Add Integration.
  4. Modify the application level.
  5. Click Next to select the Sign-On options.
  6. Select the required Sign-On method.
  7. Click Done to create the application.

    Your newly created application appears in the list of Applications.

  8. From the list of applications, select your new application → Provisioning → Integration.
  9. Click Configure API Integration to enable the integration between Okta and Collibra SCIM.
  10. Select the Enable API integration check box and enter the required information:
    • SCIM 2.0 Base Url: The endpoint of the Collibra SCIM API, for example https://<your_collibra_url>/rest/scim/v2.
    • Username: The user name of a dedicated Collibra user for this integration.
    • Password: The password of a dedicated Collibra user for this integration.
  11. Click Test API Credentials.

    If your credentials are successfully verified, Okta displays a confirmation message.

  12. Click Save to complete the process.

The following table summarizes how to acquire and use a JWT in Collibra REST API requests.

Process: Initial setup
  1. Create a client credential account with a secret in your IdP.
  2. Determine the JSON Web Key Set (JWKS) endpoint URL for your IdP.
  3. Register the JWKS endpoint with Collibra.
  4. Create a user in Collibra for your client application account.

    Provide a meaningful first and last name to identify that this is a service account.

Process: When your application starts
  1. Authenticate your client application with your IdP.
  2. Save the returned access token for use in REST API calls.

Process: When your application calls the Collibra REST APIs
  1. Include the JWT in the Authorization HTTP header as a bearer token.
  2. If the API call responds with Unauthorized (HTTP 401), the access token or the JWKS credentials may have expired. Re-authenticate and retry the request.

Obtain a client ID and secret

  1. Sign in to your Okta Admin Console and go to Applications → Create App Integration.
  2. In the Create a new app integration dialog box, select API Services.
  3. Click Next.
  4. In the New API Services App Integration section, enter the name of your integration.
  5. Click Save.

    Your newly created application appears under Applications in Okta.

  6. From the list of applications, open your new application.
  7. Copy the Client ID and Client Secret for future use.

Obtain the sub and aud parameters

  1. Sign in to your Okta Admin Console and go to Security → API.
  2. Create a new scope:
    1. In the Authorization servers section, select the default server → Scopes.
    2. Click Add Scope.
    3. In the Add Scope dialog box enter the required information.
    4. Click Save and copy the scope name for future use.
  3. Obtain the jwks_uri and issuer parameters:
    1. In the Authorization servers section, select the default server → Settings.
    2. Click the Metadata URI link.
    3. From the JSON response, copy the jwks_uri and issuer values for future use.
  4. Obtain an access token:
    1. Send a POST request to the /v1/token endpoint of the issuer, using your client ID, secret, and scope name:
      curl --request POST \
        --url <issuer>/v1/token \
        --header 'accept: application/json' \
        --header 'authorization: Basic <base64_encoded(client_id:client_secret)>' \
        --header 'cache-control: no-cache' \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data 'grant_type=client_credentials&scope=<scope_name>'
    2. From the response, copy the access token.
  5. Obtain the sub and aud parameters:
    1. Decode the JWT with an application such as JWT.io.
    2. Copy the sub and aud parameters for future use.
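The JWT lifecycle from the process table and the token procedure just completed, as an added Python example that is not Collibra's or Okta's code: it builds the same client_credentials request as the curl command (Basic credential over client_id:client_secret), reads sub and aud from the token payload the way JWT.io shows them, and retries a SCIM call once after re-authenticating on 401. The issuer, client ID, secret, scope, Collibra URL and the `transport` callable are assumed placeholders, and make_unsigned_jwt only constructs an unsigned token so the flow can run offline.

```python
import base64
import json

# Assumption: `transport(method, url, headers, body) -> (status, body)` is a
# hypothetical HTTP hook so the flow can be exercised without network access.

def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for /v1/token: base64 of 'client_id:client_secret' (colon separator)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def token_request(issuer, client_id, client_secret, scope):
    """The same client_credentials request as the curl command, as (method, url, headers, body)."""
    headers = {"accept": "application/json",
               "authorization": basic_auth_header(client_id, client_secret),
               "content-type": "application/x-www-form-urlencoded"}
    return "POST", f"{issuer}/v1/token", headers, f"grant_type=client_credentials&scope={scope}"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT for offline runs only; Okta issues signed tokens."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims, sort_keys=True).encode())}."

def jwt_claims(token):
    """Read the payload (sub, aud, ...) without verifying; Collibra verifies via the registered JWKS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def get_token(transport, issuer, client_id, client_secret, scope):
    """Authenticate with the IdP and return the access token ('when your application starts')."""
    status, body = transport(*token_request(issuer, client_id, client_secret, scope))
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    return json.loads(body)["access_token"]

def scim_get(transport, base_url, path, token_source):
    """Call Collibra SCIM as a bearer; on 401 re-authenticate once and retry, as the table advises."""
    token = token_source()
    for _ in range(2):
        status, body = transport("GET", base_url + path, {"authorization": f"Bearer {token}"}, None)
        if status != 401:
            break
        token = token_source()  # the token (or the registered JWKS credential) may have expired
    return status, body
```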

Register the JWKS endpoint with Collibra

Follow the instructions to Register the JWKS endpoint with Collibra and use the following values:

Collibra Console field   Value
JSON Web Key Set URL     The jwks_uri value from the JSON response of the Metadata URI link.
JWT Issuer               The issuer value from the JSON response of the Metadata URI link.
JWT Audience             The aud parameter from the decoded JWT.

Create a user in Collibra

Follow the instructions to Create a user in Collibra for your client application account:

User details   Value
Username       The sub parameter from the decoded JWT.
User groups    Assign the user to a group that has elevated permissions, such as Sysadmin, or to a group with similar permissions.

Create a SCIM application

Create a new SCIM application and authenticate with Collibra:

  1. Sign in to your Okta Admin Console and go to Applications → Browse App Catalog.
  2. Search for and select the SCIM 2.0 Test App (OAuth Bearer Token) application.
  3. Click Add Integration.
  4. Modify the application level.
  5. Click Next to select the Sign-On options.
  6. Select the required Sign-On method.
  7. Click Done to create the application.

    Your newly created application appears under Applications in Okta.

  8. From the list of applications, select your new application → Provisioning → Integration.
  9. Click Configure API Integration to enable the integration between Okta and Collibra SCIM.
  10. Select the Enable API integration check box and enter the required information:
    • SCIM 2.0 Base Url: The endpoint of the Collibra SCIM API, for example https://<your_collibra_url>/rest/scim/v2.
    • OAuth Bearer Token: Your JSON Web Token.
  11. Click Test API Credentials.

    If your credentials are successfully verified, Okta displays a confirmation message.

  12. Click Save to complete the process.

Map SCIM app attributes

  1. Sign in to your Okta Admin Console and select your application from the Applications list.
  2. Select Provisioning → To App.
  3. In the Attribute Mappings section, click Go to Profile Editor.
  4. Click Mappings to select the Sign-On options.
  5. In the User Profile Mappings dialog box, edit or add your desired mappings.

    Collibra supports a limited number of SCIM attributes.

    Attribute          | Attribute Type | Value                                                              | Apply on
    Username           | Personal       | Configured in Sign On settings                                     |
    Given name         | Personal       | user.firstName                                                     | Create and update
    Family name        | Personal       | user.lastName                                                      | Create and update
    Email              | Personal       | user.email                                                         | Create and update
    Primary email type | Personal       | (user.email != null && user.email != '') ? 'work' : ''             | Create and update
    Display name       | Personal       | user.displayname                                                   | Create and update
    Profile Url        | Personal       | user.profileUrl                                                    | Create
    Primary phone      | Personal       | user.primaryPhone                                                  | Create and update
    Primary phone type | Personal       | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' | Create and update
    Address type       | Personal       | (user.addressType != null && user.addressType != '') ? 'work' : '' | Create and update
    Street address     | Personal       | user.streetAddress                                                 | Create and update
    Locality           | Personal       | user.city                                                          | Create and update
    Region             | Personal       | user.state                                                         | Create and update
    Postal Code        | Personal       | user.zipCode                                                       | Create
    Country            | Personal       | user.countryCode                                                   | Create and update
    Locale Name        | Group          | user.locale                                                        | Create and update
  6. Click Save Mappings.

You cannot assign roles to users via SCIM. However, you can manage groups and group membership in your IdP and disable the Groups DGC managed configuration option in Collibra Console. After the initial provisioning, your IdP groups are available in Collibra and you can start assigning roles to them.
