How To Enable And Use Okta SCIM With Bynder

Summary

Bynder supports SCIM functionality, including creating, updating and deactivating user accounts with Okta. SCIM, or System for Cross-domain Identity Management, is an open standard designed to automate the process of user identity management and provisioning across different cloud-based services and applications. 

Note: SCIM functionality can only be set up correctly when Single Sign-On is already configured.

Who?

This feature/solution is enabled by a Bynder Admin.

Users with the Manage Users, Manage Portal Settings and Manage OAuth apps permissions can manage SCIM.

Why?

Bynder takes security seriously. We also understand that staying secure and up-to-date can be an immense workload. SCIM automatically updates user information stored in the Bynder portal whenever changes occur in the central identity provider (IdP), without the user needing to log in. SCIM capabilities within Bynder save time and increase portal management efficiency.

How?

Enabling SCIM In Bynder

  1. Create a dedicated user account specifically for SCIM-related operations. Ensure the permission profile of this user is set to Administrator, or at least to a profile that has the Manage Portal Settings, Manage Users and Manage OAuth apps permissions.
    • This ensures that changes made via SCIM are kept separate from modifications performed through Bynder's User Management. By enabling SCIM, you acknowledge and accept that all tracked changes will be associated with the user account linked to the generated token.
  2. Log in as the SCIM user.
  3. Navigate to Advanced Settings -> Portal Settings -> OAuth Apps.
  4. Click on add new app.
  5. Provide an application name (required) and a description (optional).
  6. Select SCIM: Okta as the integration.
  7. Select the grant type supported by your IdP.
  8. Add the redirect URI and press +.

    For Okta use all URIs provided in the Okta documentation:

    https://system-admin.okta.com/admin/app/cpc/{appName}/oauth/callback
    https://system-admin.okta-emea.com/admin/app/cpc/{appName}/oauth/callback
    https://system-admin.oktapreview.com/admin/app/cpc/{appName}/oauth/callback
    https://system-admin.trexcloud.com/admin/app/cpc/{appName}/oauth/callback
    https://system-admin.okta1.com:1802/admin/app/cpc/{appName}/oauth/callback 

  9. The scopes are preselected for you to support SCIM integration. Click Register application.
  10. Copy the Client ID and Client Secret and store them safely. You will never see your Client Secret in Bynder’s UI again.

Okta Setup

  1. Ensure you have an App Integration for Bynder in Okta with the provisioning type set to SCIM.
  2. Create a SCIM token in the Bynder Portal (see section above).
  3. Configure the SCIM provisioning integration settings in Okta:
    • Base URL: Specify the SCIM service URL for your targeted Bynder portal: https://yourportaldomain.com/api/2/scim
    • Unique Identifier Field for Users: userName
    • Supported Provisioning Actions:
      • Import New Users and Profile Updates: Import data from Bynder to Okta.
      • Push New Users: Create users.
      • Push Profile Updates: Update user information.
    • Authentication Mode: OAuth2
    • Access Token Endpoint URI: https://yourportaldomain.com/v7/authentication/oauth2/token
    • Authorization Endpoint URI:
      https://yourportaldomain.com/v7/authentication/oauth2/auth?scope=admin.user:read admin.user:write offline
    • Client ID and Client Secret: Input the credentials generated during the Bynder OAuth2 app creation.
  4. Authenticate the connection.
  5. Configure allowed actions in the Provisioning tab of your Okta application:
    • Create Users
    • Update User Attributes
    • Deactivate Users

Okta Username Limitations:

  • Having multiple users in Okta whose usernames differ only by letter casing might cause conflicts and access issues for those users and should be avoided.
  • When a username is changed in Okta, this will trigger the creation of a new user in the Bynder portal.
  • If a username is changed in Okta to the same value but with different letter casing, it will trigger deactivation of that user in the Bynder portal. Attempting reactivation will not succeed. If this happens please reach out to Bynder support.
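
A pre-flight check for the three limitations above, as an added example that is not part of Bynder's or Okta's tooling. It assumes you have a list of Okta usernames and a mapping of planned username changes; the function names and the sample data are hypothetical and constructed for illustration, and lowercasing is used as an approximation of "differs only by letter casing".

```python
from collections import defaultdict

def case_collisions(usernames):
    """Return groups of usernames that differ only by letter casing."""
    groups = defaultdict(set)
    for name in usernames:
        name = name.strip()
        groups[name.lower()].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def classify_change(old, new):
    """Predict the Bynder-side effect of an Okta username change (rules from the list above)."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case-only"   # user is deactivated in Bynder; reactivation will not succeed
    return "renamed"         # a new user is created in Bynder

def audit(current, planned):
    """current: usernames in Okta; planned: {old: new} changes about to be made in Okta."""
    findings = []
    for _, names in sorted(case_collisions(current).items()):
        findings.append(("collision", names))
    for old, new in sorted(planned.items()):
        kind = classify_change(old, new)
        if kind != "unchanged":
            findings.append((kind, [old, new]))
    # A change can also introduce a collision that did not exist before.
    after = [planned.get(u, u) for u in current]
    for _, names in sorted(case_collisions(after).items()):
        if ("collision", names) not in findings:
            findings.append(("collision-after-change", names))
    return findings

# Constructed sample data (not real accounts).
OKTA_USERS = ["jane.doe@example.com", "Jane.Doe@example.com",
              "sam.lee@example.com", "a.khan@example.com"]
PLANNED = {"sam.lee@example.com": "Sam.Lee@example.com",
           "a.khan@example.com": "amir.khan@example.com"}

if __name__ == "__main__":
    for kind, names in audit(OKTA_USERS, PLANNED):
        print(kind, names)
```

Any "case-only" finding is worth resolving before the change is made in Okta, since the page states that reactivation afterwards requires Bynder support.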

Tracking Changes Done Through SCIM

  1. Open the user profile of the SCIM-dedicated user account and copy the ID from the browser URL. Alternatively, use the email of the SCIM user.
  2. Navigate to Reporting -> Change history.
  3. Filter by the Responsible user email or Responsible user ID. The visible results are changes performed by your SCIM-dedicated account.

FAQs

Will users who are deactivated or deleted in the IdP be automatically deactivated in Bynder’s portal?

Users who are either deactivated or deleted in IdP will get deactivated in Bynder. We do not support permanent deletion via SCIM. To permanently delete a user, please do it through the Bynder User Management UI.

Can Admins create users with SCIM that will not use SSO for logging in?

No, Bynder supports user creation via SCIM only for users who will be logging in through SSO. However, modifying users via SCIM can be done for both SSO users and those logging in with login credentials.

How are new users' profiles set up when created?

New users created through SCIM will have the default profile that was selected by the Admin within the Permissions Management page, not within the SSO configuration. As long as you use SSO with Just-in-Time provisioning and have profile or group mapping set up, these values will be updated upon the next login.

What attributes can be updated in Bynder via SCIM and vice versa?

Bynder supports updating username, email, first name, last name, and active status (Active/Inactive) via SCIM. Any other user attributes cannot be updated via SCIM. This will not work in reverse, and updating the userName attribute in Bynder will break the SCIM integration.

Can we set up group and profile mapping?

No, group and profile mapping cannot be configured directly through the SCIM protocol. However, if you have an active Just-in-Time (JiT) mapping configuration through your SSO setup, these mappings will be applied the next time the user logs in. SCIM handles the account creation/activation, while SSO/JiT handles the attribute-based permission assignments.

Can I reactivate a user?

Users who have been deactivated for less than 180 days will not be eligible for reactivation through SCIM, even if they are reactivated in the IdP.

Can SCIM deactivate users from the existing user base in the Bynder portal, or only future users that were created through SCIM after it has been enabled?

All existing users will be supported, as long as they are SSO users.

Level: Proficient