Help / Security and Privacy /

Okta SCIM with Condens

You can set up SCIM to automatically create users in Condens once they are added to the application in Okta and set users inactive in Condens once they are removed from the Condens application in Okta.

Before you enable SCIM, it is recommended to select an auto provisioning role in Condens. This is the default role that users get assigned when they are provisioned to Condens.

To enable SCIM in Condens, simply go to Settings > Security & Login, then select SCIM provisioning > Enabled.

In Okta, open the Condens application and click on General. Then click on Edit (next to “App Settings”), check Enable SCIM provisioning, and then click Save.

A Provisioning tab will appear in Okta. Click on it and then click on Edit.

  • Copy the SCIM base connector URL from Condens and paste it into Okta under the SCIM connector base URL

  • Next to the Unique identifier field for users enter userName

  • Check Push New Users and Push Profile Updates

  • Select HTTP Header as Authentication Mode

  • Copy the SCIM bearer token from Condens and paste it in Okta next to Bearer

Then click on Save.

In the screen that opens, click on Edit (next to “Provisioning to App”). Then enable Create Users, Update User Attributes, and Deactivate Users. After that click on Save.

User Roles

Using SCIM with Okta, it's possible to set the role of users directly from Okta.

  1. In Okta, select the Condes SSO App under Directory > Profile Editor.

  2. Click Add Attribute in the Attributes section to add the user roles mapping.

  3. Fill out the form so that it reflects the below settings.

    • Display name: Condens Role (can be anything)

    • Variable Name: pick the variable name you want to use

    • External Name: roles.^[primary==true].value

    • External Namespace: urn:ietf:params:scim:schemas:core:2.0:User

    • Enum: Yes

    • Enter the Condens roles as attribute members. Make sure the value is exactly as below and lower-case.

      • Display name: Admin, Value: admin

      • Display name: Contributor, Value: contributor

      • Display name: Limited Access Contributor, Value: limited_access_contributor

      • Display name: Full Access Viewer, Value: full_access_viewer

      • Display name: Viewer, Value: viewer

      • Display name: Non-Research Admin, Value: admin#nonresearch

      icon lightbulb

      In March 2025, Condens changed the names of some roles. For SCIM connections set up before that date, the old Condens role names (researcher, full_access_stakeholder, stakeholder) still work and are mapped to the new names (contributor, full_access_viewer, viewer):

    • Attribute length: you can leave that empty

    • Attribute requires: Yes

    • Attribute type: Select this depending on your setup and preferences

    Then click "Save"

  4. Once this is done, you can assign a user role to each user during the application assignment, either directly or via mapping.

User Groups

Condens does not currently support Okta Push Groups through SCIM. However, Okta can assign provisioned users to existing Condens user groups by sending group names on the SCIM User object.

The user groups need to exist in Condens before Okta sends them. Condens matches the values sent by Okta with the names of Condens user groups.

To configure this in Okta:

  1. In Okta, go to Directory > Profile Editor and open the Condens app profile.

  2. Click Add Attribute.

  3. Add an attribute for the Condens user group value you want to send:

    • Display name: Choose any name, for example "Condens Group"

    • Variable name: Choose any variable name, for example "condensGroup"

    • External name: groups.^[type=='condens_group'].value (Here 'condens_group' is an arbitrary technical label. It does not need to match an Okta

        group, an Okta user attribute, or a Condens user group)

    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User

    • Attribute type: Select Group if you want to set the value through Okta group assignments. Select Personal if you want to set it per assigned user.

  4. Set the value of the attribute to the exact Condens user group name. You might need to use Okta expressions to map Okta user properties to match the exact group names from Condens

Notes

  • The value must match the Condens user group name exactly.

  • Condens matches by group name, not by Okta group ID.

  • Condens does not create, rename, or delete Condens user groups based on Okta group data.

  • Okta Push Groups and SCIM /Groups synchronization are not supported.

  • To remove a user from all Condens user groups, update the user in Condens. SCIM group assignment is intended for assigning one or more existing Condens user groups.

Didn't find what you're looking for? Send us a message and we'll get back to you.
Contact us