Okta SCIM
System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.
note
SCIM integrations are available for Teams and Enterprise organizations. Customers not using a SCIM-compatible identity provider may consider using Directory Connector as an alternative means of provisioning.
This article will help you configure a SCIM integration with Okta. Configuration involves working simultaneously with the Bitwarden web vault and Okta Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.
Supported features
The following provisioning features are supported by this integration:
Push users: Users in Okta that are assigned to Bitwarden are added as users in Bitwarden.
Deactivate users: Users with the deactivated status will no longer have access to their assigned apps. Deactivating a user in Okta will change their Bitwarden status to revoked.
Delete user: Users deleted in Okta will be moved to revoked status in the Bitwarden organization.
note
Choosing the suspended status for a user in Okta will not result in a revoked status in Bitwarden.
Push groups: Groups and their users in Okta can be pushed to Bitwarden.
note
Bitwarden does not support changing a user's email address once provisioned. Bitwarden also does not support changing a user's email address type or using a type other than primary. The values entered for email and username should be the same. Learn more.
Enable SCIM in Bitwarden
note
Are you self-hosting Bitwarden? If so, complete these steps to set up SCIM for your server before proceeding.
To start your SCIM integration:
From the Admin Console, go to Settings → SCIM provisioning.
Check Enable SCIM.
Select Save.
Your SCIM URL and SCIM API key will appear, which you will later enter in Okta:
SCIM provisioning
Add the Bitwarden app to Okta
To add Bitwarden within Okta:
From the Okta Admin Portal, go to Applications → Applications.
Select Browse App Catalog.
In the search bar, enter
Bitwardenand select Bitwarden:
Browse app catalog for Bitwarden Select Add Integration, which will open the Bitwarden app's general settings.
Enter a unique, Bitwarden-specific name in Application label.
Check Do not display application icon to users.
Select Done.
Set up provisioning in Okta
To set up provisioning, the following steps must be completed in the same order that's presented here.
Connect your Bitwarden organization
To connect Okta with Bitwarden:
While still on the Bitwarden app configuration page in Okta, select Provisioning.
Select Configure API Integration.
Check Enable API Integration.
Enter details you found earlier in the Bitwarden Admin Console, from Settings → SCIM provisioning:
In the Base URL field, enter your SCIM URL from Bitwarden.
In the API Token field, enter your SCIM API key from Bitwarden.
Enter Bitwarden SCIM URL and API key
Select Test API Credentials. If you see a confirmation message like "Bitwarden was verified successfully!" then your connection works.
Select Save.
Set provisioning actions
To allow specific provisioning actions:
While still on the Provisioning tab, select To App.
Select Edit:
Provisioning to app Check Create Users and Deactivate Users.
Select Save.
(Optional) Customize the Bitwarden Attribute Mappings.
Set Assignments
Open the Assignments tab and use the Assign dropdown menu to assign people or groups to the application. Assigned users and groups will be automatically issued an invitation. Depending on your workflow, you may need to use the Push Groups tab to trigger group provisioning once they are assigned.
Finish user onboarding
Now that your users have been provisioned, they will receive invitations to join the organization. Instruct your users to accept the invitation and, once they have, confirm them to the organization.
note
The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.