ENTERPRISE

Integrating SCIM using Okta

Last updated: July 3, 2023
Read time: 4 Minutes

In this section, we'll guide you through the process of integrating SCIM with Burp Suite Enterprise Edition using Okta as your identity provider (IdP).

Prerequisites

Your users and groups are set up in Okta.
You have already created a custom app integration for Burp Suite Enterprise Edition in Okta and completed the SAML configuration.

If you want to integrate SCIM without setting up SAML, use Okta's pre-built SCIM 2.0 Test App (Header Auth) app integration from the app catalog instead. Note that in this case, some of the steps described here may vary.

Integrating SCIM using Okta involves the following steps:

Set a port for the SCIM URL and generate an API token.
Upload a TLS certificate.
Configure the connection in Okta.
Push your Okta users and groups to Burp Suite Enterprise Edition.

Set a port for the SCIM URL and generate an API token

You need to set a dedicated port for the SCIM URL that Okta uses to communicate with Burp Suite Enterprise Edition. The base URL takes the following format:

https://<host>:<port>/scim/v2

The host is usually the same domain name or IP address as in the Burp Suite Enterprise Edition web server URL. However, this may differ depending on your network infrastructure.

Log in to Burp Suite Enterprise Edition as an administrator.
From the settings menu , select Integrations.
On the SCIM tile, click Configure.
Under Configure SCIM, enter the port that you want to use for the SCIM URL. To enable you to configure separate firewall rules for this connection, use a different port than the web server URL.
Click Save & generate API token.
When prompted, copy and save the new API token somewhere secure.

Note

Okta needs the API token to authenticate itself to Burp Suite Enterprise Edition when it sends requests to the SCIM URL. If you lose your API token, you can generate a new one by clicking Regenerate API token in the upper-right corner of the SCIM settings page.

Upload a TLS certificate

Okta only supports SCIM over HTTPS. This means that you need to enable TLS by uploading a PKCS#12 certificate. Make sure that the certificate has the .p12 file extension. Certificates in .psx format are not supported.

To upload a TLS certificate:

In Burp Suite Enterprise Edition, navigate to the SCIM integration settings.
In Configure SCIM, activate Use TLS.
Click Upload certificate.
When prompted, click Choose file and select the certificate.
Enter the certificate password.
Click Save.

Configure the connection in Okta

Once you've set a SCIM URL and generated an API token in Burp Suite Enterprise Edition, configure the connection from Okta as follows:

Enable SCIM provisioning

Log in to Okta.
Go to Applications and select the app integration that you created for Burp Suite Enterprise Edition.
Go to the General tab.
In the App Settings section, click Edit.
Under Provisioning, select the Enable SCIM provisioning checkbox.
Save your changes.

Enter the connection details

In Okta, select the app integration that you created for Burp Suite Enterprise Edition.
Go to the Provisioning tab.
From the Settings menu on the left, select Integration.
In the SCIM Connection panel, click Edit.
In the SCIM connector base URL field, enter your SCIM URL in the following format:
https://<host>:<port>/scim/v2

Note

The host is usually the same domain name or IP address as in the Burp Suite Enterprise Edition web server URL, but this may differ depending on your network infrastructure. The port is the one that you configured manually in the Burp Suite Enterprise Edition SCIM settings.
In the Unique identifier field for users field, enter userName.
Under Supported provisioning actions, select only the following options:
- Push New Users.
- Push Profile Updates.
- Push Groups.
Under Authentication mode, select HTTP header.
In the Authorization field, enter the API token that you copied from Burp Suite Enterprise Edition.
To confirm that the connection is working correctly, click Test Connector Configuration.
Save your changes.

Configure the provisioning to app settings

In Okta, select the app integration that you created for Burp Suite Enterprise Edition.
Go to the Provisioning tab.
From the Settings menu on the left, select To App.
In the Provisioning To App section, click Edit.
Use the checkboxes to enable the following settings:
- Create Users.
- Update User Attributes.
- Deactivate Users.
If you're not using SAML, enable and configure the Sync Password setting.
Save your changes.

Push your Okta users and groups to Burp Suite Enterprise Edition

To push your users and groups to Burp Suite Enterprise Edition, do the following steps.

To push users:

In Okta, select the app integration that you created for Burp Suite Enterprise Edition.
Go to the Assignments tab.
Decide how to assign your users:
- To assign individual users, click Assign > Assign to People.
- To assign all users from a particular group to the application, click Assign > Assign to Groups.

Warning

Assigning groups to the app integration pushes all users belonging to that group to Burp Suite Enterprise Edition. However, it does not push the actual group. To avoid synchronization issues, we recommend that you create a separate group in Okta which you only use to bulk-assign users to Burp Suite Enterprise Edition.

To push groups:

Warning

Do not push the group you created for bulk-assigning users to Burp Suite Enterprise Edition.

In Okta, select the app integration that you created for Burp Suite Enterprise Edition.
Go to the Push Groups tab.
Click Push Groups > Find Group By Name and select the relevant group.

You may need to wait a short while for the users or groups to become available in Burp Suite Enterprise Edition. Any changes you make in Okta sync automatically. Note that users do not have access to any functionality unless you assign them to a group with the relevant roles in Burp Suite Enterprise Edition.