This content is being deprecated.
Please see our new Kisi Docs portal at docs.kisi.io
Relevant section: Enable SCIM on Okta
SSO and SCIM require a Kisi Organization license. Please contact Kisi Support to learn more.
Kisi Organizations can configure Okta to enable System for Cross-domain Identity Management (SCIM) provisioning and deprovisioning for their Kisi members. Before you start, please check that you have set up SSO for your Organization, generated a SCIM token, enabled SCIM for your Organization and added the Kisi Physical Security app in Okta.
SCIM with Okta allows you to:
- Create Users
- Update User Attributes (via PUT and PATCH)
- Deprovision Users
- Push Groups
Generating SCIM Token in Kisi
To generate your SCIM Token in Kisi:
- Sign in to your Kisi Organization account
- Under Organization Setup, click on SSO & SCIM
- Toggle On Enable SCIM and click on Generate Token
- Copy the Token (this Token is only shown once)
Setting up SCIM with Okta
To configure SCIM with Okta for your Kisi Organization:
- Sign in to Okta and ensure you are using the classic UI interface (top-left corner)
- Click the Admin button, Applications in the main navigation, and select your Kisi Physical Security app from the list.
- Navigate to the Provisioning tab, click Configure API Integration
- Click on the Enable API Integration checkbox and enter your SCIM token (without the leading Bearer if present)
- Click Test API Credentials
- Ensure a success message is displayed ('Kisi Physical Security was verified successfully!') above the Enable API Integration checkbox and click Save
- Click Edit and enable Create Users, Update User Attributes and Deactivate Users options in Provisioning > To App and Save
- Assign users to the SCIM group under Push Groups.
Push Okta Groups to Kisi
To push Okta groups to Kisi:
- Navigate to Push Groups
- Click on + Push Groups and select Find Groups by name
- Search for the Okta group
- Under Match result & push action choose to either Create Group or Link Group
Good to know before setting up SCIM
- Events related to SCIM provisioning and deprovisioning are not currently tracked in Kisi.
- It is not possible to import users from Kisi to Okta.
- SCIM operates only on the users and groups that have been provisioned from Okta, i.e. it only performs create, update, and remove actions on them. This means that if you add a user to a SCIM-created group via the Kisi interface, the user won't be removed from the group by the next SCIM sync, automatic or manual, because Okta doesn't "know" that this user is in the group.
- If a user assigned to Kisi in Okta already exists in Kisi, they will be linked with the existing user and the attributes of this user will be updated with the attributes set in Okta. If this user is ever unassigned from the app, (s)he will be deleted even if active manually created group memberships are present.
- Users deactivated in Okta will have the "access suspended" flag set on their account. They will not be able to unlock any doors, even those that are shared with them, until the flag is removed by re-activating the user in Okta. The flag can also be manually removed in Kisi, but we recommend keeping one source of truth to avoid any possible confusion.
- Users suspended in Okta stay active in Kisi; this is not supported by the SCIM protocol.
- To remove a user from Kisi, deassign this user from the SCIM app in Okta, either individually or by removing the user from the group that was used for assignment.
- Removing the user from the pushed groups will remove the respective group memberships, but will keep the user in the users list, even if the user has no active group memberships.
- If you remove a SCIM-created user from Kisi or from a SCIM-created group, this user will be re-added after a manual push of a group this user belongs to.
- To remove a synced group from Kisi, go to the "Push groups" tab, choose the group and unlink it, deleting it in the target app.
- Some push group functionality, e.g. bulk edit and rule edit of push groups, doesn't work yet.
- If a team (group) is removed from Kisi while SCIM is still assigned to it in Okta, you will see an error in the Okta logs and in the Push Groups tab in the SCIM application section. If the group was accidentally removed from Kisi and you want to make sure it syncs again, unlink the group while keeping it in the target app. Then click on "Push groups" and choose this group. A new team will be created in Kisi. You will need to add doors to this group again.
- If you want to sync a push group with an existing group in Kisi, go to the Push groups section in the SCIM app first and click on "Refresh App Groups" to get the most up-to-date list of groups in Kisi. Then click on "Push groups", choose the group you want to push, and opt to link the group to one of the Kisi groups; you will see a drop-down list with Kisi groups.
| System | Action | Result after SCIM sync |
|---|---|---|
| Kisi | User removed from the Kisi user list | If the user is assigned to the Kisi SCIM app (individually or through a group), the user will be re-added to Kisi. If you want to remove the user, deassign it from the Kisi SCIM app. |
| Kisi | User removed from a Kisi group linked to an Okta push group | If the user is assigned to the Kisi SCIM app and is present in the Okta push group that is linked to the Kisi group, the user will be re-added only after manual push. |
| Kisi | User added to a Kisi group linked to an Okta push group | Group membership will not be affected during the sync. Even if the user is not present in the Okta group, (s)he will stay in the Kisi group. |
| Okta | User added to a push group linked to a Kisi group, when the user was already a part of that group in Kisi | The user will now be treated as a SCIM-imported user, and future removal from the Okta push group will remove the user from the Kisi group, even if that user was initially added via Kisi. |
| Okta | User removed from Okta assignment group | The user will be removed from the Kisi user list, even if (s)he has an active membership in Kisi groups. |
| Okta | User assigned to Kisi SCIM app removed from Okta push group linked to a Kisi group | The user will be removed from the relevant Kisi group. The user will stay in the list of the Kisi users. |
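
Because SCIM events are not tracked in Kisi and several manual changes survive a sync, a periodic comparison of exports from both sides surfaces the drift described in the notes and table above. The following is an added example, not Kisi's or Okta's code; the `Snapshot` fields and finding names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Exported state of both sides. Field names are assumptions for this
    example, not Kisi or Okta API fields."""
    okta_assigned: set    # users assigned to the Kisi SCIM app in Okta
    okta_suspended: set   # users in Okta's "suspended" state
    okta_groups: dict     # push group name -> set of member emails
    kisi_users: set       # users present in the Kisi user list
    kisi_suspended: set   # Kisi users carrying the "access suspended" flag
    kisi_groups: dict     # linked Kisi group name -> set of member emails


def audit(s):
    """Return (finding, user, group) tuples that a SCIM sync will not fix."""
    findings = []
    # Users suspended in Okta stay active in Kisi.
    for u in sorted((s.okta_suspended & s.kisi_users) - s.kisi_suspended):
        findings.append(("suspended_in_okta_active_in_kisi", u, None))
    # SCIM only touches users provisioned from Okta; others are unmanaged.
    for u in sorted(s.kisi_users - s.okta_assigned):
        findings.append(("kisi_user_not_managed_by_okta", u, None))
    for group, kisi_members in sorted(s.kisi_groups.items()):
        okta_members = s.okta_groups.get(group)
        if okta_members is None:
            continue  # Kisi group is not linked to a push group
        # Added through the Kisi interface: the sync never removes them.
        for u in sorted(kisi_members - okta_members):
            findings.append(("manual_kisi_membership", u, group))
        # Removed in Kisi: restored only by a manual push.
        for u in sorted((okta_members & s.okta_assigned) - kisi_members):
            findings.append(("missing_until_manual_push", u, group))
    return findings


# Constructed sample data (not real accounts).
SAMPLE = Snapshot(
    okta_assigned={"ana@example.com", "bo@example.com", "cy@example.com"},
    okta_suspended={"bo@example.com"},
    okta_groups={"Lobby": {"ana@example.com", "bo@example.com", "cy@example.com"}},
    kisi_users={"ana@example.com", "bo@example.com", "cy@example.com", "dee@example.com"},
    kisi_suspended=set(),
    kisi_groups={"Lobby": {"ana@example.com", "bo@example.com", "dee@example.com"}},
)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```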