Synchronize User Data with Okta's User Provisioning Feature
Overview
This article introduces how to use Okta's User Provisioning feature to sync Okta users with Kintone.
The User Provisioning Feature
- User data and related services that are set up on Okta can be synced with Kintone. For example, if a new user is added in Okta, that user can be automatically added to Kintone.
- The User Provisioning feature can be used with the following actions:
  - Adding a User
  - Updating User Information
  - Deactivating a User
  - Editing a User's Services
- The following user data can be synced:
  - Login name
  - Display name
  - Surname
  - Given name
  - Email address
  - Status
- The Provisioning feature can also be used for users that already exist in Kintone.
Required Environments
- SAML Authentication must be implemented before setting up User Provisioning.
  - Refer to the following article to set up SSO with Okta
  - Refer to the following article on the Kintone Help site for more information on how to configure SAML Authentication
- The following permissions are needed when using the Provisioning feature:
  - Kintone: Users & System Administrators
  - Okta: One of the following Administrator permissions
    - "Organization Administrator" and "Application Administrator"
    - "Super Admin"
Limitations
- Departments, Job Titles and Groups (Roles) cannot be synced.
- If a user is deleted from Kintone after syncing, the user will not be recreated on Kintone after another sync. In order to recreate a user on Kintone, first disable "Propagate Provisioning" via the settings page once, then reactivate "Propagate Provisioning" before attempting to synchronize user data.
- The Login Name of synced users cannot be updated. To update a Login Name, delete the user from Kintone, then recreate the user on Okta and resync the user data.
For other limitations, refer to the Kintone Help site.
Important Notes
- If there is a need to restrict access to Kintone via IP addresses, consider setting up the restrictions on Okta. It is not recommended to place Okta's IP addresses on the Kintone settings for the list of allowed IP addresses. This is because Okta's IP addresses may be subject to change.
Setup
The setup flow for Okta's provisioning feature is as follows:
- STEP1: Configure Kintone settings
  - Activate the User Provisioning feature, and generate an API Token.
- STEP2: Configure Okta settings
STEP1: Configure Kintone settings
- Access your Kintone environment. This should be in the format of https://{subdomain}.kintone.com/.
- Log in with a user with Users & System Administrators permissions.
- Click on Users & System Administrators.
- Click on Provisioning.
- Click on Create API Token.
- Set up the Validity period and Enter notes for this API token fields, and click on Create.
- Note down the created API Token and SCIM Endpoint. There is no way to recheck the value of the API token after closing the dialog.
- Click on Close.
- Set the Propagate Provisioning settings to Enabled.
STEP2: Configure Okta settings
1. Add the Kintone application
- Access your Okta environment. This should be in the format of https://{subdomain}.okta.com/.
- Log in with a user with Administrator permissions.
- Select the Applications section.
- Select the Applications sub-section and click the Browse App Catalog button.
- Use the search box to search for Kintone, and then select Kintone (kintone.com).
- Click on the Add Integration button.
- Enter the required information, and then click the Done button.
  - Application label: Enter a name for the application.
    - Example: Kintone
  - Domain Name: Enter Kintone's URL.
    - Example: https://SUBDOMAIN.kintone.com
2. Configure the API integration settings for Kintone
- Click on Provisioning.
- Click on Configure API integration.
- Set the following settings:
  - Enable API integration: Check the checkbox
  - API Token: Enter the API Token obtained in STEP1.
- Click on Test API Credentials.
  Attention
  If the test connection fails and error messages are displayed, refer to the Troubleshooting section.
  Example error message:
  Error authenticating: Forbidden. Errors reported by remote server: Invalid JSON: Unexpected character
- If a success message is displayed, click on Save.
- Navigate to Provisioning to App and click on Edit.
- Enable the following options:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Click on Save.
3. Assign Users and Start the Provisioning
To sync per user
- Navigate to the Assignments tab.
- Click on Assign and select Assign to People.
- Navigate to the user that is to be synced, and click on Assign.
- Enter the Kintone login name for that user.
  - The Setting initial values for Login Name section describes which login name is set initially for the user.
  - Login names cannot be changed afterward. To change the login name, the user will need to be recreated on Okta and re-synced.
- Set the value of Kintone to Enable.
- Click on Save and Go Back.
- After finishing the settings for all users that will be synced, click on Done.
To sync per group
The Setting initial values for Login Name section describes which login name is set initially for users in groups. Login names cannot be changed afterward.
- Navigate to the Assignments tab.
- Click on Assign and select Assign to Groups.
- Navigate to the group that is to be synced, and click on Assign.
- Set the value of Kintone to Enable.
- Click on Save and Go Back.
- After finishing the settings for all groups that will be synced, click on Done.
Other Settings
Setting initial values for Login Name
- Navigate to the Sign On tab.
- Under Settings, click on Edit.
- Set up the initial value format for usernames in the Application username format settings.
  - Custom: A custom format. For more details, refer to the Okta Expression Language overview article.
  - Email: An Email address format.
  - Email Prefix: A format that uses the identifier that comes before the @ symbol in the email address.
  - Okta username: A format that uses the user name for the Okta service.
  - Okta username prefix: A format that uses the identifier that comes before the @ symbol in the Okta user name.
  - (None): Sets no initial values.
    If None is selected and the sync is per group, the sync will fail because login names cannot be set for the users. After assigning users to groups, a login name must be set for each user.
- Click on Save.
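The following is an added example (not code from the Kintone or Okta documentation) that models how each Application username format above derives the initial Kintone login name, and shows why a per-group assignment with "(None)" cannot proceed. The OktaUser fields and sample values are constructed; the "Custom" format (Okta Expression Language) is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OktaUser:
    """Minimal stand-in for an Okta user profile (constructed, not Okta's schema)."""
    login: str   # Okta username, e.g. "jane.doe@corp.example"
    email: str   # primary email, e.g. "jane@mail.example"


def _prefix(value: str) -> str:
    """Identifier before the '@' (the whole value if there is no '@')."""
    return value.split("@", 1)[0]


def initial_login_name(user: OktaUser, username_format: str) -> Optional[str]:
    """Initial Kintone login name for one user under a given format.

    Returns None for "(None)", i.e. no initial value is set. "Custom" needs
    Okta Expression Language and is out of scope here.
    """
    if username_format == "Email":
        return user.email
    if username_format == "Email Prefix":
        return _prefix(user.email)
    if username_format == "Okta username":
        return user.login
    if username_format == "Okta username prefix":
        return _prefix(user.login)
    if username_format == "(None)":
        return None
    raise ValueError(f"unsupported Application username format: {username_format}")


def plan_group_sync(members: list, username_format: str) -> dict:
    """Simulate assigning a group: every member must have a login name up front.

    Members without one are listed under 'missing_login_name' so an admin can
    set them by hand, mirroring the article's note that a "(None)" group sync fails.
    """
    ready, missing = {}, []
    for member in members:
        name = initial_login_name(member, username_format)
        if name is None:
            missing.append(member.login)
        else:
            ready[member.login] = name
    return {"ready": ready, "missing_login_name": missing, "ok": not missing}
```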
Turning off the Provisioning feature
To turn off the provisioning feature, follow these steps.
- Navigate to the Provisioning tab and click on Integration.
- Click on Edit.
- Uncheck the Enable API Integration option.
- Click on Save.
Restarting the Provisioning feature
If any updates are made to users while the provisioning feature is turned off, sync them into Kintone by referring to the Running Force Sync section.
To restart the provisioning feature, follow these steps.
- Navigate to the Provisioning tab and click on Integration.
- Under Integration, click on Edit.
- Check the Enable API Integration option.
- Click on Save.
- Select To App.
- Under Provisioning to App, click on Edit.
- Enable the following options:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Click on Save.
Running Force Sync
If any updates are made to users while the provisioning feature is turned off, sync them into Kintone using the Force Sync feature.
- Navigate to the Provisioning tab.
- Under Kintone Attribute Mappings, click on Force Sync.
Making Kintone users active and inactive
To make Kintone users inactive, either set the user on Okta to inactive, or unassign users with the following steps.
Unassigning users
- Navigate to the Assignments tab.
- Click on People.
- Navigate to the user that will be made inactive, and click on the ×.
- Click on the OK button in the confirmation dialog.
To make the user active again, reassign the user.
Unassigning groups
- Navigate to the Assignments tab.
- Click on Groups.
- Navigate to the group that will be made inactive, and click on the ×.
- Click on the OK button of the confirmation dialog.
To make the users in the group active again, reassign the group (see To sync per group).
Troubleshooting
If "Error authenticating: Forbidden. Errors reported by remote server: Invalid JSON: Unexpected character" is displayed
This may be due to IP address restrictions set up on Kintone.
If there is a need to restrict access to Kintone via IP addresses, consider setting up the restrictions on Okta. It is not recommended to place Okta's IP addresses on the Kintone settings for the list of allowed IP addresses. This is because Okta's IP addresses may be subject to change.
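As an added diagnostic example (not from the article or from Okta), the snippet below classifies a SCIM endpoint response the way Okta's Test API Credentials check experiences it: a block page returned by Kintone's IP-address restriction is not JSON, which is what surfaces as "Invalid JSON: Unexpected character". The sample bodies are constructed, and the Bearer header, the /Users path and the 401-means-bad-token mapping are assumptions to check against your own environment.

```python
import json
import urllib.request
from urllib.error import HTTPError

# Constructed sample bodies (not captured from Kintone or Okta).
SCIM_LIST_OK = ('{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],'
                '"totalResults":1,"Resources":[{"id":"1","userName":"jane"}]}')
BLOCK_PAGE = "<html><body>Access from your IP address is not permitted.</body></html>"


def classify_scim_response(status: int, body: str) -> str:
    """Diagnose one SCIM response as Okta's credential test would see it."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        # Non-JSON body: Okta reports this as "Invalid JSON: Unexpected character".
        if status == 403:
            return "ip-restriction-suspected"   # Forbidden + block page, not a token problem
        return "non-json-response"
    if status == 401:
        return "token-rejected"                 # assumed: expired or mistyped API token
    if status == 200 and isinstance(payload, dict) and "Resources" in payload:
        return "ok"
    return "unexpected-json"


def probe_scim_endpoint(endpoint: str, api_token: str, timeout: int = 10) -> str:
    """GET one user from the SCIM Endpoint noted in STEP1 and classify the reply.

    Assumes the API Token is sent as a Bearer header and that {endpoint}/Users
    exists (standard SCIM 2.0 path); adjust if your SCIM Endpoint value differs.
    Run this from the network that Okta's requests will egress from.
    """
    req = urllib.request.Request(
        f"{endpoint.rstrip('/')}/Users?count=1",
        headers={"Authorization": f"Bearer {api_token}",
                 "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_scim_response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify_scim_response(err.code, err.read().decode("utf-8", "replace"))
```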
Note
The contents of this article were checked with the 2023 March version of Kintone.