Skip to main content

Okta SCIM provisioning


This is a Kisi-built integration, maintained and supported by Kisi.

Before you start, make sure you have SSO set up for your organization. Then just follow the next steps to generate a SCIM token and add the Kisi Physical Security app in Okta.

Generate your SCIM token in Kisi

  1. Sign in to Kisi as the organization owner
  2. Under Settings click on SSO & SCIM
  3. Enable SCIM and click on Generate Token
  4. Copy the token (shown once)

Set up SCIM with Okta


Okta's SCIM implementation doesn't allow deleting of users in other applications and thus users that are removed in Okta are not removed in Kisi. We recommend doing regular audits and clean up of suspended users.

  1. Sign in to Okta and ensure you are using the classic UI interface (top-left corner)
  2. Click on Admin, select Applications, and select your Kisi Physical Security app from the list
  3. Navigate to the Provisioning tab, and click Configure API Integration
  4. Click on the Enable API Integration checkbox and enter your SCIM token (without the leading Bearer if present)
  5. Click Test API Credentials
  6. Once a success message is displayed above the Enable API Integration checkbox, click Save
  7. Navigate to the Provisioning tab, and under Settings select To App
  8. Click Edit and enable Create Users, Update User Attributes and Deactivate Users
  9. Click Save

As a last step, you need to assign users under Push Groups.

Push Okta Groups to Kisi

  1. In the Kisi Physical Security SAML app in Okta, click on Push Groups
  2. Select Find Groups by name
  3. Search for the Okta group you want to push to Kisi
  4. Under Match result & push action choose to either Create Group or Link Group

Restrict Kisi emails for managed users

If you are a Kisi partner and you manage users yourself, you may not want them to receive emails from Kisi. You can restrict this by using the sendEmails custom attribute. This attribute can only be set when the user is created in Kisi, and cannot be updated later.


Please note that the sendEmails attribute should only be used for managed users. Setting it to false will disable all Kisi emails, including the emails that are required for creating password and signing in.

  1. In the Kisi Physical Security SAML app in Okta, click on Provisioning
  2. Click Go to Profile Editor
  3. Click Add Attribute
  4. Select Data type boolean
  5. Fill in the form as follows:
    • Display name: Send Kisi emails (or what makes sense for you)
    • Variable name: sendEmails
    • External name: sendEmails
    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    • Scope: Check the box next to User personal
  6. Click Save

Now, when you assign a user to your Kisi Physical Security app in Okta, you can select whether or not they should receive emails. If you always want the same value for all of your users, follow the steps below.

  1. In the Kisi Physical Security SAML app in Okta, click on Provisioning
  2. If the sendEmails attribute is not already shown in the list, scroll down and click on Show Unmapped Attributes
  3. Click on the pencil icon for the sendEmails attribute
  4. Select Same value for all users in the Attribute value dropdown
  5. Select the value you want applied to all users in the second dropdown
  6. Make sure Apply on is set to Create
  7. Click Save