How to Configure SCIM for admins

Contents

Prerequisites
Supported Feature
Configuration Steps
Notes
Known Issues

Prerequisites

Prepare an administrator account for RICOH Smart Integration.

Supported Features

The Okta SCIM integration currently supports the following features:

Create users
Users in Okta that are assigned to the RICOH Smart Integration application within Okta are automatically added as users in RICOH Smart Integration.
Update user attributes
When user attributes are updated in Okta, they will be updated in RICOH Smart Integration.
Deactivate users
When users are deactivated in Okta, they will be disabled or deleted within RICOH Smart Integration – which prevents the user from logging into RICOH Smart Integration.
Group push
Groups and their users in Okta can be pushed to RICOH Smart Integration.

For more information on the feature, visit the Okta Glossary.

Configuration Steps

1. Configuring SAML integration settings

SAML integration settings are required for auto-synchronized user logins. Follow the steps in How to Configure SAML for admins.

2. Configuring the Provisioning

Open the "Sign on" tab, and click [Edit].

Set "Credentials Details" > [Application username format] to [Email] and [Update application username on] to [Create and Update].

Click [Save].

Open the "Provisioning" tab, and click [Configure API Integration].

Check [Enable API Integration].

Go to "Admin Top Page" > "User Management".

Click menu (menu button) > "Synchronize IDs" > "Okta Automatic Synchronization".

Copy [Endpoint (Base URL)].

Click [Issuance] and copy [Access Token (API Token)].

Paste [Endpoint (Base URL)] and [Access Token (API Token)].

Click [Test API Credentials] to test the connection.

Click [Save].

Open the "Provisioning" tab, and click [To App] and [Edit].

Check each box for supported provisioning actions:

Create users
Update user attributes
Deactivate users

Click [Save].

3. Supplemental Procedures: Adding Department and Office Location to the attributes to be Synchronized.

This setting is optional. If you want to synchronize the department attribute of an Okta user to the department of a RICOH Smart Integration user, find [department] in the unmapped attributes and click the Edit button.

Select [Map from Okta Profile] and [department | string] for [Attribute value], select [Create and update] for [Apply on], and click [Save].

This setting is optional. If you want to synchronize the postalAddress attribute of an Okta user to the office location attribute of a RICOH Smart Integration user, find [formatted] in the unmapped attributes and click the Edit button.

Select [Map from Okta Profile] and [postalAddress | string] for [Attribute value], select [Create and update] for [Apply on], and click [Save].

If you want to synchronize to the user's office location, furthermore, find [addressType] in the unmapped attributes and click the Edit button.

Select [Same value for all users] and input [work] for [Attribute value], select [Create and update] for [Apply on], and click [Save].

When both are set, the following is displayed.

4. Supplemental Procedures: Adding arbitrary attributes to the attributes to be synchronized.

This setting is optional. If you want to synchronize other Okta attributes, follow the steps below to synchronize the attribute in User attributes that can be added to RICOH Smart Integration user optional information 1-15.

Select one of the unmapped attributes [extensionAttribute1] to [extensionAttribute15] and click the Edit button.

Select [Map from Okta Profile] and select the attribute from User attributes that can be added for [Attribute value], select [Create and update] for [Apply on], and click [Save].

The following is displayed.

5. Synchronizing Users

Open the "Assignments" tab, and click [Assign].

Click [Assign] for each user that you want to synchronize or for each group containing a user that you want to synchronize, and then click [Done].

6. Supplemental Procedures: Synchronizing users who are not synchronized

Use these steps to configure users who are added to the application but who are not configured to be automatically synchronized. The steps are needed, for example, when users are already added before configuring provisioning.

Open the "Assignments" tab, and click [Provision User].

Click [OK].

7. Synchronizing Groups

To synchronize groups, follow these steps.

Open the "Push Groups" tab, and click [Push Groups] and [Find groups by name].

Enter the name of the group you want to synchronize in the "Enter a group to push..." field, set the group you want to synchronize, and click [Save].

Set up a group that satisfies the following:
- Groups where all users in the group have been added to the application by Synchronizing Users.
- A different group than the one used in Synchronizing Users.
If all members are not synchronized correctly, use the following steps:
- Change the group to be added in Synchronizing Users to a group such as Everyone that is not used for synchronization and contains all users of the group you want to synchronize.
- Create another group containing the same users as the group added in Synchronizing Users and synchronize that group.
Refer to Troubleshooting Group Push.

Check that the "Push Status" for the group that you want to synchronize is set to "Active".

8. Checking the results of automatic synchronization

Click [View Logs] for the created application.

Click [Advanced Filters].

Click [Add Filter], and then add an "eventType" filter to contain "application.provision" ("contains").

Click [Apply Filter], and then check the log.

Notes

User attributes to be synchronized.

The following attributes are supported:

Attribute	Attribute Type	Value	Apply on	Attribute in RICOH Smart Integraion	Required	Remarks
Username	Personal	Configured in Sign On settings	-	User ID	Required	Any characters other than single-byte alphanumeric characters, hyphen (-), and period (.) are replaced with an underscore (_), and the portion preceding the @ sign is matched. If the first character is a hyphen (-), the hyphen (-) is replaced with an underscore (_). If there is a duplicate user in the same tenant, the @ sign is replaced with an underscore (_), and the entire value in the Microsoft Entra ID property is matched. If there is a duplicate user even though the portion succeeding the @ sign is included, a random four-digit value is added to avoid duplication.
Email	Personal	user.email	Create and update	Email address	Required
Primary email type	Personal	(user.email != null && user.email != '') ? 'work' : ''	Create and update	Information for synchronizing email address	Required
Given name	Personal	user.firstName	Create and update	Given name	Required	If the value for this property is not specified on Okta and one of the following conditions is met, synchronization may not occur: The users use this service and are not marked as "registered". The users' email addresses do not match between this service and Okta.
Family name	Personal	user.lastName	Create and update	Family name	Required	Same as above
Department	Group	user.department	Create and update	Department	Optional	Same as above
Formatted	Personal	user.postalAddress	Create and update	Office Location	Optional
Address type	Personal	"work"	Create and update	Information for synchronizing office location	Optional	If the value entered for this property exceeds the maximum number of characters, only the portion from the beginning to the maximum is used.
extensionAttribute1 ~ extensionAttribute15	Personal	User attributes that can be added	Create and update	User Optional Information 1 to 15	Optional	Refer to User attributes that can be added.

Group attributes to be synchronized.

The following attributes are supported:

Attribute	Attribute in RICOH Smart Integraion	Remarks
name	Group name	If the value entered for this property exceeds the maximum number of characters, only the portion from the beginning to the maximum is used.

Group member information is also synchronized. Members not synchronized from Okta are not affected.
Group ID and description are not synchronized. Each initial group ID is a random character string.
RICOH Smart Integration is not synchronized to Okta. If you updated the information only in RICOH Smart Integration, manually correct it in Okta or resynchronize.

User attributes that can be added

The following attributes are supported:

If user optional information exceeds the maximum number of characters, the portion from the beginning to the maximum of the information is used as the user optional information.
If the value for this property is not specified on Okta and one of the following conditions is met, synchronization may not occur:
- The users use this service and are not marked as "registered".
- The users' email addresses do not match between this service and Okta.

Display Name	Variable Name	Remarks
Middle name	user.middleName
Honorific prefix	user.honorificPrefix
Honorific suffix	user.honorificSuffix
Title	user.title
Display name	user.displayName	If Display name has no value set so far, "user.firstName{single-byte space}user.lastName" is synchronized. However, please note that this depends on the Okta specifications and it may change.
Nickname	user.nickName
Profile Url	user.profileUrl
Secondary email	user.secondEmail
Mobile phone	user.mobilePhone
Primary phone	user.primaryPhone
Street address	user.streetAddress
City	user.city
State	user.state
Zip code	user.zipCode
Country code	user.countryCode
Preferred language	user.preferredLanguage
Locale	user.locale	If this item has no value set, it is set to "en_US". However, please note that this depends on the Okta specifications and it may change.
Time zone	user.timezone
User type	user.userType
Employee number	user.employeeNumber
Cost center	user.costCenter
Organization	user.organization
Division	user.division
ManagerId	user.managerId
Manager	user.manager

Known Issues

N/A