Enabling the Okta SCIM integration for Deel HR

System for Cross-domain Identity Management (SCIM) is one of the most widely used protocols for managing users across multiple applications.

The Okta SCIM provisioning integration enables Deel HR clients to automatically sync employee data from Deel into Okta, allowing IT teams to provision users into other applications such as Zendesk, Salesforce, and more.

This article explains how to enable the Okta SCIM integration for Deel HR.

In this article

• Before you begin
• Step 1. Set up Okta SCIM for Deel HR
• Step 2. Generate a new token for the Okta integration
• Step 3. Disconnect the Okta integration
• Frequently asked questions (FAQs)

Before you begin

To successfully enable the Okta SCIM integration for Deel HR, you’ll need:

• A user with an admin role on Deel
• A user with an admin role on Okta

Step 1. Set up Okta SCIM for Deel HR

1. On Deel go to More > Apps and search for Okta.

2. Click Connect Okta.

The first part of the integration is completed on Deel, while the second part is finalized in Okta.

3. Generate SCIM API Base URL and Organization token.

The SCIM API Base URL is the entry point to the Deel SCIM API, and the API Token is needed for authentication. You may need to manually type in :  /scim/v2  at the end of the base URL

Ensure these credentials are saved in a secure location, as they will be required when configuring Okta.

4. Follow the step-by-step guide in Okta. Once completed, return to this screen and click Connect.

To ensure a worker’s work email is used as their username in Okta, you may need to configure the username format to use appuser.userName. See the FAQs section below for details.

Step 2. Generate a new token for the Okta integration

1. Once Okta is connected, go to the Settings tab to see the SCIM API Base URL and a list of existing Deel tokens generated for Okta.

2. To generate a new API token, click New Token.

Step 3. Disconnect the Okta integration

To disconnect the integration, click the ellipsis (three dots) on the Okta integration page and select Disconnect.

Frequently asked questions (FAQs)

[ACCORDION] How can I make sure a worker’s work email is used as their username in Okta?

In Okta, clients can define how usernames are set for users provisioned via SCIM. To use the worker’s work email from Deel (sent as userName), you’ll need to configure the username format in Okta manually.

Here’s how:

1. In Okta, go to Applications and select the Deel app.

2. Click Provisioning > To Okta.

3. Under Okta username format, select Custom.

4. In the input field, enter: appuser.userName.

This ensures that the work email (sent from Deel as userName) is correctly used as the username for the Okta account.

[ACCORDION] Why is userName null in Okta?

userName field in Okta is mapped to a worker's work email in Deel HR. If the work email is not filled in, the userName in Okta will be null. Enter the worker's work email in Deel to resolve this issue.

[ACCORDION] Can I map the work email in Okta?

The Deel SCIM API, which is behind this integration, returns a worker's work email in the userName  property. Reach out to your Okta representative to obtain support on how to map this value to your desired property.