Plans supporting this feature: Enterprise
SCIM integration with Okta allows administrators to manage Document360 users and groups directly from Okta in an automated and centrally controlled manner.
When a new user is added in Okta, their Document360 account is provisioned automatically. Any updates to their role or group membership are synced in real time, and when a user is deactivated or removed in Okta, the same is reflected in Document360 without any manual intervention. This eliminates the need for separate account management in Document360 and ensures that user data remains accurate and up to date across both platforms.
Managing Document360 using Okta
Assign User attribute mapping
In the Okta Admin Console, expand the Applications dropdown and select Applications.
Select the application you want to configure and navigate to the Provisioning tab.
Scroll down to Attribute Mappings and click Go to Profile Editor.
Under the Attributes section, click Add Attribute and fill in the details as specified in the table below.
| Add Attribute | Value |
|---|---|
| Data type | boolean |
| Display name | User |
| Variable name | isUser |
| External name | isUser |
| External namespace | urn:ietf:params:scim:schemas:extension:document360:2.0:User |
Once done, click Save.

Provision Okta to Document360
To link user creation, updates, and deactivation in Okta with Document360:
In the left navigation bar, expand the Applications dropdown and click Applications.
Select your SCIM application and navigate to the Provisioning tab.
Click Edit under Provisioning to App and select the following checkboxes:
Create Users
Update User Attributes
Deactivate Users

Create a Reader
To add a new reader in Document360 using Okta with SCIM, follow the steps below.
In the Okta Admin Console, expand the Directory dropdown and select People.
On the People page, click Add Person, fill in the required reader details, and click Save. This confirms that the reader has been successfully added to the Identity Provider (Okta).
To integrate the user with Document360, select the newly created reader and click Assign Applications.
In the Assign Application dialog, select the project you want to assign the reader to, then click Assign > Save and Go Back > Done.
NOTE
If the isUser attribute is left unset, it defaults to undefined. The person will be assigned the Reader role by default.
The newly created reader will be automatically synced with Document360. To verify this, go to Document360 and navigate to Settings > Users & permissions > Readers & groups.

The reader will be added with the default content access that was applied during SSO setup.
Create a User
In the Okta Admin Console, expand the Directory dropdown and select People.
Click Add Person, fill in the required user details, and click Save.
Select the newly created user and click Assign Applications to link them to an application.
Choose the application you want to assign, which will redirect you to the application details page.
Scroll down to the isUser attribute and select True from the dropdown.
NOTE
If the isUser attribute is left unset, it defaults to undefined. The person will be assigned the Reader role by default.

To verify, go to Document360 and navigate to Settings > Users & permissions > Users & groups. The newly created user should appear in the list.
NOTE
The number of users that can be added to Document360 via Okta is limited based on the subscription plan.
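The isUser rule from the notes above, as an added example that is not Document360 or Okta code: it builds SCIM User resources carrying the extension namespace from the attribute-mapping table, resolves the role, and lists accounts provisioned as User that are not on an approved list. The helper names, the sample accounts, and the treatment of an explicit false as Reader are assumptions.

```python
import json

# Extension namespace and attribute name come from the attribute-mapping table.
D360_EXT = "urn:ietf:params:scim:schemas:extension:document360:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM 2.0 core schema (RFC 7643)


def resolve_role(scim_user):
    """Apply the page's rule: isUser true -> User, unset -> Reader."""
    value = (scim_user.get(D360_EXT) or {}).get("isUser")
    if value is None:
        return "Reader"  # unset: the person gets the Reader role
    if not isinstance(value, bool):
        # The attribute is typed boolean; the string "false" is truthy in
        # Python, so a loose check would silently grant the User role.
        raise ValueError(f"isUser must be a boolean, got {value!r}")
    # Assumption: an explicit false is treated like unset.
    return "User" if value else "Reader"


def unexpected_users(payloads, approved):
    """userNames provisioned with the User role that are not on the approved list."""
    return sorted(p["userName"] for p in payloads
                  if resolve_role(p) == "User" and p["userName"] not in approved)


def make_user(user_name, is_user=None):
    """Build a constructed SCIM User resource; is_user=None leaves isUser unset."""
    user = {"schemas": [CORE], "userName": user_name, "active": True}
    if is_user is not None:
        user["schemas"].append(D360_EXT)
        user[D360_EXT] = {"isUser": is_user}
    return user


# Constructed sample payloads (not captured traffic).
SAMPLE = [
    make_user("editor@example.com", True),
    make_user("reader@example.com"),
    make_user("contractor@example.com", True),
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE[0], indent=2))
    for p in SAMPLE:
        print(p["userName"], "->", resolve_role(p))
    print("review:", unexpected_users(SAMPLE, approved={"editor@example.com"}))
```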
Create group in Okta
To create a group in Okta:
In the Okta Admin Console, expand the Directory dropdown and select Groups.
Click Add Group, enter the desired group name, and click Save.
Assign application to group
To assign the group to an application:
Expand the Applications dropdown and select Applications.
Select the desired application, navigate to the Assignments tab, and click Assign > Assign to Groups.
Click Assign next to the created group, then click Save to complete the assignment.

Push groups
Unlike users, groups are not automatically synced to Document360 and must be pushed manually. To do that:
After assigning the group to the application, navigate to the Push Groups tab and click Push Groups.
Select Find groups by name and enter the group name.
Select the group from the results and click Save to successfully push the group to Document360.

To verify, navigate to Document360 > Settings > Users & permissions > Readers & groups > Reader groups.

The newly created reader group should appear in your portal.
Add User/Reader to Group
Once you have created a group, follow the steps below to add readers to the group.
In the Okta Admin Console, expand the Directory dropdown and select People.
Navigate to the Groups tab, search for the group you want to add the user/reader to in the Groups field, and select it.

The user/reader will be successfully added to the selected group.
To confirm, navigate to Document360 and select the relevant user/reader group. The added reader should appear within the group.

NOTE
If a group contains both users and readers, it will appear under both the user groups and reader groups in Document360.
Managing Users, Readers and Groups in Document360
When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through Okta to keep both platforms in sync. You can only manage the content access from Document360.

The SSO-SCIM badge depicts whether the user has SCIM enabled or not.
Manage content access of Readers, Users and Groups
The default content role assigned to any new user, reader, or group is based on what was configured during SCIM provisioning setup. Permissions will be set to None by default but can be updated at any time.
To manage content access, select the desired reader and click Manage Content Access.
Choose the desired access level from the dropdown and click Update.

Deactivate Users/Readers
To deactivate users or readers from Okta:
Expand the Directory dropdown and select People.
Select the user you want to deactivate to navigate to its user profile.
Click More Actions and select Deactivate.
The user will be deactivated successfully. Once deactivated, the user’s status in Document360 will change from Active to Inactive.

NOTE
Deactivating a user in Okta does not remove their profile from Document360. The user will be marked as inactive and will lose the ability to sign in to Okta and access their applications. You can reactivate the account at any time, though the user will be required to reset their password upon reactivation.
Delete user/reader
To permanently remove a user/reader profile from Okta:
In Okta, click Delete in the user/reader profile.
In the confirmation dialog that appears, click Delete.
The profile will be permanently deleted from Okta.
NOTE
Deleting a profile in Okta does not remove it from Document360; the profile will remain with an Inactive status.
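Because deactivated and deleted Okta accounts remain in Document360 as Inactive profiles, a periodic reconciliation confirms that offboarding took effect. The following is an added example, not Document360 or Okta code: the record layout (`email`, `status`, `scim`) and the sample accounts are constructed, with `scim` standing in for the SSO-SCIM badge and `DEPROVISIONED` being the Okta status of a deactivated user.

```python
def _norm(email):
    """Compare addresses case-insensitively."""
    return email.strip().lower()


def reconcile(okta_users, d360_profiles):
    """Compare IdP state with Document360 profile status.

    stale_active:  SCIM-managed profiles still Active although the Okta account
                   is deactivated (DEPROVISIONED) or no longer exists.
    left_inactive: Inactive profiles whose Okta account was deleted; they stay
                   in Document360 and need a retention decision.
    """
    okta = {_norm(u["email"]): u["status"] for u in okta_users}
    stale_active, left_inactive = [], []
    for p in d360_profiles:
        if not p["scim"]:
            continue  # locally managed account, outside the SCIM lifecycle
        email = _norm(p["email"])
        okta_status = okta.get(email)  # None means deleted in Okta
        gone = okta_status is None or okta_status == "DEPROVISIONED"
        if p["status"] == "Active" and gone:
            stale_active.append(email)
        elif p["status"] == "Inactive" and okta_status is None:
            left_inactive.append(email)
    return {"stale_active": sorted(stale_active),
            "left_inactive": sorted(left_inactive)}


# Constructed sample data (hypothetical layout, not a real export format).
OKTA = [
    {"email": "alice@example.com", "status": "ACTIVE"},
    {"email": "bob@example.com", "status": "DEPROVISIONED"},
    {"email": "dave@example.com", "status": "DEPROVISIONED"},
]  # carol@example.com was deleted in Okta, so she is absent here
D360 = [
    {"email": "alice@example.com", "status": "Active", "scim": True},
    {"email": "bob@example.com", "status": "Inactive", "scim": True},
    {"email": "carol@example.com", "status": "Inactive", "scim": True},
    {"email": "Dave@Example.com", "status": "Active", "scim": True},
    {"email": "owner@example.com", "status": "Active", "scim": False},
]

if __name__ == "__main__":
    print(reconcile(OKTA, D360))
```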
Inherit from another application
When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.
Child Inherited SSO configuration
On the Configure Identity Provider (IdP) page, select the Configure an existing connection field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

NOTE
Once the SSO configuration is created, the SCIM provisioning settings will be inherited from the parent application and cannot be modified in the child application.

Parent Inherited SSO Configuration
The parent application will display a list of all projects that have inherited its configuration. Any changes made to the parent application will automatically be reflected in the child application.

If SCIM is enabled in the parent project after child projects have already inherited it, the users and groups will be automatically provisioned to all child projects in the background.
Enabling inheritance makes it easier to manage multiple SSO configurations with SCIM enabled, as all settings are controlled from one parent application. This saves time and reduces the effort required to manage each configuration individually.
Troubleshooting
Sync failed due to a SCIM server error.
When adding new users from Okta, this error indicates that one or more users could not be synced to Document360. This may be caused by:
Duplicate user provisioning
User limit reached based on your current subscription plan
Other validation or processing errors.
Click View details to see which users failed to sync.
