Problem:
When trying to configure the CyberArk SCIM server implementation to sync users from OKTA, the integration fails with an unknown/empty error, even though the users are created in the vault.
Solution:
The CyberArk SCIM integration allows the sync of OKTA users to be used as logon accounts in CyberArk. This integration based on API calls to the SCIM server to run the user management tasks.
This takes into account that the SCIM server + OKTA integration configured and running based on the implementation guides:
CyberArk SCIM - https://cyberark-customers.force.com/mplace/s/#a3550000000EiAfAAK-a3950000000jjT7AAI
OKTA Integration - https://cyberark-customers.force.com/mplace/s/#a352J000000p63XQAQ-a392J000001h432QAA
The problem with the sync seems to be the fact that the SCIM server doesn't create the required ExternalIDs.yml file in the vault. In order to get this to work, you will need to create the yml yourself in the correct structure.
- Open the Privateark Client, login and go to the "SCIM Config" safe.
- Download the Users-InternalIDs.yml file to the desktop
- Open the file with a text editor such as Notepad++ and remove all mapping except 1, that we will set with a custom name
- Rename the file to Users-ExternalIDs.yml and upload the file back to the SCIM Config safe
- Restart the SCIM server and now all users should be synced successfully.
Note, you will get an error message after the sync in the logs saying that test doesn't exit, which is true. You can edit the file again to remove our test line while keeping all the other lines intact.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article