SCIM provisioning setup for Cloudinary with IdP (Okta)

Last updated: Dec-12-2024

Overview

This guide provides a step-by-step walkthrough for configuring SCIM (System for Cross-domain Identity Management) provisioning to integrate your Identity Provider (IdP), such as Okta, with Cloudinary. SCIM provisioning automates user and group synchronization, ensuring that any changes in your IdP are reflected in Cloudinary without manual updates. This integration reduces administrative overhead and supports secure, consistent user and group management, particularly for organizations with large or frequently updated user bases.

Tip
This integration is certified to work with Okta. While this guide focuses on the Cloudinary SCIM integration within Okta, other IdPs may also be compatible.

Note
This feature is for Enterprise customers only. Contact our Enterprise support and sales team for more information.

1. Prerequisites

Ensure you have access to the following:

  • Admin access to Okta.
  • Client ID and Client Secret for secure integration, which you can obtain from your Customer Success Manager (CSM).

Important
We strongly recommend creating a designated service account under the Cloudinary console and logging in as that user to do the setup. This ensures the SCIM integration is not tied to an individual user. If a user who has already been set up with the SCIM integration is offboarded and deactivated in Okta, it would break the SCIM integration and revoke the token associated with them. Logging in as a different user after the setup has started could also interfere with the process and cause issues.

2. Create a custom app

Follow these steps to create a custom app in Okta:

  1. Create a new SAML 2.0 Web application (e.g., in the Okta Admin console, select Applications from the Applications menu, click Create App Integration, and select SAML 2.0 as the Sign-in method).

    SCIM

  2. Give your app a name (e.g., Cloudinary Okta SCIM - My Org), and then optionally select a logo and visibility options (you can download a Cloudinary logo from our Cloudinary logo kit).

    SCIM

  3. Configure SAML settings as follows:
    1. Enter https://console.cloudinary.com/saml/consume as the Single sign on URL for both the Recipient URL and the Destination URL.
    2. Enter https://console.cloudinary.com/saml as the Audience URI.
    3. Select EmailAddress as the Name ID format.

      SCIM
    4. Click Show Advanced Settings, then add cloudinary.com/saml/consume under Other Requestable SSO URLs.

      SAML
    5. Click Next at the bottom of the page.
  4. Optionally add Feedback and click Finish when done.

3. Initial configuration steps

Access provisioning settings

  1. In Okta, go to Applications > Applications in the left-hand menu.
  2. In the main panel, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).
  3. Select the General tab for the Cloudinary application.
  4. Under App Settings, select SCIM as the Provisioning scheme and Save.

SCIM Provisioning - App Settings

Set SCIM base URL, feature settings, and authentication

  1. In Okta, select the Provisioning tab for the Cloudinary application and select Integration from the left-hand menu.

    SCIM Connection

  2. Set the SCIM connector base URL to https://cloudinary.com/scim/v2.
  3. Set the Unique identifier field for users as userName (case-sensitive).
  4. Enable SCIM features by selecting the checkboxes under Supported provisioning actions:
    • Choose Push New Users, Push Profile Updates, and Push Groups (optional but recommended for group synchronization), along with any additional actions that suit your organization's needs.
  5. Choose OAuth 2 as the Authentication Mode.
    • Set the Access token endpoint URI to https://oauth.cloudinary.com/oauth2/token.
    • Set the Authorization endpoint URI to https://oauth.cloudinary.com/oauth2/auth?scope=openid offline provision:scim.
    • Enter the Client ID and Client Secret provided by your CSM, and click Save.

      Authorization

  6. Register your variable name:
    1. Go to Directory > Profile Editor in the left-hand menu.
    2. In the main panel, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).
    3. Copy the Variable name and send it to your Customer Support Manager for Cloudinary internal configuration.

      Variable name

  7. Authenticate the app:
    1. Go to Applications > Applications in the left-hand menu.
    2. In the main panel, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).
    3. Select the Provisioning tab, and from the Settings menu in the main panel, select Integration.
    4. Scroll down and click Authenticate with Cloudinary Okta SCIM - My Org (or your Cloudinary application name) and follow the authentication process.

      Re-authenticate

    5. The following screen will open in a browser window. Click ACCEPT ACCESS.

      Auth

Configure Cloudinary application custom attributes

Set up the product_environments and role custom attributes for users in your Cloudinary application. Manually add these fields in the Profile Editor.

Note
Setting up the product_environments attribute is optional. If this attribute is not set, users will have access to all product environments.
  1. In Okta, go to Directory > Profile Editor in the left-hand menu.

  2. From the Users tab, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).

  3. Click + Add Attribute and set up the product_environments attribute with the following:

    • Data type: string array
    • Display name: Product environments (or any display name that's clear to you)
    • Variable name: product_environments (or any variable name that's clear to you. The Cloudinary variable name will be automatically added as a prefix.)
    • External name: product_environments (copy this exactly)
    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    • Description: Cloud names for user's allowed product environments (or any description that's clear to you)
    • Select Define enumerated list of values
    • Attribute members: For the Values, enter the cloud names of all the product environments in your account
    • Select Attribute required
    • Attribute type: Group (optional)
      Note
      Setting this to Group allows the value to be inherited from the Okta group to all its users. See Enable group inheritance for Cloudinary custom attributes.
    • Click Save and Add Another

      Add product_environment custom attribute

  4. Set up the role attribute with the following:

    • Data type: string
    • Display name: User role (or any display name that's clear to you)
    • Variable name: role (or any variable name that's clear to you. The Cloudinary variable name will be automatically added as a prefix.)
    • External name: role
    • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    • Description: User's Cloudinary role (or any description that's clear to you)
    • Select Define enumerated list of values
    • Attribute members: Enter all the Cloudinary user roles as values, with display names that make sense to you:
      • master_admin, admin, technical_admin, billing, reports, media_library_admin, media_library_user
        Tip
        To find out what permissions are granted for each role, see Role based permissions.
    • Select Attribute required
    • Attribute type: Group (optional)
      Note
      Setting this to Group allows the value to be inherited from the Okta group to all its users. See Enable group inheritance for Cloudinary custom attributes.
    • Click Save

      Add role custom attribute

Enable provisioning

Enable provisioning in terms of user creation, upadate user attributes, and deactivate user to Cloudinary from Okta.

  1. In Okta, go to Applications > Applications in the left-hand menu.
  2. In the main panel, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).
  3. Select the Provisioning tab, and from the Settings menu in the main panel, select To App.
  4. Enable Create Users, Update user Attributes, and Deactivate Users.

Add role custom attribute

Optional configurations

Set Cloudinary custom attributes during Okta user creation

To allow setting a user’s permitted product environments and Cloudinary role during Okta user creation, configure these as default user attributes in Okta. Next, map the Cloudinary app custom attributes to these Okta attributes. Otherwise, you’ll need to manually enter these values when assigning users to Cloudinary.

To configure the product_environment and cld_role Okta User (default) attributes:

  1. Select Directory > Profile Editor from the left-hand menu.
  2. Select Okta User (default) from the Users tab.
  3. Click + Add attribute and set up the product_environments attribute with the following:
    • Data type: string array
    • Display name: Product environments (or any display name that's clear to you)
    • Variable name: product_environments (copy this exactly)
    • Description: Cloud names for user's allowed product environments (or any display name that's clear to you)
    • Select Define enumerated list of values
    • Attribute members: For the Values, enter the cloud names of all the product environments in your account.
    • Select Attribute required
    • User permission: Select Read-Write
    • Click Save and Add Another

      Add custom attribute

  4. Set up the cld_role attribute with the following:
    • Data type: string
    • Display name: Cloudinary role (or any display name that's clear to you)
    • Variable name: cld_role (copy this exactly)
    • Description: User's Cloudinary role (or any display name that's clear to you)
    • Select Define enumerated list of values
    • Attribute members: Enter all the Cloudinary user roles as values, with display names that make sense to you:
      • master_admin, admin, technical_admin, billing, reports, media_library_admin, media_library_user
        Tip
        To find out what permissions are granted for each role, see Role based permissions.
    • Select Attribute required
    • User permission: Select Read-Write
    • Click Save

To map the product_environment and role Cloudinary user custom attributes to your Okta user default attributes:

  1. Click Back to profiles, or select Directory > Profile Editor from the left-hand menu.
  2. From the Users tab, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).

    Map custom attributes

  3. Click Mappings, and then select Okta User to Cloudinary Okta SCIM - My Org.
  4. Scroll down to find your custom attributes.
  5. Enter the mapping in the textbox to the left of each attribute:
    • For the product_environments field, enter user.product_environments
    • For the role field, enter user.cld_role

      Mapping custom attributes

Enable group inheritance for Cloudinary custom attributes

If you want the Cloudinary application user roles and allowed product environments to be inherited from the Okta group they belong to, you'll need to configure the product_environments and cld_role custom attributes for groups. Otherwise, you’ll need to manually set these values when assigning users to Cloudinary.

  1. Select Directory > Profile Editor from the left-hand menu.
  2. Select the Groups tab and select Okta group.
  3. Click + Add attribute and set up the product_environment attribute with the following:
    • Data type: string array
    • Display name: Product environments (or any display name that's clear to you)
    • Variable name: product_environments (copy this exactly)
    • Description: Allowed product environments for all users in the group (or any description that's clear to you)
    • Select Define enumerated list of values.
    • Attribute members: For the Values, enter the cloud names of all the product environments in your account.
    • Select Attribute required

      Add group attribute

  4. Make sure that the User role Cloudinary custom attribute for any specific user inherits the prioritized group value, and that the Product environments custom attribute inherits a combined list of product environments from all assigned groups:
    1. Click Back to profiles or click Directory > Profile Editor from the left-hand menu.
    2. From the Users tab, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).
    3. Scroll down to the Role Cloudinary custom attribute and click the pencil icon to edit it.
    4. Make sure Use Group Priority is selected.

      Use Group Priority

    5. Click Save Attribute.
    6. Scroll down to the Product environments Cloudinary custom attribute and click the pencil icon to edit it.
    7. Make sure Combine values across groups is selected and Save Attribute.

4. User and group synchronization

Here's an overview of all the available actions you can perform to initiate user and group syncing. For implementation instructions, click the link for each action, or scroll down:

  • Assign users from Okta to Cloudinary to establish a link, ensuring any changes in Okta automatically sync to Cloudinary. You can assign multiple users at a time by assigning all users in an Okta group to Cloudinary.

  • Push Okta groups to Cloudinary to copy the group structure and establish a link, ensuring that any changes to the groups in Okta automatically sync to Cloudinary.

    You can also manage links for groups that have existing links to Cloudinary.

  • Import users from Cloudinary to Okta to:

    • Create and link Cloudinary users in Okta. Once linked, any changes to these users in Okta sync automatically to Cloudinary.
      Important
      There's no automatic sync between changes to users in Cloudinary to users in Okta.
    • Sync user updates from Cloudinary to Okta.
    • Manually import new Cloudinary users to Okta.
  • Set up periodic automatic syncing to regularly bring new Cloudinary users into Okta and sync any updates made to existing users in Cloudinary.

Tip
To make sure you're in the right location for accessing these actions:
  1. Select Applications > Applications in the left-hand menu.
  2. In the main panel, select Cloudinary Okta SCIM - My Org User (or your Cloudinary application name).
  3. Select the tab as described for each action.

Assign users from Okta to Cloudinary

Assigning users from Okta to Cloudinary establishes a link between them. Any subsequent changes to linked users in Okta will automatically sync to Cloudinary.

To assign users from Okta to Cloudinary:

  1. In Okta, select the Assignments tab for the Cloudinary application.
  2. Click Assign and select Assign to People.

    Assign users from Okta to Cloudinary

  3. From the popup, click Assign next to the user you want to sync to Cloudinary.
  4. Fill in the form with all the fields for that user and save. Fields relevant in Okta but not applicable in Cloudinary will be ignored.
    • If you set up the optional configurations, the Product environments attribute (with external ID product_environments) and User role attribute (with external ID role) will contain the corresponding value of the Okta user or group.
    • If you didn't set up the optional configurations, you'll need to fill in values for those attributes now.
  5. Repeat steps 3-4 for all the users you want to sync.

Important
Make sure the and role and optionally the product_environments fields are configured.

Assign all users in an Okta group

You can assign all the users in an Okta group to Cloudinary. This action establishes a link and syncing for multiple users at a time.

To assign all users in an Okta group to Cloudinary:

  1. In Okta, select the Assignments tab for the Cloudinary application.
  2. Click Assign and select Assign to Groups.
  3. Click Assign next to the group you want to sync to Cloudinary and Save.

Push Okta groups to Cloudinary

Pushing groups from Okta to Cloudinary creates corresponding groups in Cloudinary and establishes links between them. All users in the Okta group who have already been assigned to Cloudinary will populate the Cloudinary group. Any unassigned users will be ignored during the push action.

To push Okta groups to Cloudinary:

  1. In Okta, select the Push Groups tab for the Cloudinary application.
  2. Click the Push Groups drop down button and select Find groups by name to search for a group that exists in Okta. For example, search for a group by name (e.g., "DEV team") in Okta.
  3. Select the group you want to link.

    Push groups

  4. In the bottom right corner, if No match found, select Create group to create and link a corresponding group in Cloudinary and save. Otherwise, select Link group and select the group in Cloudinary you want to link to.

Manage linked groups

You can manage groups already linked between Okta and Cloudinary in the following ways:

  • Deactivating group push: Stops syncing new group memberships (users) from Okta without impacting existing users in the group.
  • Removing links from pushed group: Stops syncing memberships (users) and optionally removes the group from Cloudinary.
  • Push now: Manually syncs the group’s current (users) to Cloudinary.

To manage Okta groups that are already linked to Cloudinary:

  1. In Okta, select the Push Groups tab for the Cloudinary application. The list of groups already linked between Okta and Cloudinary will be displayed.

    Manage linked groups

  2. To change Push Status for a particular group, click the drop down in that column for the group you'd like to change, and select an action.

Import users from Cloudinary to Okta

Importing users from Cloudinary does the following:

  • Creates and links Cloudinary users in Okta. Once linked, any changes to these users in Okta sync automatically to Cloudinary. Note that there's no automatic sync for changes made to users in Cloudinary back to Okta.
  • Syncs user updates from Cloudinary to Okta.
  • Allows you to import new Cloudinary users to Okta.

To import users from Cloudinary to Okta:

  1. In Okta, select the Import tab for the Cloudinary application to access the Cloudinary account.
  2. Click Import Now to display users from Cloudinary that are not yet in Okta.
  3. Select the user(s) to import by checking their box on the right panel.
  4. Click Confirm Assignments.

    Import users from Cloudinary

  5. Click Confirm in the dialog box.

    Confirm import

Sync users periodically from Cloudinary to Okta

You can schedule regular imports of new users created in Cloudinary and sync any changes made to linked users in Cloudinary with Okta.

To sync users periodically from Cloudinary to Okta:

  1. In Okta, select the Provisioning tab for the Cloudinary application.
  2. Select To Okta from the left-hand menu.
  3. Select a time interval from Schedule import and save. If you want to import manually, select Never.

    Setting up periodic sync from Cloudinary to Okta

5. Testing and finalization

  • Provisioning test: Confirm that your Oka users are synchronizing correctly with Cloudinary.

  • Group push verification: Confirm the groups you pushed are synchronized correctly with Cloudinary.

  • Field validation: Confirm custom attributes, such as product_environments and role, are mapped and transferred correctly.

✔️ Feedback sent!

Rate this page: