Okta SCIM Integration
System for Cross-domain Identity Management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.
SCIM Integrations are available for Enterprise organizations. Teams organizations, or customers not using a SCIM-compatible identity provider, may consider using Directory Connector as an alternative means of provisioning.
This article will help you configure a SCIM integration with Okta. Configuration involves working simultaneously with the Bitwarden web vault and Okta Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they are documented.
Are you self-hosting Bitwarden? If so, complete these steps to enable SCIM for your server before proceeding.
To start your SCIM integration, open your organization's Manage → SCIM Provisioning page:
Select the Enable SCIM checkbox and take note of your SCIM URL and SCIM API Key. You will need to use both values in a later step. Treat the SCIM API Key as a secret: anyone who holds it together with the SCIM URL can create, deactivate, and regroup members of your organization.
Create an app
In the Okta Admin Portal, select Applications → Applications from the navigation. On the Application screen, select the Browse App Catalog button:
In the search bar, enter SCIM and select SCIM 2.0 Test App (Header Auth):
Select the Add Integration button to proceed to configuration.
On the General Settings tab, give the application a unique, Bitwarden-specific label and select Next.
For now, skip the options on this screen and select Done.
Open the Provisioning tab and select the Configure API Integration button:
Once selected, Okta will list a few options for you to configure:
Check the Enable API Integration checkbox.
In the Base URL field, enter your SCIM URL (learn more).
In the API Token field, enter your SCIM API Key (learn more).
Check the Import Groups checkbox.
Once you are finished, use the Test API Credentials button to test your configuration. If it passes the test, select the Save button.
Set Provisioning actions
On the Provisioning → To App screen, select the Edit button:
Enable, at a minimum, Create Users and Deactivate Users. Select Save when you are done.
Please note, Bitwarden does not support changing a user's email address once provisioned. Bitwarden also does not support changing a user's email address type, or using a type other than primary. Learn more.
Open the Assignments tab and use the Assign dropdown menu to assign people or groups to the application. Assigned users and groups will be automatically issued an invitation. Depending on your workflow, you may need to use the Push Groups tab to trigger group provisioning once they are assigned.
Finish user onboarding
The Invite → Accept → Confirm workflow facilitates the decryption key handshake that allows users to securely access organization vault data.