
Connecting Vanta & Okta (SCIM)

This article goes over how to set up the Okta SCIM integration with Vanta

Updated this week

Through the Vanta and Okta SCIM Integration, you can create a connection to import your employees seamlessly into Vanta.

Step 1: Enable SCIM in Vanta

  • Open the Vanta console and click the gear icon on the top right corner

  • Then click the Login and Security option on the left hand menu


  • Scroll to the User provisioning table and click the Enable Toggle to turn on SCIM for your account

  • Next, right-click View the Admin Portal and open it in a new tab

  • Search for Okta and select it from the Select your identity provider drop-down menu. This will take you to a page with instructions on how to configure your Okta Application:

  • Do not close this tab. We will configure an application in Okta next and will need values from the Admin Console for that application.

Step 2: Create SCIM Application in Okta

If you have already set up an Okta SSO Application from the Marketplace, you can use the existing Vanta SSO app for user provisioning, but it has limited functionality. Vanta strongly recommends creating a dedicated SCIM app instead, because the SSO app does not support Push Groups.

A dedicated SCIM app enables full support for group sync and team management in Vanta. If you want to continue without Push Groups, skip creating a new SCIM app and proceed to Step 3. To follow the recommended setup, complete the steps below:

  • As an Okta Admin, log into your company's Okta account in a new tab

  • From the left-hand navigation panel, select Applications

  • Select Browse App Catalog

  • Search for SCIM 2.0 Test App (OAuth Bearer Token) application and select it

  • Select Add Integration

  • Title the App integration name

    • We recommend using a name that signifies its relation to Vanta

  • Select Next

  • Many applications will work with the default configuration that is set on your new application. You should be able to leave the Sign-On Options as default and click Done.

    • If you require any additional configuration for your directory, such as configuring attribute statements, do so on the Sign-On Options page.

      When you have completed configuring the application, click Done.


Step 3: Configure the API Integration in Okta

  • In Okta go to your application, select the Provisioning tab and then click Configure API Integration.


  • Next select the Enable API Integration option.

  • Head back to the Admin Portal tab (from Step 1) and in that menu head to step 2. On the bottom of the page you should be able to locate the SCIM 2.0 Base Url and OAuth Bearer Token fields.



  • Copy the values below and paste them into their respective fields in the Okta admin console


  • Click the Test API Credentials button

    • You should see a "SCIM 2.0 Test App (OAuth Bearer Token) was verified successfully!" message. If you do not, please confirm the values you provided are correct.

  • Click Save and then head back to the Admin Portal tab in your browser.

Step 4: Configure Provisioning Actions

  • In the admin portal go to step 3

  • This requires you to return to Okta: head back to the Applications page, then search for and select the SCIM app you created, or the Vanta SSO app if you are using it to provision users.

  • Select the Provisioning Tab and then Select the To App tab in the left navigation menu.

  • Click Edit

  • Enable the following actions and Select Save:

    • Create Users

    • Update User Attributes

    • Deactivate Users

  • Head back to the Admin Portal tab and click the continue button on the bottom of the screen

Step 5: Configure Custom Attribute in Okta

  • The Admin Portal is going to prompt you to Assign People and Groups to the app. Do NOT do this yet; the custom attribute needs to be set up first.

  • Return to Okta and on the left hand menu under Directory select Profile Editor and search for your application:

  • Select the +Add Attribute button

  • Set the Data type to string

  • For the display name, enter a human-readable label so administrators can understand what this attribute is used for.

  • For the variable name and external name, we recommend using a name that signifies its relation to Vanta, such as vanta_roles or rbac_role_id. Make note of this variable name, as we will need it in a later step.


  • Next enter urn:ietf:params:scim:schemas:core:2.0:User for the External namespace field

  • Enter a description (optional). Similar to the Display Name field, this should be human readable and clear so administrators know what this attribute is used for.

  • Next select the checkbox for Define enumerated list of values

  • You will then have to enter a role name followed by a roleID value for each role you expect to assign to users.

  • You can find the role names and their IDs by going back into Vanta, clicking the gear icon in the top right, then selecting Login and security from the left-hand menu and selecting the "Roles" tab in the User provisioning table:

  • You do not need to add every single role, only the roles you expect to grant to your users.

    • At a minimum the Admin role needs to be granted to prevent administrators from being locked out of Vanta.

  • Lastly, select the Attribute type. This tells Okta where the role will be specified: either individually on a user's profile or at the group level.

    • We suggest adding it at the group level for less overhead.

  • Click Save once complete

Step 6: Assigning SCIM application in Okta

You can now add your User Assignments for SCIM Provisioning:

  • Go to your SCIM application in Okta

  • Select the Assignments tab and click Assign.

  • From there, assign the Okta application to the proper users/groups

    • We recommend organizing groups based on the roles users will have in Vanta. For example, place all administrators in one group, all editors in another, and so on.

  • When assigning the application to groups, you will need to scroll down to select the role that users in this group should receive. This role is passed to Vanta through the custom attribute you configured earlier in the setup process. For example, assigning the application to a group named Vanta-Admins will grant those users the Admin role via the vanta_roles attribute.

  • Next, configure group priority. You can do this by going to the Assignments tab, selecting groups and then dragging the desired groups up or down.

  • This is needed because, if the application is assigned to multiple groups and some employees belong to more than one group, the priority value is used to decide which role they are assigned.

  • Best practice is to have the group that is assigned the highest-privileged role (Administrator) have a priority of 1, followed by the group with the next highest-privileged role at 2, and so on. Groups with lower-privileged roles should have lower priority—for example, the Employee group would have the lowest priority, and should be last in the ordering, followed by the Collaborator group with the second-lowest priority and so on.

  • Once complete head over to the Admin Portal tab and click the continue button to head over to Step 5.
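The priority rule above can be checked offline before you assign the app. The following Python sketch is an added example, not Vanta's or Okta's code: the group names, users and the privilege ranking of the role names are constructed assumptions. It resolves each user's role by group priority, flags groups ordered against the best practice, and reports the Admin lockout case from Step 5.

```python
# Added example with constructed data; nothing here is exported from Okta or Vanta.
# Assumption: relative privilege of the role names (higher = more privileged).
PRIVILEGE = {"Admin": 4, "Editor": 3, "Collaborator": 2, "Employee": 1}

def effective_roles(assignments, memberships):
    """Per user, the assigned group with the best priority (1 = top) supplies the role."""
    by_group = {a["group"]: a for a in assignments}
    roles = {}
    for user, groups in memberships.items():
        hits = [by_group[g] for g in groups if g in by_group]
        if hits:  # users in no assigned group are not provisioned at all
            roles[user] = min(hits, key=lambda a: a["priority"])["role"]
    return roles

def misordered_groups(assignments):
    """Pairs (listed_first, listed_later) where the earlier group carries the weaker role."""
    ordered = sorted(assignments, key=lambda a: a["priority"])
    return [(a["group"], b["group"])
            for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if PRIVILEGE[a["role"]] < PRIVILEGE[b["role"]]]

def audit(assignments, memberships):
    by_group = {a["group"]: a["role"] for a in assignments}
    roles = effective_roles(assignments, memberships)
    # Users who end up below the strongest role any of their groups carries.
    downgraded = sorted(
        u for u, r in roles.items()
        if PRIVILEGE[r] < max(PRIVILEGE[by_group[g]]
                              for g in memberships[u] if g in by_group))
    return {"roles": roles, "misordered": misordered_groups(assignments),
            "downgraded": downgraded,
            # Step 5: the Admin role must be granted to someone, or admins are locked out.
            "admin_lockout": "Admin" not in roles.values()}

# Constructed sample: the Employee group was dragged above the Admin group.
MEMBERSHIPS = {"alice": ["Vanta-Admins", "Vanta-Employees"],
               "bob": ["Vanta-Editors"], "carol": ["Vanta-Employees"]}
BAD_ORDER = [{"group": "Vanta-Employees", "priority": 1, "role": "Employee"},
             {"group": "Vanta-Admins", "priority": 2, "role": "Admin"},
             {"group": "Vanta-Editors", "priority": 3, "role": "Editor"}]
GOOD_ORDER = [{"group": "Vanta-Admins", "priority": 1, "role": "Admin"},
              {"group": "Vanta-Editors", "priority": 2, "role": "Editor"},
              {"group": "Vanta-Employees", "priority": 3, "role": "Employee"}]

if __name__ == "__main__":
    for name, order in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        print(name, audit(order, MEMBERSHIPS))
```

With the misordered list, the only member of the Admin group also belongs to the Employee group and receives Employee, so no one ends up with the Admin role.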

Step 7: Push Groups

This is only available if you created a new SCIM application instead of using the existing Vanta SSO app. If you used the Vanta SSO App, please go to Step 9.

  • Return to Okta, and go to your SCIM Application. Select the Push Groups tab in the top navigation menu. Click the Push Groups button. Select Find groups by name.

  • Locate your desired group, select it and click Save to push your group to Vanta. Repeat for all other groups.

  • Once complete, go back to the Admin Portal and click continue to move on to Step 6

Step 8: Specify Custom Attribute in WorkOS Admin Portal

  • Vanta automatically receives basic user details like name and email, so you don’t need to configure those. You will, however, need to add a custom attribute to your SCIM application in Okta. Vanta uses this attribute to determine which role to assign to each user or group.

  • You created this attribute back in step 5 of these instructions.

  • You will paste the attribute name you set in Okta in the Directory Provider Value field in Step 6 in the Admin portal

  • Select Save Custom Attributes

  • Once complete, you can then head to the Admin Portal tab and click the continue button to move on to step 7.

Step 9: Map Groups to Roles in Admin Portal (Optional)

  • WorkOS allows you to map the groups fetched from Okta to specific roles in Vanta.

  • We will skip this since a custom attribute was set up specifically for role assignments


Step 10: Test Directory Connection

  • After testing the directory connection you should see a green checkmark along with a green Active status.