Help / Security and Privacy /

Okta SCIM with Condens

You can set up SCIM to automatically create users in Condens once they are added to the application in Okta and set users inactive in Condens once they are removed from the Condens application in Okta.

Before you enable SCIM, it is recommended to select an auto provisioning role in Condens. This is the default role that users get assigned when they are provisioned to Condens.

To enable SCIM in Condens, simply go to Settings > Security & Login, then select SCIM provisioning > Enabled.

In Okta, open the Condens application and click on General. Then click on Edit (next to “App Settings”), check Enable SCIM provisioning, and then click Save.

A Provisioning tab will appear in Okta. Click on it and then click on Edit.

  • Copy the SCIM base connector URL from Condens and paste it into Okta under the SCIM connector base URL

  • Next to the Unique identifier field for users enter userName

  • Check Push New Users and Push Profile Updates

  • Select HTTP Header as Authentication Mode

  • Copy the SCIM bearer token from Condens and paste it in Okta next to Bearer

Then click on Save.

In the screen that opens, click on Edit (next to “Provisioning to App”). Then enable Create Users, Update User Attributes, and Deactivate Users. After that click on Save.

User Roles

Using SCIM with Okta, it's possible to set the role of users directly from Okta.

  1. In Okta, select the Condes SSO App under Directory > Profile Editor.

  2. Click Add Attribute in the Attributes section to add the user roles mapping.

  3. Fill out the form so that it reflects the below settings.

    • Display name: Condens Role (can be anything)

    • Variable Name: pick the variable name you want to use

    • External Name: roles.^[primary==true].value

    • External Namespace: urn:ietf:params:scim:schemas:core:2.0:User

    • Enum: Yes

    • Enter the Condens roles as attribute members. Make sure the value is exactly as below and lower-case.

      • Display name: Admin, Value: admin

      • Display name: Contributor, Value: contributor

      • Display name: Limited Access Contributor, Value: limited_access_contributor

      • Display name: Full Access Viewer, Value: full_access_viewer

      • Display name: Viewer, Value: viewer

      • Display name: Non-Research Admin, Value: admin#nonresearch

      In March 2025, Condens changed the names of some roles. For SCIM connections set up before that date, the old Condens role names (researcher, full_access_stakeholder, stakeholder) still work and are mapped to the new names (contributor, full_access_viewer, viewer):

    • Attribute length: you can leave that empty

    • Attribute requires: Yes

    • Attribute type: Select this depending on your setup and preferences

    Then click "Save"

  4. Once this is done, you can assign a user role to each user during the application assignment, either directly or via mapping.

It is also possible to assign user groups through SCIM. For that, the "groups" property should be set and the values should match the names of the groups the user should be assigned to.

Didn't find what you're looking for? Send us a message and we'll get back to you.
Contact us