Features
Torii supports the following features:
- Create Users
- Update User Attributes
- Deactivate Users
Generate Torii SCIM key
- From the Settings page >> Security, enable the SCIM toggle.
- Go to the API Access tab. From here, you can view and manage the Torii API and SCIM keys.
- Click on Generate API Key to generate a new SCIM key.
- Choose type: Torii SCIM.
- Set an Expiration date: For security purposes, we recommend setting an expiration date when generating a new key.
  - The key will become invalid on the chosen expiration date.
  - Torii will send an email reminder a month before the expiration date reminding you to generate a new key.
- Add a Description.
- Copy the key at this point. After this step, the full key will become unavailable.
- Click Got it.
- The new key has been added; read about key rotation to learn about replacing the SCIM key once it expires.
________________________________________________________________________________________
Okta configuration
- In Okta, go to Applications >> Browse App Catalog
- Search & select Torii
- Click on Add Integration
- Click on Done
- Click on Configure API Integration
- Check the Enable API Integrations box, enter the token and click on Save.
- Configure the "User type": go to the Provisioning tab, scroll down to User type and click on Edit.
- Select the user type, either the Okta default or a custom field.
- Scroll back up to configure the provisioning and click on the Edit button.
- Check the "Create Users", "Update User Attributes" and "Deactivate Users" options and click Save.
- Go to Sign on, and click on Edit.
- Select "Email" in the Application username format and click Save.
- Enter the Organization ID and click Save.
API/SCIM Key Rotation
Token expiration cannot be changed after its creation.
The recommended way to rotate the key is to:
- Generate a new API / SCIM key
- Find and replace the old key with the new key in your system
- Delete the old API / SCIM key
Troubleshooting & Tips
- userName (email) cannot be updated.
- Users with the Employee role don’t appear on the Members page.
- If userType is not sent in the request, the user will get the Employee role as the default.
- userType must be a valid role name. You can use pre-defined or custom roles.
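The rules above can be checked before a request is sent, as in this added example (not Torii's or Okta's code). It assumes a locally maintained set of role names: "Employee" comes from this page, "IT Admin" is a constructed placeholder, and the function names are hypothetical.

```python
import re

# Assumption: role names configured in your Torii tenant. "Employee" is the
# default named on this page; "IT Admin" is a constructed placeholder.
VALID_ROLES = {"Employee", "IT Admin"}
DEFAULT_ROLE = "Employee"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_create(user):
    """Return (effective_role, problems) for a SCIM User create body."""
    problems = []
    if not EMAIL_RE.match(user.get("userName", "")):
        problems.append("userName must be an email address")
    # A missing userType is not an error: the user gets the Employee role,
    # so surface the effective role to make that default a deliberate choice.
    role = user.get("userType") or DEFAULT_ROLE
    if role not in VALID_ROLES:
        problems.append(f"userType {role!r} is not a known role name")
    return role, problems


def check_update(current, desired):
    """Return problems for changing an existing user to `desired`."""
    problems = []
    if "userName" in desired and desired["userName"] != current["userName"]:
        problems.append("userName (email) cannot be updated")
    if "userType" in desired and desired["userType"] not in VALID_ROLES:
        problems.append(f"userType {desired['userType']!r} is not a known role name")
    return problems


if __name__ == "__main__":
    # Constructed sample payloads using the RFC 7643 core User schema.
    schema = ["urn:ietf:params:scim:schemas:core:2.0:User"]
    ok = {"schemas": schema, "userName": "ana@example.com", "active": True}
    bad = {"schemas": schema, "userName": "ana", "userType": "Superuser"}
    print(check_create(ok))
    print(check_create(bad))
    print(check_update(ok, {"userName": "ana.new@example.com"}))
```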