---
title: Automating user management (IdP)
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/account-info/automating-user-management-idp
---

> **IMPORTANT:**
>
> This guide only applies to Next-Gen WAF customers with access to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
>
> If you manage accounts through the Fastly control panel, check out our [alternative user management automation](https://www.fastly.com/documentation/guides/account-info/user-and-account-management/automating-user-management/) instructions instead.

This guide describes how to automate the management of your account users when Okta serves as your identity provider (IdP).

An IdP like Okta centralizes user identity management by storing and controlling digital identities. This includes:

- maintaining user attributes such as usernames, roles, and authentication credentials
- verifying identities through authentication methods like passwords, multi-factor authentication (MFA), or single sign-on (SSO)
- enforcing access policies based on roles and permissions

Integrating Okta with your account enables you to automate user lifecycle management, allowing the IdP to handle account creation, updates, and deactivation while supporting security policies and compliance requirements. Provisioning users through Okta also ensures that [access and permission levels](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/using-user-roles-and-permissions/) remain synchronized with your sites (also known as workspaces), automatically reflecting changes made in the IdP.

> **NOTE:** Okta uses the System for Cross-domain Identity Management (SCIM) protocol, an industry-standard specification, to automate the provisioning and synchronization of user accounts across integrated applications and directories. [Learn more about SCIM](https://developer.okta.com/docs/concepts/scim/) in Okta's developer documentation.

## Limitations and considerations

When using Okta as your IdP, keep the following things in mind:

- A user that is provisioned by Okta can only be modified or deleted inside of Okta.
- The Next-Gen WAF only accepts email addresses written entirely in lowercase. Email addresses containing uppercase letters will result in erroneous behavior.
- If an existing user has the same email address as a user being provisioned within Okta, the accounts will be consolidated. Users won’t have to be re-provisioned upon setup, but the new group assignments will override the existing role and permissions.

## Prerequisites

Before configuring the IdP, complete the following prerequisites:

- In Okta, [create an integration with Next-Gen WAF](https://www.okta.com/integrations/signal-sciences/) if you do not already have one. Follow the instructions listed in the Okta application, which provides specific configuration information.
- In your Next-Gen WAF account, [enable single sign-on](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/setting-up-single-sign-on-sso/) to use Okta as your SSO provider.
- Using our API, [create an API Access Token in the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf/) and store it in a secure location for use later in this guide.

## Configuring and enabling the IdP

To configure automated user management through Okta, follow these steps.

### Enter configuration information

On the **Provisioning** tab of the Signal Sciences Okta application, enable provisioning by entering the following information:

- **SCIM connector base URL:** Enter `https://dashboard.signalsciences.net/api/v0/corps/<corpname>/scim/v2` where `<corpname>` is the “name” of your Corp.
  - Your `<corpname>` is present in the address of your Next-Gen WAF control panel, such as `https://dashboard.signalsciences.net/corps/<corpname>/overview`.
  - Your `<corpname>` can also be retrieved from the [List Corps API endpoint](https://www.fastly.com/documentation/signalsciences/api/#_corps_get).
- **Unique identifier field for users:** Select **Email**.
- **Supported provisioning actions:** Select **Push New Users** and **Push Profile Updates**.
- **Authentication Mode:** Select **HTTP Header**.
- **Authorization:** Generate a Bearer Token from the API Access Token you generated earlier. The Bearer Token is created by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated.

  - An example command for creating a **Bearer Token** in bash:

    ```term copy
    $ echo -n "user@example.com:c9e4bbc5-a5c4-19d3-b31f-691d8b2139fe" | base64
    ```

  - An example command for creating a **Bearer Token** in JavaScript:

    ```js
    // Replace the placeholders with your Next-Gen WAF user email and API Access Token.
    const bearerToken = btoa("<signal_sciences_email>:<signal_sciences_access_token>");
    // For "andy@examplecorp.com:exampletoken", bearerToken is
    // "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"
    ```
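The following is an added example, not Fastly's or Okta's own code, that derives the values the **Provisioning** tab asks for from a corp name, a user email, and an API Access Token. It builds the SCIM connector base URL and the base64 Bearer Token described above, refuses mixed-case email addresses (the lowercase-only limitation noted earlier in this guide), and can decode a token back to its parts so you can confirm what was pasted into Okta. It assumes Node.js (`Buffer` for base64); the corp name, email and token in the sample call are made up.

```javascript
// Added example (not Fastly's or Okta's code): derive the Okta SCIM connector
// settings for a Next-Gen WAF corp from the values the guide describes.
// Assumes Node.js; Buffer is used for base64 (btoa would also work in a browser).

const SCIM_BASE = "https://dashboard.signalsciences.net/api/v0/corps";

// The guide states the Next-Gen WAF only accepts lowercase email addresses;
// fail early rather than let Okta push a mixed-case address that misbehaves.
function assertLowercaseEmail(email) {
  if (typeof email !== "string" || !email.includes("@")) {
    throw new Error(`not an email address: ${email}`);
  }
  if (email !== email.toLowerCase()) {
    throw new Error(`email must be lowercase for Next-Gen WAF: ${email}`);
  }
  return email;
}

// Bearer token = base64("<email>:<API Access Token>"), as the guide describes.
function buildBearerToken(email, apiAccessToken) {
  assertLowercaseEmail(email);
  if (!apiAccessToken) throw new Error("API Access Token is required");
  return Buffer.from(`${email}:${apiAccessToken}`, "utf8").toString("base64");
}

// Decode a token back to its parts to check what was pasted into Okta.
function decodeBearerToken(token) {
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const idx = decoded.indexOf(":");
  if (idx < 0) throw new Error("token does not decode to email:access-token");
  return { email: decoded.slice(0, idx), apiAccessToken: decoded.slice(idx + 1) };
}

// SCIM connector base URL for the corp, following the pattern in the guide.
// Assumption: a corp name never contains "/" or whitespace.
function scimBaseUrl(corpName) {
  if (typeof corpName !== "string" || corpName === "" || /[\s/]/.test(corpName)) {
    throw new Error(`unexpected corp name: ${JSON.stringify(corpName)}`);
  }
  return `${SCIM_BASE}/${corpName}/scim/v2`;
}

// Everything the Provisioning tab asks for, ready to copy. The bearerToken is
// what you paste; authorizationHeader is the header form the requests carry.
function provisioningSettings(corpName, email, apiAccessToken) {
  const token = buildBearerToken(email, apiAccessToken);
  return {
    scimBaseUrl: scimBaseUrl(corpName),
    uniqueIdentifierField: "Email",
    supportedProvisioningActions: ["Push New Users", "Push Profile Updates"],
    authenticationMode: "HTTP Header",
    bearerToken: token,
    authorizationHeader: `Bearer ${token}`,
  };
}

// Constructed sample values (corp name, email and token are made up).
console.log(provisioningSettings("examplecorp", "andy@examplecorp.com", "exampletoken"));
```

Because the Bearer Token is only a base64 encoding of your email and API Access Token, anyone who can read the Okta provisioning settings can recover the token with `decodeBearerToken`; treat the Okta application configuration with the same care as the API Access Token itself.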

### Test configuration

Confirm the connection works by clicking **Test Connector Configuration**. If everything is configured correctly, you will see "Signal Sciences was verified successfully!".

Click **Save** to save this configuration and proceed.

### Enable provisioning features

After the settings are saved, select **Enable** for the following under **Provisioning to App**:

- Create Users
- Update User Attributes
- Deactivate Users

Click **Save** to save these settings and proceed.

After enabling provisioning, you may see a message that unmapped attributes exist on the application. This will not prevent provisioning; however, if you wish to map Next-Gen WAF attributes to your base Okta user profile, you may do so by mapping the following attributes:

- `userType` should be mapped onto a string attribute that will represent the user's `role`. The value of this must be a valid `role`: `owner`, `admin`, `user`, or `observer`.
- `entitlements` should be mapped onto a string array attribute that will represent the user's `sites`. This should be set to a string array representing the shortnames of sites (workspaces) the user should have access to, such as `www.example.com`.
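As an added example (not Fastly's or Okta's code), the block below checks a user's mapped attributes against the constraints listed above before Okta pushes them: `userType` must be one of the four valid roles and `entitlements` must be a string array of site shortnames. It also previews what consolidating with an existing Next-Gen WAF user would change, since the guide notes that a matching email address causes the Okta assignment to override the existing role and permissions. The profile and user object shapes, the role ordering used to flag a privilege increase, and the sample data are assumptions made for illustration, not the SCIM wire format.

```javascript
// Added example (not Fastly's or Okta's code): validate mapped attributes and
// preview a consolidation. Object shapes below are assumed for illustration.

const VALID_ROLES = ["owner", "admin", "user", "observer"];

// Site (workspace) shortnames are assumed to be hostname-like slugs such as "www.example.com".
function isShortname(s) {
  return typeof s === "string" && /^[a-z0-9][a-z0-9.-]*$/.test(s);
}

// Returns a list of problems; an empty list means the attributes are usable.
function validateMappedAttributes(profile) {
  const errors = [];
  if (!VALID_ROLES.includes(profile.userType)) {
    errors.push(`userType must be one of ${VALID_ROLES.join(", ")}, got ${JSON.stringify(profile.userType)}`);
  }
  if (!Array.isArray(profile.entitlements)) {
    errors.push("entitlements must be a string array of site shortnames");
  } else {
    for (const site of profile.entitlements) {
      if (!isShortname(site)) {
        errors.push(`entitlements entry is not a site shortname: ${JSON.stringify(site)}`);
      }
    }
  }
  return errors;
}

// Assumed privilege ordering, lowest to highest, used only to flag an increase.
const ROLE_RANK = { observer: 0, user: 1, admin: 2, owner: 3 };

// Shows what the Okta assignment would override on an existing account with the
// same email, so that e.g. an observer silently becoming an admin is noticed.
function previewConsolidation(existing, incoming) {
  const sitesBefore = new Set(existing.sites);
  const sitesAfter = new Set(incoming.entitlements);
  return {
    email: existing.email,
    roleBefore: existing.role,
    roleAfter: incoming.userType,
    privilegeIncreases: ROLE_RANK[incoming.userType] > ROLE_RANK[existing.role],
    sitesGained: [...sitesAfter].filter((s) => !sitesBefore.has(s)),
    sitesLost: [...sitesBefore].filter((s) => !sitesAfter.has(s)),
  };
}

// Constructed sample data.
const okProfile = { userType: "user", entitlements: ["www.example.com", "api.example.com"] };
const badProfile = { userType: "superadmin", entitlements: "www.example.com" };
const existingUser = {
  email: "andy@examplecorp.com",
  role: "observer",
  sites: ["www.example.com", "legacy.example.com"],
};
const incomingAssignment = { userType: "admin", entitlements: ["www.example.com", "api.example.com"] };

console.log(validateMappedAttributes(okProfile));
console.log(validateMappedAttributes(badProfile));
console.log(previewConsolidation(existingUser, incomingAssignment));
```

Running the preview against an export of your current Next-Gen WAF users before the first group assignment gives you a list of accounts whose role or site access will change, which is the moment to catch an over-broad group mapping rather than after it has been applied.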

### Assigning a group or user to the application

The following instructions describe assigning groups; the process for assigning individual users is nearly identical.

1. In the Signal Sciences Okta application, click **Assignments**.
2. From the **Assign** menu, select **Assign to Groups**.
3. Select a group of users to provision. A window appears requesting additional attributes.
4. Select the **Role** for the assigned group. This can be one of **owner**, **admin**, **user**, or **observer**.
5. Click **Add Another** to add a site, entering the site's “short name” as it [appears in your Site settings](https://www.fastly.com/documentation/guides/next-gen-waf/managing-sites#editing-sites-workspaces).
6. Click **Save and Go Back**.

## Managing users with the IdP

User management includes both updates to attributes and user deletion.

### Updating users

Updates to the group and user attributes will be synchronized, including:

- The user’s real name
- The user’s assigned role
- The user’s assigned sites (workspaces)

Next-Gen WAF does not support updating the user’s email address, as it is the primary identifier for the user.

### Deleting users

Next-Gen WAF users are removed via provisioning in any of the following ways:

- Removing the user from a group assigned to the Next-Gen WAF application
- Directly removing the user from the Next-Gen WAF application, if they were directly assigned
- Deactivating the user in Okta

The user will be re-created if they are reactivated or re-assigned to the Signal Sciences Okta application.

## Troubleshooting

SCIM Provisioning was added to the Okta application in December 2020. If you have a Signal Sciences application in Okta that was created before December 2020, you may need to create a new Signal Sciences application in Okta in order to use SCIM provisioning.

If you have questions or difficulties with the Okta integration, reach out to our [Support team](https://support.fastly.com) for assistance.

## Related content

- [Setting up single sign-on (SSO)](https://www.fastly.com/documentation/guides/next-gen-waf/account-info/setting-up-single-sign-on-sso)
- [API access tokens](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf#creating-api-access-tokens)
