Okta SCIM Integration
System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.
SCIM Integrations are available for Enterprise organizations. Teams organizations, or customers not using a SCIM-compatible identity provider, may consider using Directory Connector as an alternative means of provisioning.
This article will help you configure a SCIM integration with Okta. Configuration involves working simultaneously with the Bitwarden web vault and Okta Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented. If you're self-hosting Bitwarden, please contact us for help setting up the integration.
The following provisioning features are supported by this integration:
Push Users: Users in Okta that are assigned to Bitwarden are added as users in Bitwarden.
Deactivate Users: When users are deactivated in Okta, they will be deactivated in Bitwarden.
Push Groups: Groups and their users in Okta can be pushed to Bitwarden.
Please note, Bitwarden does not support changing a user's email address once provisioned. Bitwarden also does not support changing a user's email address type, or using a type other than
primary. The values entered for email and username should be the same. Learn more.
Are you self-hosting Bitwarden? If so, complete these steps to enable SCIM for your server before proceeding.
To start your SCIM integration, open your organization's Settings → SCIM Provisioning page:
Select the Enable SCIM checkbox and take note of your SCIM URL and SCIM API Key. You will need to use both values in a later step.
In the Okta Admin Portal, select Applications → Applications from the navigation. On the Application screen, select the Browse App Catalog button:
In the search bar, enter
Bitwarden and select Bitwarden:
Select the Add Integration button to proceed to configuration.
On the General Settings tab, give the application a unique, Bitwarden-specific label. Check the Do not display application icon to users and Do not display application icon in Okta Mobile App options and select Done.
Open the Provisioning tab select the Configure API Integration button.
Once selected, Okta will list a few options for you to configure:
Check the Enable API Integration checkbox.
In the Organization ID field, enter your Organization ID, which can be found as the string after
v2/on the SCIM Provisioning screen (learn more).
In the API Token field, enter your SCIM API Key (learn more).
Once you are finished, use the Test API Credentials button to test your configuration. If it passes the test, select the Save button.
On the Provisioning → To App screen, select the Edit button:
Enable, at a minimum, Create Users and Deactivate Users. Select Save when you are done.
Open the Assignments tab and use the Assign dropdown menu to assign people or groups to the application. Assigned users and groups will be automatically issued an invitation. Depending on your workflow, you may need to use the Push Groups tab to trigger group provisioning once they are assigned.
The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.