Synchronize User Data with Okta's User Provisioning Feature

Contents

Overview

This article introduces how to use Okta's User Provisioning feature to sync Okta users with Kintone.

The User Provisioning Feature

  • User data and related services that are set up on Okta can be synced with Kintone.
    For example, if a new user is added into Okta, a new user can be automatically added into Kintone.
  • The User Provisioning Feature can be used with the following actions:
  • User data that can be synced are the following:
    • Login name
    • Display name
    • Surname
    • Given name
    • Email address
    • Status
  • Users that are already added into Kintone can also use the Provisioning feature.

Required Environments

  • SAML Authentication must be implemented before setting up User Provisioning.
    • Refer to the following article to set up SSO with Okta
    • Refer to the following article on the Kintone Help site for more information on how to configure SAML Authentication
  • The following permissions are needed when using the Provisioning feature
    • Kintone: Users & System Administrators (External link)
    • Okta: One of the following Administrator permissions
      • "Organization Administrator" and "Application Administrator"
      • "Super Admin"

Limitations

  • Departments, Job Titles and Groups (Roles) cannot be synced.
  • If a user is deleted from Kintone after syncing, the user will not be recreated on Kintone after another sync. In order to recreate a user on Kintone, first disable "Propagate Provisioning" via the settings page once, then reactivate "Propagate Provisioning" before attempting to synchronize user data.
  • The Login Name of synced users cannot be updated.
    To update their Login Name, the user needs to be deleted from Kintone, before recreating the user on Okta, and resyncing the user data.

For other limitations, refer to the Kintone Help site (External link).

Important Notes

  • If there is a need to restrict access to Kintone via IP addresses, consider setting up the restrictions on Okta. It is not recommended to place Okta's IP addresses on the Kintone settings for the list of allowed IP addresses. This is because Okta's IP addresses may be subject to change.

Set Up

The set up flow to use Okta's provisioning feature is as follows:

STEP1:Configure Kintone settings

  1. Access your Kintone environment. This should be in the format of https://{subdomain}.kintone.com/.
  2. Log in with a user with Users & System Administrators permissions.
  3. Click on Users & System Administrators
  4. Click on Provisioning.

    Screenshot: The Provisioning link in the Administration menu.

  5. Click on Create API Token.

    Screenshot: The Create API Token button.

  6. Set up the Validity period and Enter notes for this API token fields, and click on Create.

    Screenshot: Setting up the details of the API Token.

  7. Note down the created API Token and SCIM Endpoint. There is no way to recheck the value of the API token after closing the dialog.

    Screenshot: The generated API Token and SCIM endpoint.

  8. Click on Close.
  9. Set the Propagate Provisioning settings to Enabled.

    Screenshot: The Propagate Provisioning settings.

STEP2:Configure Okta settings

1. Add the Kintone application
  1. Access your Okta environment. This should be in the format of https://{subdomain}.okta.com/.
  2. Log in with a user with Administrator permissions.
  3. Select the Applications section.

    Screenshot: The Applications section

  4. Select the Applications sub-section and click the Browse App Catalog button.

    Screenshot: The Browse App Catalog button

  5. Use the search box to search for Kintone, and then select Kintone (kintone.com).

    Screenshot: The Browse App Integration Catalog page displaying the Kintone integration in the Search Box

  6. Click on the Add Integration button.

    Screenshot: The Add integration button displayed for the Kintone integration

  7. Enter the required information, and then click the Done button.
    • Application label: Enter a name for the application.
      • Example: Kintone
    • Domain Name: Enter Kintone's URL.
      • Example: https://SUBDOMAIN.kintone.com

        Screenshot: Setting the required information for the Kintone integration

2. Configure the API integration settings for Kintone
  1. Click on Provisioning.

    Screenshot: The Provisioning settings

  2. Click on Configure API integration.

    Screenshot: The Configure API Integration button

  3. Set the following settings:
    • Enable API integration: Check the checkbox
    • API Token: Enter the API Token obtained in STEP1

      Screenshot: The Enable API integration checkbox

  4. Click on Test API Credentials.
    caution
    Attention

    If the test connection fails and error messages are displayed, refer to the Troubleshooting section.
    Example error message:
    Error authenticating: Forbidden. Errors reported by remote server: Invalid JSON: Unexpected character

    Screenshot: The Test API credentials button

  5. If a successful message is displayed, click on Save.

    Screenshot: A message displayed stating that the Kintone integration was verified successfully

  6. Navigate to Provisioning to App and click on Edit.

    Screenshot: The Edit button in the Provisioning to App settings

  7. Enable the following options:
    • Create Users
    • Update User Attributes
    • Deactivate Users

      Screenshot: Enabling the options within the Provisioning to App settings

  8. Click on Save.

    Screenshot: The Save button in the provisioning settings

3. Assign Users and Start the Provisioning
To sync per user
  1. Navigate to the Assignments tab.

    Screenshot: The Assignments tab

  2. Click on Assign and select Assign to People.

    Screenshot: The Assign to People option displayed when clicking on the Assign button

  3. Navigate to the user that is to be synced, and click on Assign.

    Screenshot: The Assign button for the user to be synced

  4. Enter the Kintone login name for that user.
    • The Setting initial values for Login Name section introduces what login name will be initially set for the user.
    • Login names cannot be changed afterward. To change the login name, the user will need to be recreated on Okta and re-synced.

      Screenshot: The User settings window for assigning Kintone

  5. Set the value of Kintone to Enable.

    Screenshot: Enabling Kintone in the User settings window

  6. Click on Save and Go Back.

    Screenshot: Saving the settings in the User settings window

  7. After finishing the settings for all users that will be synced, click on Done.

    Screenshot: The Done button to save the user settings

To sync per group

The Setting initial values for Login Name section introduces what login name will be initially set for users in groups. Login names cannot be changed afterward.

  1. Navigate to the Assignments tag.

    Screenshot: The Assignments tab

  2. Click on Assign and select Assign to Groups.

    Screenshot: The Assign to Groups option displayed when clicking on the Assign button

  3. Navigate to the group that is to be synced, and click on Assign.

    Screenshot: The Assign button for the group to be synced

  4. Set the value of Kintone to Enable.

    Screenshot: Enabling Kintone in the Group settings window

  5. Click on Save and Go Back.

    Screenshot: Saving the settings in the Group settings window

  6. After finishing the settings for all groups that will be synced, click on Done.

    Screenshot: The Done button to save the group settings

Other Settings

Setting initial values for Login Name

  1. Navigate to the Sign On tab.

    Screenshot: The Sign On tab

  2. Under Settings, click on Edit.

    Screenshot: The Edit button on the Sign On settings

  3. Set up the initial value format for usernames in the Application username format settings.

    Screenshot: Setting up the initial value format for the Application username format in the Credentials Details window

    The following options can be set.
    • Custom: A custom format. For more details, refer to the Okta Expression Language overview (External link) article.
    • Email: An Email address format.
    • Email Prefix: A format that uses the identifier that comes before the @ symbol in the email address.
    • Okta username: A format that uses the user name for the Okta service.
    • Okta username prefix: A format that uses the identifier that comes before the @ symbol in the Okta user name.
    • (None): Sets no initial values.
      If None is selected and the sync is per group, the sync will fail due to log in names being unable to be set for users. After assigning users to groups, log in names must be set for each user.
  4. Click on Save.

    Screenshot: The save button on the Credentials Details window

Turning off the Provisioning feature

To turn off the provisioning feature, follow these steps.

  1. Navigate to the Provisioning tab and click on Integration.

    Screenshot: The provisioning tab

  2. Click on Edit.

    Screenshot: The Edit button on the Integration settings

  3. Check off the Enable API Integration option.

    Screenshot: Checking off the Enable API Integration option in the Integration settings

  4. Click on Save.

    Screenshot: The Save button in the Integration settings

Restarting the Provisioning feature

If any updates are made to users while the provisioning feature is turned off, sync them into Kintone by refering to the Running Force Sync article.
To restart the provisioning feature, follow these steps.

  1. Navigate to the Provisioning tab and click on Integration.

    Screenshot: The provisioning tab and the Integration subsection

  2. Under Integration, click on Edit.

    Screenshot: The Edit button on the Integration settings

  3. Check the Enable API Integration option.

    Screenshot: Checking the Enable API Integration option in the Integration settings

  4. Click on Save.

    Screenshot: The Save button in the Integration settings

  5. Select To App.

    Screenshot: The To App subsection in the Provisioning tab

  6. Under Provisioning to App, click on Edit.

    Screenshot: The Edit button in the Provisioning to App settings

  7. Enable the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

      Screenshot: Enabling the options within the Provisioning to App settings

  8. Click on Save.

    Screenshot: The Save button in the Provisioning to App settings

Running Force Sync

If any updates are made to users while the provisioning feature is turned off, sync them into Kintone using the Force Sync feature.

  1. Navigate to the Provisioning tab.

    Screenshot: The Provisioning tab

  2. Under Kintone Attribute Mappings, click on Force Sync.

    Screenshot: The Force Sync button

Making Kintone users active and inactive

To make Kintone users inactive, either set the user on Okta to inactive, or unassign users with the following steps.

Unassigining users
  1. Navigate to the Assignments tab.

    Screenshot: The Assignments tab

  2. Click on People.

    Screenshot: Clicking the People filter in the Assignments tab

  3. Navigate to the user that will be made inactive, and click on the ×.

    Screenshot: The × button to inactivate the User

  4. Click on the OK button in the confirmation dialog.

    Screenshot: The OK button in the Unassign User confirmation window

To make the user active again, reassign the user.

Unassigining groups
  1. Navigate to the Assignments tab.

    Screenshot: The Assignments tab

  2. Click on Groups.

    Screenshot: Clicking the Groups filter in the Assignments tab

  3. Navigate to the group that will be made inactive, and click on the ×.

    Screenshot: The × button to inactivate the Group

  4. Click on the OK button of the confirmation dialog.

    Screenshot: The OK button in the Unassign Group confirmation window

To make the users in the group active again, reassign the group by referring to the following section, by referring to the following section:

Troubleshooting

If the "Error authenticating: Forbidden. Errors reported by remote server: Invalid JSON: Unexpected character" is displayed

Screenshot: The error message displayed for the integration

This may be due to IP address restrictions set up on Kintone.

If there is a need to restrict access to Kintone via IP addresses, consider setting up the restrictions on Okta. It is not recommended to place Okta's IP addresses on the Kintone settings for the list of allowed IP addresses. This is because Okta's IP addresses may be subject to change.

tips
Note

The contents of this article was checked with the 2023 March version of Kintone.