Configuring Provisioning with Okta

This guide provides information on how to configure the provisioning of users and groups between Mursion and Okta using the SCIM protocol.

Supported Features

The following provisioning features are supported by Mursion at present:

• Push Users: Users in Okta that are assigned to the Mursion application in Okta are automatically added as users in Mursion. 
• Push Profile Updates: A user’s Mursion profile attributes are automatically updated when changes are made to the corresponding Okta user profile attributes. 
• Push User Deactivation: A user’s Mursion account is archived when the user is unassigned from the Mursion application in Okta or the user’s Okta account is deactivated. Archiving a Mursion user prevents the user from signing in but maintains the user’s Mursion account.
• Reactivate Users: A user’s Mursion account is restored when the user is assigned to the Mursion application.  
• Push Groups: Okta groups and their members are pushed to Mursion as Mursion teams and users.

Requirements

• Mursion application in your Okta organization configured for SAML 2.0 SSO. See Configuring SAML 2.0 with Okta for information on how to configure the Mursion application for SAML 2.0 in Okta.
• A SCIM Authorization Token is required to configure provisioning. If you have not received a SCIM Authorization Token from Mursion please email integrations@mursion.com to request an authorization token.

Step-­by-­Step Configuration Instructions

1. In Okta, select the Mursion application that has been configured for SAML 2.0.
2. From the application, click the Provisioning tab and then click Configure API integration
   
   
   
3. Check Enable API integration. 
4. Enter the appropriate Base URL for the Mursion environment and enter the API Token provided by Mursion.
   
   

   Environment	Base URL
   Staging	https://staging-portal.mursion.com/api/scim/v2
   Production	https://portal.mursion.com/api/scim/v2

   
   
5. Click Test API Credentials. A success message should appear. Click Save to save the settings.
   
   
   
   
6. Select To App in the left panel and click Edit.
7. Check Enable for the Create Users, Update User Attributes, and Deactivate Users options. Click Save to save the settings.
   
   
8. In the Attribute Mappings section, 
   1. edit the Preferred language attribute and select Create for Apply on. Click Save to save changes.
   2. edit the Time zone attributes and select Create for Apply on. Click Save to save changes.
      
9. Click the Sign On tab and click Edit.
10. In the Credentials Details section, make sure that Application username format is set to Email.

Assign Users to the Mursion application in Okta

1. Click the Assignments tab.
2. Select Assign then select either Assign to People or Assign to Groups. Click Assign from the list that appears to assign users or groups. See Manage app integration assignments for more information.
   
3. Verify that users have been synced to Mursion. Check either the application’s Okta logs or check the Users tab in Mursion.

Push Groups

1. Click the Push Groups tab.
2. Select Push Groups and select either Find groups by name or Find groups by rule. See Manage Group Push for more information on Group Push.
   
3. Verify that the groups and memberships have been pushed to Mursion. Okta groups are pushed to Mursion as teams. Check the application’s Okta logs or check the Teams tab in Mursion.

Unlink Pushed Group

1. Click the Push Groups tab.
2. Locate the group to unlink and click the Active button under Push Status.
3. Select Unlink pushed group.
4. Select one of the What do you want to do with this group? options:
   1. The Mursion team is not deleted but the team is archived which removes all users from the team in Mursion. 
   2. Groups unlinked using this option cannot be pushed to Mursion again unless the corresponding Mursion team is restored first (see Troubleshooting and Tips section). 
   1. The Mursion team is not archived and unlinking does not change existing Mursion team memberships.
1. Delete the group in the target app (recommended) - Select this option to stop the pushing of this group’s memberships and archive the corresponding team in Mursion. 
2. Leave the group in the target app - Select this option to stop the pushing of this group’s memberships. 
5. Click the Unlink button.

Troubleshooting and Tips

• Preferred language and Time zone profile attributes can be synced to Mursion; however, 
  • Blank values for these fields cannot be synced to Mursion when updating a user’s attributes. By default, these attributes will only be synced on create.
  • These fields are only visible by the user themselves on their profile. The language and time zone fields are not visible to administrator users when viewing a user profile in Mursion. 
• Preferred language must be specified using a two letter ISO 639-1 language code (e.g. de) or a two letter ISO 630-1 language code combined with a two letter ISO 3166 country code (e.g. en-US). 
• Time zone must be specified as the IANA Time Zone database format (e.g. America/New_York)
• Groups unlinked using the Delete the group in the target app option cannot be pushed to Mursion again unless the corresponding Mursion team is restored. To re-push an unlinked group that corresponds to an archived Mursion team:
  • In Mursion, restore the team
    • Click the Teams sub-tab
    • Click the Archived filter
    • Click the archived team name
    • Click the restore icon and confirm that the team should be restored

• • In Okta under the Push Groups tab, click the Refresh App Groups button to retrieve the current list of Mursion teams
  • Once the import of groups completes, push the group by name
    • Start entering the name of the Mursion team that was restored
    • Select the group name
    • Under Match result & push action, the Link Group option should be automatically selected and will not be able to be changed
    • Click the Save button to push the group

Please reach out to our team at integrations@mursion.com if you have any questions or run into any issues.