How to configure user provisioning with the SCIM v2 API

User provisioning allows you to synchronize user accounts between your IdP and Talentlms using the SCIM v2 API. Common usage scenarios include pushing new users to Talentlms, activating/deactivation them and updating user profiles automatically. This saves time and ensures that your users' access privileges maintained in a centralized place. Currently Talentlms support Okta's user provisioning mechanism but in the future it will support additional providers that are compatible with SCIM v2 API.

Note: Our integration with OKTA is at an acceptance stage. We anticipate that it will be live within the next couple of day.

Configuring User Provisioning with Okta

This guide provides the steps required to configure Provisioning for Talentlms, and includes the following sections:
  • Features
  • Requirements    
  • Configuration Steps
  • Known-issues and Troubleshooting Tips
Features
The following provisioning features are supported:
  • Push New Users
    New users created through OKTA will also be created in Talentlms.
  • Push Profile Updates
    Updates made to the user's profile through OKTA will be pushed to Talentlms.
  • Push User Deactivation/Activation
    Deactivating the user or disabling the user's access to the application through OKTA will deactivate the user in Talentlms. Note that deactivating a user means changing users status from active to inactive. User account is not deleted. Activation of user accounts is also supported.
  • Import New Users
    New users created in Talenlms will be downloaded and turned into new Okta users. If the Okta user already exists, the two accounts will automatically be linked. Imported users are assigned Talentlms Okta App access when they are confirmed on the Import tab. User import is not scheduled by default.
  • Push Password Updates
    Updates made to the user’s password through OKTA will be pushed to Talentlms.
Requirements
Before you configure provisioning for Talentlms, make sure that you have succesfully configured SSO with Talentlms in Account&Settings -> Users section. Click on the “Save and check your configuration” button to ensure that the SSO login is succesfull and all required user attribute/value pairs are returned from Okta. Username (TargetedId) as well as email must be unique among the Okta users.

Configuration Steps
Configure your Provisioning settings for Talenltms as follows:
  1. Check the Enable provisioning features box.
  2. API Credentials


    In Api Key, type the key found in Account&Settings -> Users -> Single Sign-On (SSO) -> Enable SCIM v2 user provisioning

  3. Scroll down and select the Provisioning Features you want to enable.
  4. Click Next
    You can now assign people to the app (if needed) and finish the application setup.
Known-issues and Troubleshooting Tips
  • If 'Time zone' and 'User type' is not defined for a specific user, then Talentlms user account will get default values. The default time zone can be defined in Account&Settings -> Basic settings -> Locale -> Default time zone. The default user type can be defined in Account&Settings -> Users -> Default user type. The respective default values for branches can be defined in branch edit page.
  • After deleting a provisioned user account in Talentlms and in order to avoid the email uniqueness warning when trying to push a new user through user provisioning, you must ensure that the deleted account is permanently deleted. Refer to the following article on how to do it: How to permanently delete a User/Course
  • Changing the username of an already assigned to the Talentlms app, user from “Edit user assignment” page will update the username of the existing Talentlms user account. However, that operation is not fully supported from Okta and thus it is strongly advised to avoid changing username for already assigned users from “Edit user assignment” page. Instead you can change the username from the user’s profile which however will affect the username on all assigned to that user apps (including Talentlms).

  • It is possible to get the following error when trying to push a user to your Talentlms domain through the SCIM v2 API: "A user with the same email address already exist". This error may be thrown under the following scenarios:
    1. there is already a Talentlms user account with that specific email referring to the same user. However, the Talentlms username is different compared to the username that Okta tries to push. In this case Talentlms will try to create a new user account since the username matching has failed resulting in this error due to email uniqueness rule among Talentlms user account. To solve this issue you just need to change username (in Okta or in Talentlms) so as both of them to be exactly the same.
    2. you have recently deleted a user in Talentlms with that specific email.  When deleting users in Talentlms they are not permanently deleted in order to be able to restore them in case of a mistake. However, email uniqueness rule still applies to all users (including temporarily deleted). To solve this issue you just need to permanently delete the user with the same email.
    Refer to the this article for more details on how to do it: How to permanently delete a User/Course

Disclaimer
This integration with Okta is currently available only to a limited number of customers.

Feedback and Knowledge Base