Okta SCIM Provisioning

Overview

Okta SCIM provisioning lets Okta push user lifecycle events into Argus in real time. When someone is assigned or unassigned in Okta, their Argus access is created, updated, or revoked automatically, without admin tickets.

Prerequisites

• Argus Enterprise plan (SCIM is an Enterprise feature)
• Okta super admin role
• Okta Lifecycle Management (Provisioning) add-on enabled in your Okta org

Step-by-Step Setup

Step 1: Create the SCIM provider in Argus

• Argus > Enterprise > Directory Sync > Add Directory Provider
• Provider Name: 'Okta Production' or similar
• Provider Type: Okta
• Argus displays the SCIM base URL and a one-time bearer token; keep both open for Step 2

Step 2: Create an Argus SAML + SCIM app in Okta

Okta ties provisioning to the SAML app; create the app first if you have not already.

• In Okta > Applications > Browse App Catalog, search 'Cremit Argus' and add it (or use the generic SAML + SCIM template if listed)
• Configure the SAML tab per the SAML SSO guide
• Switch to the Provisioning tab and click Configure API Integration

Step 3: Configure the SCIM integration in Okta

• Base URL: paste the SCIM base URL from Argus
• API Token: paste the one-time bearer token from Argus
• Click Test API Credentials; expect 'verified successfully'
• Enable API integration, then enable the following under To App: Create Users, Update User Attributes, Deactivate Users

Step 4: Assign users or groups to the app

Provisioning events only fire for assigned identities.

• Assign individuals directly, or push Okta groups to Argus
• Required attributes: email, displayName, active
• Optional: department, title, manager for richer context in Argus

Verification

To confirm the integration is configured correctly:

• Newly assigned Okta users appear in Argus within 1 minute
• Deactivating a user in Okta revokes their Argus session and API tokens immediately
• Group memberships in Okta reflect in the Argus team view
• No 'missing required attribute' errors in Okta's provisioning logs

Troubleshooting

Issue: Test API Credentials fails with 401.

• Solution: The bearer token is one-time and must be copied at the moment Argus displays it. If lost, regenerate from the Argus provider settings.

Issue: Users are created but not deprovisioned.

• Solution: Deactivate Users must be enabled under To App provisioning actions. Also confirm the user is unassigned or Okta-suspended, not just removed from a group.

Key Benefits

• Real-time deprovisioning closes a major window attackers love to exploit
• No more 'access revoked 2 weeks after offboarding' tickets
• Group-based assignment scales as your org grows
• Full audit trail: Okta logs every lifecycle event, Argus logs every access change