Okta Integration (SCIM)

This guide provides the steps required to configure Okta user provisioning for Leapsome, and includes the following sections:

• Features
• Prerequisites
• Configuration Steps
• Troubleshooting Tips

Features

Automatic User Provisioning is supported for Leapsome.

This enables Okta to:

• Add new users to Leapsome
• Update select fields in users’ profile information in Leapsome
• Deactivate users in Leapsome
• Push groups and memberships to Leapsome

The following provisioning features are supported:

• Pushing New Users: Creating a new user in Okta and assigning them to the Leapsome application will create a new user in Leapsome.
  
  
• Pushing User Profile Updates: Updates to a user in Okta will be pushed to Leapsome.
  
  
• Deactivating Users: Deactivating the user or disabling the user's access to Leapsome within OKTA will deactivate the user in Leapsome.
  
  
• Importing New Users: Users created in Leapsome can be pulled into Okta and turned into new AppUser objects for matching against existing Okta users.
  
  
• Pushing Groups: Groups created in Okta can be pushed to Leapsome. Attributes pushed include name and group members.
  
  
• Pulling Groups: Groups created in Leapsome can be pulled into Okta for reference within Okta.

The sync frequency depends on the source system.

Prerequisites

Before you configure provisioning for Leapsome: 

1. Make sure you have configured the General Settings for the Leapsome app.
2. Enable SCIM in your Leapsome account and generate an Access Token. To do so,
   1. Log in as an administrator, go to the 'Settings' > 'Integrations'
   2. Select 'SCIM user provisioning'
   3. Click 'Save & Create Token'.

Configuration Steps

On the 'Integration' tab, choose the following settings

• Check the Enable provisioning features box.
• API Credentials:
  
  • API Token: Place the Access Token from Leapsome here. 

On the 'To App' tab, enable the following options

• Create users (default username should be set to email)
• Update user attributes
• Deactivate users

In the Leapsome attribute mappings, choose the following settings

On the 'To Okta' tab, choose the following settings

• Schedule import: 'Never'
• Okta username format: 'Email'
• Do not allow 'Profile & Lifecycle Mastering'

You can now assign people to the app and finish the setup. For the initial user provisioning, 2 forced syncs are recommended: the first sync will create the users and the second sync will update the reporting lines.

Adding attributes

If you wish to sync additional attributes, please click "Go to Profile Editor", followed by "Add attribute".

You can add a number of default Leapsome attributes and custom attributes (see below). Please note their exact external names and the external namespace

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

and choose other properties as you prefer to see them in Okta:

• Location:
  • external name: location
  • required format: string
• Start date
  • external name: startDate
  • required format: string, YYYY-MM-DD
• End date
  • external name: startDate
  • required format: string, YYYY-MM-DD
• Birthday
  
  • external name: birthday
  • required format: string, YYYY-MM-DD
• Level (for skills)
  
  • external name: level
  • required format: string
• Any custom attribute
  • external name: e.g. 6140868326541a4da586db0b 

You can also add custom Leapsome attributes. To do so, please find their respective IDs in the custom attribute list in Leapsome.

Once you have created your attributes in Leapsome, please click on "Mappings", go to "Okta User to Leapsome" and select the properties in Okta that should be mapped to your newly created attributes.

Please note that additional attributes will only be synced on the first update (not creation) run.

Troubleshooting + Support

Cost center and department as 'teams'

Leapsome uses 'teams' to enable filtering of data and reports. If your organization uses the 'cost center' or 'department' attributes, we will therefore automatically create a new Leapsome team for each department or cost center and will automatically add the corresponding users to it.

Manager not syncing? 

Make sure that the manager exists within Leapsome before provisioning. Leapsome will ignore any manager assignments that include managers not present in Leapsome. 

Okta sends the manager information present in the managerId field for a given user. The information in the field can be

• an email address for the manager
• a Leapsome ID for the user
• Okta's ID for the user

Make sure this field is populated.

For the initial user provisioning, 2 forced syncs are recommended: the first sync will create the users and the second sync will update the reporting lines.

Changing a username?

Leapsome depends on the uniqueness of a user’s email address. Therefore, provisioning will fail if a user’s userName is updated but their email address is not.

Updates or de-provisioning not working for some users? 

This issue may occur when a user was added to Leapsome manually or prior to SCIM being enabled. Please see the 'Users added to Leapsome manually?' below.

Getting an 'Email address already in use?' error when creating a user?

This error may occur when a user was added to Leapsome manually or prior to SCIM being enabled. Please see the 'Users added to Leapsome manually?' below.

Users added to Leapsome manually? 

Users added to Leapsome manually or before SCIM was enabled for the Leapsome account may not be tracked by Okta. To make Okta aware of these users' membership in Leapsome, perform an 'Import' within Okta. Under the Leapsome app in Okta, find the 'Import' tab, and click 'Import Now'.

A list of Leapsome users and possible associations with Okta users will be populated below. Click 'Confirm Assignments' and these users will now be tracked, updated, and de-provisioned by Okta. Please make sure all of the users you would like to import from Leapsome are active as inactive users will not be imported by Okta.