SCIM (System for Cross-domain Identity Management) keeps Bifrost in sync with Okta in real time — new users are provisioned, deactivated users are suspended, and group memberships are updated without waiting for the next login or background sync.
Complete SSO using OIDC before setting up SCIM. Okta does not support SCIM on a custom OIDC app, so SCIM runs as a separate app alongside your existing OIDC integration.

Step 1: Enable SCIM in Bifrost

1. Open your Okta provider

In your Bifrost dashboard, go to Governance > User Provisioning and open your configured Okta provider.
[Screenshot: Bifrost Okta provider dashboard showing connection details and attribute mappings]
2. Enable SCIM provisioning

Click the settings icon to open Provider Configuration. Toggle on Enable SCIM Provisioning and click Save & Enable.
[Screenshot: Bifrost Provider Configuration with Enable SCIM Provisioning toggle turned on]
3. Copy the SCIM credentials

After saving, Bifrost shows a Setup Complete dialog with:
  • SCIM Endpoint URL — the base URL Okta will send provisioning requests to
  • Provisioning Token — the bearer token Okta uses to authenticate
Copy both values now — you will need them in Step 3.
[Screenshot: Bifrost Setup Complete dialog displaying the SCIM Endpoint URL and one-time Provisioning Token]
The provisioning token is only shown once. Store it somewhere safe before closing this dialog. You can always rotate it later, but the previous token will immediately become invalid.

Step 2: Create a SCIM App in Okta

1. Browse the App Catalog

In the Okta Admin Console, go to Applications > Applications and click Browse App Catalog.
[Screenshot: Okta Applications page with Browse App Catalog button highlighted]
2. Add the SCIM 2.0 Test App

Search for SCIM 2.0 Test App (Header Auth) and add it.
[Screenshot: Okta App Catalog search results with SCIM 2.0 Test App (Header Auth) highlighted]
Name the app Bifrost SCIM (or any label you prefer). On the sign-on options screen, skip everything and click Done — this app is used for SCIM provisioning only, not authentication.

Step 3: Configure the SCIM App

1. Connect the app to Bifrost

Open the Bifrost SCIM app and go to the Provisioning tab. Click Configure API Integration, check Enable API Integration, and enter:
  • SCIM 2.0 Base URL: the SCIM Endpoint URL from Step 1
  • API Token: the Provisioning Token from Step 1
Click Test API Credentials to verify the connection, then Save.
[Screenshot: Okta SCIM app Configure API Integration dialog with Base URL and API Token fields filled in]
2. Enable provisioning actions

Still under the Provisioning tab, go to To App and enable:
  • Create Users
  • Update User Attributes
  • Deactivate Users
Click Save.
[Screenshot: Okta Provisioning To App section with Create Users, Update User Attributes, and Deactivate Users enabled]
3. Add custom attributes (optional)

Skip this step if you only need to sync standard user fields (name, email, groups).
Custom attributes need to be declared in the SCIM app schema before Okta can include them in provisioning payloads. Go to Directory > Profile Editor and select the Bifrost SCIM app profile. Click Add Attribute.
[Screenshot: Okta Profile Editor for the Bifrost SCIM app showing the Add Attribute and Mappings buttons]
Configure the attribute — for example, for Employee ID:
  • Display name: Employee ID
  • Variable name: employeeID
  • External name: employeeID
  • External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
[Screenshot: Add Attribute dialog with Display name Employee ID, Variable name employeeID, and External name employeeID filled in]
Click Save, then click Mappings on the Bifrost SCIM profile.
[Screenshot: Bifrost SCIM Attribute Mappings screen with Go to Profile Editor and Force Sync buttons]
Select the Okta User → Bifrost SCIM tab.
[Screenshot: Okta User to Bifrost SCIM mapping direction tab showing attribute mapping fields]
Scroll to find your attribute and set its source from the Okta user profile — e.g. user.employeeNumber → employeeID. Click Save Mappings.
[Screenshot: Attribute mapping row showing user.employeeID mapped to the employeeID SCIM attribute]
Back in Bifrost, go to Attribute Mapping in the provider setup and add a SCIM Attribute entry for employeeID. The External name you set in Okta must match this exactly.
[Screenshot: Bifrost Attribute Mapping step showing SCIM Attributes section with employeeID custom attribute entry]
The External name in Okta’s Profile Editor and the SCIM attribute name in Bifrost must match exactly — including case.

Step 4: Assign Users and Push Groups

1. Assign users

Go to the Assignments tab in the Bifrost SCIM app. Click Assign > Assign to People or Assign to Groups and select the users or groups to sync with Bifrost.
[Screenshot: Bifrost SCIM app Assignments tab with Assign dropdown showing Assign to People and Assign to Groups options]
Assigned users are pushed to Bifrost immediately. When a user is unassigned or deactivated in Okta, Bifrost deactivates them in real time.
2. Push groups (for team and BU mapping)

If you use group membership to drive Bifrost team or business unit assignments, you need to push the groups themselves — not just the users in them.
Go to the Push Groups tab in the Bifrost SCIM app and click Push Groups.
You can push groups by name (search for specific groups) or by rule (create a filter that automatically pushes any matching groups — useful if your groups follow a naming convention like Bifrost-*).
[Screenshot: Push Groups tab showing Find groups by name and Find groups by rule options]
[Screenshot: Push Groups by rule dialog with Rule name Bifrost Groups and Group name filter starting with Bifrost]
Once groups are pushed and showing as Active, Bifrost tracks their membership in real time.
[Screenshot: Push Groups list showing Bifrost-Admin and Bifrost-Viewer groups with Active push status]
In Bifrost, configure Attribute-to-Team or Attribute-to-Business Unit mappings using the group displayName as the match value to automatically assign users to teams or business units based on their group membership.

Step 5: Verify in Bifrost

Once assignments and group pushes are active, confirm everything is syncing correctly.
  • Go to Governance > Users to see provisioned users and their assigned roles
  • Go to Governance > Teams to see teams populated from pushed groups
  • Go to Governance > Business Units to see business units resolved from group or attribute mappings
Changes in Okta — new assignments, group membership updates, deactivations — will reflect in Bifrost in real time.

How Sync Works

  • Real-time push — Okta pushes user and group changes to Bifrost immediately when they occur.
  • Background reconciliation — if you configured an API token in SSO using OIDC Step 4, Bifrost also runs a full reconciliation every 24 hours to catch anything the SCIM push may have missed.

Troubleshooting

  • Test API Credentials fails — verify the SCIM Base URL has no trailing slash and the API token matches exactly what Bifrost generated. Rotate the token in Bifrost and update Okta if needed.
  • Users are pushed but have no role — SCIM provisions the user record; role assignment comes from attribute mappings in the OIDC provider. Confirm your Attribute-to-Role mappings are set and the relevant claims are present in the JWT.
  • Custom attribute is not arriving in Bifrost — confirm the External name in Okta’s Profile Editor matches the SCIM attribute name in Bifrost exactly (case-sensitive). Also verify the Okta User → Bifrost SCIM mapping direction is saved.
  • Group membership is not syncing — ensure groups are added under Push Groups, not just Assignments. Assignments sync users; Push Groups syncs group membership.
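
An offline pre-flight check for two of the mistakes listed above (a trailing slash on the SCIM base URL, and a case mismatch on a custom attribute name), added here as an example and not part of Bifrost or Okta. The sample user resource and the bifrost.example.com URL are constructed, the function names are hypothetical, and the https check is an addition beyond what this page states.

```python
from urllib.parse import urlsplit

ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed SCIM 2.0 user resource (not captured from Okta or Bifrost).
# The custom attribute is deliberately misspelled with a lower-case "d".
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_NS],
    "userName": "jdoe@example.com",
    "active": True,
    ENTERPRISE_NS: {"employeeId": "E-1001"},
}


def check_base_url(url):
    """Return a list of problems with a SCIM base URL (empty list = none found)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https: the bearer token would travel in clear text")
    if not parts.netloc:
        problems.append("no host")
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    if url.rstrip().endswith("/"):
        problems.append("trailing slash")
    return problems


def find_attribute(user, name, namespace=ENTERPRISE_NS):
    """Exact, case-sensitive lookup of a custom attribute in a SCIM user resource."""
    if namespace not in user.get("schemas", []):
        return ("namespace-not-declared", None)
    ext = user.get(namespace)
    if not isinstance(ext, dict):
        return ("namespace-empty", None)
    if name in ext:
        return ("ok", ext[name])
    # Report a name that differs only by case, the mismatch this page warns about.
    near = [key for key in ext if key.lower() == name.lower()]
    if near:
        return ("case-mismatch", near[0])
    return ("missing", None)


if __name__ == "__main__":
    print(check_base_url("https://bifrost.example.com/scim/v2/"))  # constructed URL
    print(find_attribute(SAMPLE_USER, "employeeID"))
```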