Torii's SCIM Setup with Okta

Noga Tubi


Torii supports the following SCIM features:

  • Create Users
  • Update User Attributes
  • Deactivate Users

Generate a Torii SCIM key

  1. From the Settings page >> Security, enable the SCIM toggle.
  2. Go to the API Access tab. From here, you can view and manage the Torii API keys and SCIM keys.
  3. Click on Generate API Key to generate a new SCIM key.

  4. Choose type: Torii SCIM.
  5. Set an Expiration date: For security purposes, we recommend setting an expiration date when generating a new key.

    - The key will become invalid on the chosen expiration date.
    - Torii will send an email reminder a month before the expiration date reminding you to generate a new key.

  6. Add a Description.
  7. Copy the key at this point. After this step, the full key will become unavailable.
  8. Click Got it.
  9. The new key has been added; see API/SCIM Key Rotation below to learn about replacing the SCIM key once it expires.


Okta configuration

  1. In Okta, go to Applications >> Browse App Catalog
  2. Search & select Torii
  3. Click on Add Integration
  4. Click on Done
  5. Click on Configure API Integration
  6. Check the Enable API Integrations box, enter the token (the Torii SCIM key) and click on Save.
  7. Configure the user type: go to the Provisioning tab, scroll down to User type and click on Edit.
  8. Select the user type, either the Okta default or a custom field.
  9. Scroll back up to configure the provisioning and click on the Edit button.
  10. Check the "Create Users", "Update User Attributes" and "Deactivate Users" boxes and click Save.
  11. Go to Sign on, and click on Edit.
  12. Select "Email" in the Application username format and click Save.
  13. Enter the Organization ID and click Save.

API/SCIM Key Rotation

A token's expiration date cannot be changed after the token is created.

The recommended way to rotate the key is to:

    • Generate a new API / SCIM key
    • Find the old key in your system and replace it with the new key
    • Delete the old API / SCIM key

Troubleshooting & Tips

  • userName (email) cannot be updated.
  • Users with the Employee role don’t appear on the Members page.
  • If userType is not sent in the request, the user will get the Employee role as the default.
  • userType must be a valid role name. You can use pre-defined or custom roles.
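
The rules above can be checked against a user's SCIM attributes before Okta pushes them, so that a missing or mistyped userType does not silently change the role a user receives. The following is an added example, not Torii's or Okta's code; the role names other than Employee, the function names and the sample users are assumptions.

```python
import re

# Assumption: role names defined in the Torii tenant. Only "Employee" appears
# on this page; the other two are constructed placeholders.
VALID_ROLES = {"Employee", "Admin", "IT Manager"}
DEFAULT_ROLE = "Employee"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def effective_role(user):
    """Role a user ends up with: userType when sent, otherwise the default."""
    return user.get("userType") or DEFAULT_ROLE


def check_create(user):
    """Return (level, message) findings for a SCIM User about to be created."""
    findings = []
    if not EMAIL_RE.match(user.get("userName") or ""):
        findings.append(("error", "userName is not an email address"))
    role = user.get("userType")
    if not role:
        findings.append(("warn", f"userType not sent, role defaults to {DEFAULT_ROLE}"))
    elif role not in VALID_ROLES:
        findings.append(("error", f"userType {role!r} is not a valid role name"))
    return findings


def check_update(current, desired):
    """Findings for an update; userName (email) cannot be changed."""
    findings = []
    if current.get("userName") != desired.get("userName"):
        findings.append(("error", "userName (email) cannot be updated"))
    old, new = effective_role(current), effective_role(desired)
    if new not in VALID_ROLES:
        findings.append(("error", f"userType {new!r} is not a valid role name"))
    elif old != new:
        findings.append(("warn", f"role changes from {old} to {new}, review before push"))
    return findings


# Constructed sample resources using RFC 7643 core User attributes.
NEW_USER = {"userName": "dana@example.com", "active": True}
BAD_ROLE = {"userName": "lee@example.com", "userType": "Superuser"}
RENAMED = {"userName": "dana.k@example.com", "userType": "Admin"}

if __name__ == "__main__":
    for name, result in [("create", check_create(NEW_USER)),
                         ("create", check_create(BAD_ROLE)),
                         ("update", check_update(NEW_USER, RENAMED))]:
        print(name, result)
```

Replace VALID_ROLES with the pre-defined and custom role names that exist in your own Torii account before relying on the results.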
