---
title: "How to integrate Okta to User Provisioning"
slug: "integrate-okta-user-provisioning"
updated: 2026-05-15T10:49:15Z
published: 2026-05-15T10:49:15Z
canonical: "knowledgecenter.docuware.com/integrate-okta-user-provisioning"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledgecenter.docuware.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to integrate Okta to User Provisioning

User provisioning with Okta allows you to automate user lifecycle management in DocuWare through the SCIM protocol. When you assign or remove users and groups in Okta, those changes are automatically reflected in DocuWare — no manual user creation or deactivation required.

You configure this integration in two places: the Okta Admin Console (where you create the SAML/SCIM app integration) and **DocuWare Configuration > General > User Provisioning** (where you enable SCIM and register the Okta application).

The current version of UserSync (v3) supports the following provisioning features:

- **Automatic user creation**: Users assigned to the DocuWare application in Okta are automatically created in DocuWare.
- **Attribute synchronization**: Updates to user attributes (userName, email, active status) in Okta are reflected in DocuWare.
- **User deactivation**: When users are deactivated in Okta, they are marked as disabled in DocuWare and can no longer log in.

## Configure the Okta application

This section covers creating a SAML app integration in Okta and enabling SCIM provisioning on it. The SAML sign-in method is required by Okta to unlock the provisioning tab but is not used for actual authentication.

1. Log in to your Okta organization and open the **Admin** view.
2. Go to **Applications > Applications**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(746).png)

1. Select **Create App Integration**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(747).png)

1. Choose **SAML 2.0** as the sign-in method and select **Next**. This sign-in method is not used for authentication but is required to enable SCIM provisioning.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(748).png)

1. On the **General Settings** tab, enter a name for the app (for example, "DocuWare SCIM") and select **Next**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(749).png)

1. On the **Configure SAML** tab, enter a placeholder URL in both **Single sign-on URL** and **Audience URI**. The actual values do not matter because SAML is not used. You can enter `http://www.okta.com` for both fields. Select **Next**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(750).png)

1. On the **Feedback** tab, select **This is an internal app that we have created** and select **Finish**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(751).png)

1. Open the newly created application. On the **General** tab under **App Settings**, select **Edit**. Set **Provisioning** to **SCIM** and select **Save**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(752).png)

1. Scroll down to **App Embed Link** and copy the ID segment after `/home/` from the embed link. For example, if the embed link contains `/home/trial-5967756_oktascimintegration_1/`, copy `trial-5967756_oktascimintegration_1`. You need this value when configuring DocuWare.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(753).png)

Keep the Okta configuration open and continue with the DocuWare configuration.

## Configure DocuWare user provisioning

1. Go to **DocuWare Configuration > General > User Provisioning**.
2. Enable the **Enable User Provisioning** option.
3. In the **Identity Provider** dropdown, select **Okta**.
4. In the **Application Registration** dropdown, select a previously created app registration. If none exists, select **Create Application Registration**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(694).png)

1. Enter a name for the app registration and add a redirect URL in the following format:

`https://system-admin.okta.com/admin/app/cpc/&lt;OktaAppID&gt;/oauth/callback`

Replace `&lt;OktaAppID&gt;` with the ID you copied in step 9 of the Okta configuration. For example: `https://system-admin.okta.com/admin/app/cpc/trial-5967756_oktascimintegration_1/oauth/callback`

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(695).png)

1. Select **Create**.
2. From the newly created app registration, copy the following values:
  - **Application (Client) ID**
  - **Client secret**

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(696).png)

1. Select **Save**.
2. Copy the following endpoint URLs from the User Provisioning page. You need them for the Okta provisioning configuration:
  - **SCIM connector base URL**
  - **Authorization Endpoint**
  - **Access token endpoint URI**

## Complete the Okta provisioning configuration

1. Return to the Okta application. On the **Provisioning** tab, go to **Integration** and select **Edit**. Enter the following values:
  - **SCIM connector base URL**: Paste the SCIM connector base URL from DocuWare.
  - **Unique identifier field for users**: Enter "userName".
  - **Supported provisioning actions**: Select **Import New Users and Profile Updates**, **Push New Users**, **Push Profile Updates**, and **Push Groups**.
  - **Authentication Mode**: Select **OAuth 2**.
  - **Authorization endpoint URI**: Paste the authorization endpoint from DocuWare.
  - **Access token endpoint URI**: Paste the access token endpoint URI from DocuWare.
  - **Client ID**: Paste the **Application (Client) ID** from DocuWare.
  - **Client Secret**: Paste the client secret from DocuWare.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(754).png)

1. Select **Save**. Then return to the **Integration** tab and select the authentication button at the bottom of the page to generate a token. Enter your DocuWare admin credentials when prompted. A confirmation message appears when the token is generated successfully.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(755).png)

1. A new **To App** section appears under the **Provisioning** tab. Under **Provisioning to App**, select **Edit** and enable **Create Users**, **Update User Attributes**, and **Deactivate Users**. Select **Save**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(756).png)

1. Scroll down to **Attribute Mappings** and select **Go to Profile Editor**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(757).png)

1. In the **Profile Editor**, select **Mappings**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(758).png)

1. Configure the following user profile mappings. Set all other mappings to **Do not map**:

After removing all unnecessary mappings, select **Save Mappings**.
  - appuser.givenName → firstName
  - appuser.familyName → lastName
  - appuser.email → email

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(759).png)

1. Switch to the **Okta User to App** tab and repeat the same mapping cleanup.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(760).png)

1. Delete all remaining attributes from the Profile Editor except **Username**, **Given name**, **Family name**, and **Primary email**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(761).png)

The provisioning configuration is now complete.

## Provision users

To provision individual users:

1. Open the Okta application and go to the **Assignments** tab.
2. Select **Assign > Assign to People** and assign the users you want to provision.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(762).png)

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(763).png)

1. Verify that the provisioned users appear in **DocuWare Configuration > User Management**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(764).png)

## Provision groups and their members

To provision an entire group including its members:

1. Open the Okta application and go to the **Assignments** tab.
2. Select **Assign > Assign to Groups** and assign the group you want to provision. All members of the group are automatically included.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(765).png)

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(766).png)

1. Go to the **Push Groups** tab. Select **Push Groups > Find groups by name**, enter the group name, keep **Push group membership immediately** selected, and choose **Create Group**.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image(767).png)

1. Verify the group and its members in DocuWare.

![](https://cdn.document360.io/0108e24e-b3e8-446c-b670-66b1d2a9e861/Images/Documentation/image-YVROC2G9.png)

## How group provisioning works

Understanding the group synchronization behavior helps you predict what happens when groups are created, renamed, or updated in Okta.

- **Group matching**: The system searches for an existing DocuWare group by display name. If a match is found, the group is updated. Otherwise, a new group is created.
- **Member retention**: When an existing group is updated, new members are added while existing members remain. Duplicate members are automatically prevented.
- **ID-based mapping after first sync**: After the initial synchronization, groups are mapped by their internal ID rather than their display name. If you rename a group in Okta, the renamed group is matched to the existing DocuWare group by ID and the name is updated accordingly. Existing members are not removed.

## Supported versions: DocuWare Cloud