This documentation provides a step-by-step guide to set up automatic user provisioning with Okta. You’ll have to create and configure a new application based on the SCIM protocol. To do so you’ll need to login to your Okta and you also need to login to your company Tresorit subscription to execute certain actions in the Admin Center.
The feature is only available in the Enterprise plan.
Configuring a Tresorit SCIM provisioning application in Okta
Create a new application
In Applications select Browse App Catalog.
Select SCIM 2.0 Test App (Header Auth)
Change application label (e.g. Tresorit SCIM) so that you can identify this application later and press Next.
SAML SSO isn’t supported by Tresorit, so we can skip the settings on the following page, you should set up a separate application if you want to use Okta OIDC SSO with Tresorit.
In the newly created application select the Provisioning tab and enable the feature by clicking on Configure API integration.
Check Enable API integration.
For the next step you have to provide the URL and Token provided by Tresorit. Go to the Tresorit Admin Center, open Settings and click Enable in the Provisioning section.
Copy API credentials (Base URL and API Token) to Okta and select Test API Credentials.
If the entered API credentials are correct, then a success message is displayed and you should select Save.
On the Provisioning tab, select To App in Settings and Enable Create Users and Deactivate Users. Then press Save.
Scroll down to attribute mappings and only leave the following mappings: Username, Given name, Family name, Primary email.
Technical considerations when using Tresorit's provisioning integration
- Newly provisioned users will be automatically assigned to the Default policy template that you can configure in Tresorit Admin Center.
- Updating the user’s name does not have any effect on the Tresorit user. The name provided at registration will be in use.
- In case you change the status of SCIM managed user to Suspended on the Tresorit Admin Center UI it won’t effect their ‘active' attribute in your provisioning application
- Email address of the provisioned Tresorit user cannot be changed in the identity provider. Email address is used as an identifier in Tresorit.
Email domain verification
Although it is not required, we do recommend verifying your email domain for better control over your users. The guide for this feature: How to verify your email domain
📝 Note: Using the Add to subscription automatically option for a verified domain can result in users being added to your subscription outside SCIM provisioning. If you set up provisioning, we recommend setting either Invite only registration or Do not add to subscription for your verified domain.