{"pageModel":{"attributes":{"id":"","name":"119466.dita","viewName":"DitaDetail"},"elements":{"ditaContent":{"name":"DITAContent","value":"<article id=\"provision-users-and-groups-from-okta\" class=\"topic\">\r\n<h1 class=\"title topictitle1\">Provision Users and Groups from Okta</h1>\r\n<div class=\"body taskbody\">\r\n<p class=\"p\">Cisco Secure Access supports the provisioning of users and groups from the Okta identity provider (IdP).</p>\r\n<p class=\"p\">After you generate your System for Cross-domain Identity Management (SCIM) token in Secure Access, add the SCIM token in the <strong class=\"ph b\">Cisco User Management Connector</strong> app in the Okta portal.</p>\r\n<p class=\"p\">Then, provision users and groups to Secure Access through the app.</p>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Limits and Best Practices</h2>\r\n<ul class=\"ul\">\r\n<li class=\"li\">Secure Access supports provisioning a maximum of 1000 groups from Okta. Any groups beyond this number that are in scope are not provisioned. Secure Access does not restrict the number of users that you can provision from Okta. For more information, see <a data-scope=\"\" target=\"\" href=\"docs/csa/olh/118830.dita\" title=\"\">Limitations and Range Limits</a>.</li>\r\n<li class=\"li\">To ensure that all users are provisioned, assign the <strong class=\"ph b\">Everyone</strong> group to the <strong class=\"ph b\">Cisco User Management Connector</strong> app. You can push additional groups for group-based Secure Access rule enforcement.</li>\r\n<li class=\"li\">Okta does not support nested groups.</li>\r\n<li class=\"li\">If you previously imported groups from the on-premises AD and push the same groups from Okta, the groups from Okta do not overwrite the groups imported from the on-premises AD. 
You must reassign any group-based Secure Access policy rules to the groups imported from Okta.</li>\r\n<li class=\"li\">Provisioning large numbers of users and groups to Secure Access may take several hours.</li>\r\n<li class=\"li\">After the initial provisioning of users and groups, it can take up to one hour for subsequent changes to users and groups to be reflected in Secure Access.</li>\r\n<li class=\"li\">Concurrent synchronization of the same users and groups from the on-premises AD and the <strong class=\"ph b\">Cisco User Management Connector</strong> app is not supported and leads to inconsistent policy enforcement.</li>\r\n<li class=\"li\">For IP-to-user mapping deployments, you must use an on-premises AD Connector. Okta does not store the private IP to AD user mappings.</li>\r\n</ul>\r\n</section>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Supported Features</h2>\r\n<p class=\"p\">Secure Access supports these features in Okta:</p>\r\n<ul class=\"ul\">\r\n<li class=\"li\">\r\n<strong class=\"ph b\">Create Users</strong>—New users created in Okta are also created in Secure Access.</li>\r\n<li class=\"li\">\r\n<strong class=\"ph b\">Update User Attributes</strong>—Updates to a user's profile through Okta are pushed to Secure Access.</li>\r\n<li class=\"li\">\r\n<strong class=\"ph b\">Deactivate Users</strong>—Deactivating a user through Okta deactivates the user in Secure Access.</li>\r\n<li class=\"li\">\r\n<strong class=\"ph b\">Group Push</strong>—Groups in Okta are pushed to Secure Access.</li>\r\n</ul>\r\n</section>\r\n<section class=\"section\">\r\n<h2 class=\"title sectiontitle\">Refresh the SCIM Token</h2>\r\n<p class=\"p\">We recommend that you refresh the SCIM token at least once every 90 days and immediately copy the SCIM token to the <strong class=\"ph b\">Cisco User Management Connector</strong> app on Okta.</p>\r\n<p class=\"p\">Refreshing the SCIM token is the responsibility of the administrator. 
Secure Access does not perform this action.</p>\r\n</section>\r\n</div>\r\n</article>\r\n","ditaVal":"","format":"html"},"bookTitle":{"value":""},"shortDescription":{"value":""}}},"parameters":{"appId":"SecureAccess","topicAlias":"provision-users-and-groups-from-okta"}}