SCIM (System for Cross-domain Identity Management) allows Okta to automatically provision and manage users in AskNicely.
Follow this step-by-step guide to configure SCIM for your organization.
Before you begin, ensure you have the following:
- Administrator access to your AskNicely account.
- Administrator access to your Okta organization.
After completing these steps, you should be able to:
- Provision users automatically, with roles assigned manually within AskNicely
- Provision users automatically with location-based data access
Prerequisites
- Admin access to your Okta organization.
- SCIM-enabled AskNicely account.
- Completed SAML configuration between Okta and AskNicely.
Step 1: Enable SCIM in AskNicely
- Log in to AskNicely as an administrator.
- Navigate to the Users menu.
- Go to the SCIM settings. https://<YOUR-TENANT-NAME>.asknicely.site/scim/settings
- Copy the SCIM Base URL and Token. You will use these in Okta.
Step 2: Configure SCIM in Okta
- Log in to Okta as an administrator.
- Navigate to Applications > Applications.
- Click Browse App Catalog, search for “SCIM”, and choose the application named SCIM 2.0 Test App (Header Auth).
- Once chosen, click the “Add Integration” button.
- The default settings should be fine (but you can customise them depending on your company's requirements); just click Next until the app is installed.
- Go to the Provisioning tab and click Configure API Integration.
- Check the box for Enable API Integration.
- Enter the SCIM Base URL and Token copied from AskNicely (Step 1.4 above).
- Click Test API Credentials to ensure connectivity.
- Once successful, click Save.
- Under the Provisioning to App section, enable the following as needed:
  - Create Users
  - Update User Attributes
  - Deactivate Users
Step 3: Configure User Provisioning Scenarios
Scenario 1: Users Provisioned Automatically, Roles Set Manually in AskNicely
- Manage Users in AskNicely: Add users manually on the AskNicely configuration page via **Settings** > **Users**. Assign roles, permissions, and data access manually here.
- User Login: When users attempt to log in via Okta/Google with the same email address that was assigned when the user was created, SSO will grant them access.
Result
- No automated user creation.
- Roles and data access must be configured directly in AskNicely.
Scenario 2: Users Provisioned Automatically with Location-Based Data Access
For organizations where user roles and location-based data access must be determined automatically, you can use advanced attribute mappings from Okta to pass role and location information directly to AskNicely.
Prerequisites
- Confirm with AskNicely Support that your plan supports SCIM or advanced JIT provisioning with role and location attributes.
- Determine which Okta attributes (e.g., department, location, groups, or custom attributes) will map to AskNicely roles and locations.
- You may need a predefined mapping schema from AskNicely (e.g., askNicelyGroup and askNicelyFilter_key attribute names) to ensure these values can be interpreted correctly.
Steps
- Configure Attribute Mappings in Okta
  a. Go to Directory > Profile Editor > SCIM 2.0 Test App (Header Auth) User
  b. Create three new attributes:
    - askNicelyGroup
      - Data type: string
      - Display name: AskNicely Group (or any name that makes sense to you).
      - Variable name: askNicelyGroup
      - External name: askNicelyGroup
      - External namespace: urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User
      - Description: User Role in AskNicely (or whatever makes sense to you).
      - Attribute type: Group
    - askNicelyFilter_key
      - Data type: string
      - Display name: AskNicely Filter Name (or any name that makes sense to you).
      - Variable name: askNicelyFilter_key (note the _)
      - External name: askNicelyFilter.key (note the .)
      - External namespace: urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User
      - Description: Name of custom data field (for the user locked filter) in AskNicely (or whatever makes sense to you).
      - Attribute type: Group
    - askNicelyFilter_value
      - Data type: string
      - Display name: AskNicely Filter Value (or any name that makes sense to you).
      - Variable name: askNicelyFilter_value (note the _)
      - External name: askNicelyFilter.value (note the .)
      - External namespace: urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User
      - Description: Value of custom data field (for the user locked filter: what can this user see in AskNicely?) (or whatever makes sense to you).
      - Attribute type: Personal
- You should now see those three new fields in the list of fields for this app.
- Update the mapping [App → Provisioning → To App → Attribute Mappings]
  - askNicelyFilter_value should map to the profile field containing the locked value for this user.
  - askNicelyFilter_value and askNicelyGroup should be “Same value for all users” and set to a simple dot.
    - This will be overwritten in the Group assignment during the next step.
- When assigning Groups to this app, make sure you enter the values as group-level values.
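A pre-flight check for the mapping above, as an added example (not AskNicely's or Okta's code): it inspects a SCIM User payload for the three extension attributes and reports any that are missing or still carry the "." placeholder, meaning no profile or group-level value replaced it. The nested payload form of askNicelyFilter.key and askNicelyFilter.value, the function names, and the sample users and values are assumptions constructed for illustration.

```python
EXT_NS = "urn:ietf:params:scim:schemas:extension:askNicelyFilter:2.0:User"
PLACEHOLDER = "."  # the "same value for all users" default from the mapping step
ATTRS = ("askNicelyGroup", "askNicelyFilter.key", "askNicelyFilter.value")


def lookup(ext, dotted):
    """Read an external name from the extension object, flat or nested (assumed forms)."""
    if dotted in ext:
        return ext[dotted]
    node = ext
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_user(user):
    """Return findings for one SCIM User resource; an empty list means clean."""
    findings = []
    if EXT_NS not in user.get("schemas", []):
        findings.append("extension schema not declared")
    ext = user.get(EXT_NS) or {}
    for name in ATTRS:
        value = lookup(ext, name)
        if not isinstance(value, str) or not value.strip():
            findings.append(f"{name} missing")
        elif value.strip() == PLACEHOLDER:
            findings.append(f"{name} still placeholder")
    return findings


# Constructed sample payloads (not captured from Okta or AskNicely).
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
GOOD = {"schemas": [CORE, EXT_NS], "userName": "pat@example.com",
        EXT_NS: {"askNicelyGroup": "Manager",
                 "askNicelyFilter": {"key": "location", "value": "Auckland"}}}
STALE = {"schemas": [CORE, EXT_NS], "userName": "sam@example.com",
         EXT_NS: {"askNicelyGroup": ".",
                  "askNicelyFilter": {"key": ".", "value": "Wellington"}}}

if __name__ == "__main__":
    for u in (GOOD, STALE):
        print(u["userName"], audit_user(u) or "ok")
```

Running a check like this against payloads captured from a test assignment catches users who were assigned to the app without a group-level role or filter before they reach AskNicely.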
Result
- Users are created automatically on first login.
- Roles and location-based access are automatically assigned according to attributes passed from Okta, reducing manual administration.
By completing these steps, you will have a fully integrated SCIM and SAML solution for managing user access and data permissions in AskNicely through Okta.