Use Okta's User Provisioning Feature to Synchronize User Data to cybozu.com

Introduction

Users on Okta can be synchronized with users on cybozu.com by using Okta's User Provisioning feature.
This article explains how to use Okta's Provisioning feature to sync Okta users with cybozu.com.

The User Provisioning Feature

  • User data and related services that are set up on Okta can be synced with cybozu.com.
    For example, if a new user is added to Okta, a user who can access kintone and Garoon can be automatically added to cybozu.com.
  • The User Provisioning Feature can be used with the following actions:
    • Adding a User
    • Updating User Information
    • Deactivating a User
    • Editing a User's Services
  • User data that can be synced are the following:
    • Login name
    • Display name
    • Surname
    • Given name
    • Email address
    • Status
  • Users that have already been added to cybozu.com can also use the Provisioning feature.

Required Environments

Limitations

  • Departments, Job Titles and Groups (Roles) cannot be synced.
  • If a user is deleted from cybozu.com after syncing, the user will not be recreated on cybozu.com after another sync. In order to recreate a user on cybozu.com, first disable "Propagate Provisioning" via the settings page once, then reactivate "Propagate Provisioning" before attempting to synchronize user data.
  • Log in names of synced users cannot be updated.
    To update a user's log in name, the user needs to be deleted from cybozu.com, recreated on Okta, and then resynced.

For other limitations, refer to the cybozu.com Help site (External link).

Important Notes

  • Before following this article to set up the cybozu.com settings on a production environment, it is best practice to set them up and test them on a cybozu.com testing environment.
    To apply for a Free Trial environment, refer to the following link.
  • If there is a need to restrict access to cybozu.com via IP addresses, consider setting up the restrictions on Okta. It is not recommended to place Okta's IP addresses on the cybozu.com settings for the list of allowed IP addresses. This is because Okta's IP addresses may be subject to change.

Set Up

Steps

The setup flow for using Okta's provisioning feature is as follows:

STEP1: Set up for cybozu.com

  1. Access your cybozu.com environment. This should be in the format of https://{sample}.cybozu.com/.
    Subdomains differ for each customer. If you do not know your cybozu.com subdomain, refer to the following help page: Checking Subscription Details (External link)

  2. Log in with a user with Users & System Administrators permissions.

  3. Click on [cybozu.com Administration].

  4. Click on [Provisioning].

  5. Click on "Create API Token".

  6. Set up the "Expiration date" and "Enter notes for this API token." fields, and click on [Create].

  7. Note down the created API Token and SCIM Endpoint.
    There is no way to recheck the value of the API token after closing the dialog.

  8. Click on [Close].

  9. Set the "Propagate Provisioning" settings to "Enabled"

STEP2: Set up for Okta

1. Add the cybozu.com Application
  1. Access your Okta environment. This should be in the format of https://{subdomain}.okta.com/.

  2. Log in with a user with Administrator permissions.

  3. Navigate to the side menu and click on [Applications].

  4. Click on [Browse App Catalog].

  5. Use the search box to search for "cybozu", and select [Cybozu (cybozu.com)].

  6. Click on [Add].

  7. In the "Domain Name" field, enter the subdomain name of the cybozu.com environment that will be synced.
    For example, if the cybozu.com URL is https://example.cybozu.com/ , enter "example" into the field.

  8. Click on [Done].

2. Configure the API Integration Settings for cybozu.com
  1. Click on [Provisioning].

  2. Click on [Configure API Integration].

  3. Set the following settings:

    • Enable API integration: Check the checkbox
    • API Token: Enter the API Token obtained in STEP1

  4. Click on [Test API Credentials].

    If the test connection fails and error messages are displayed, refer to the Troubleshooting section.
    Example error message:

    Error authenticating: Forbidden. Errors reported by remote server: Invalid JSON: Unexpected character

  5. If a successful message is displayed, click on [Save].

  6. Navigate to [Provisioning to App] and click on [Edit].

  7. Enable the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

  8. Click on [Save].

3. Delete Redundant Services from the Attributes List

This step uses the Attributes list to delete cybozu.com services that you do not have licenses for. If you accidentally delete services that you have licenses for, stop the setup and follow the Turning off the Provisioning Feature and Restarting the Provisioning Feature sections.

  1. Navigate to [Cybozu (cybozu.com) Attribute Mappings] and click on [Go to Profile Editor].

  2. Check the list of services displayed in the [Attributes] list. Delete all services that you do not have licenses for. To delete a service, click on the icon next to the service name.

    Click on [Delete Attribute] in the pop up dialog to confirm the deletion.

4. Assign Users and Start the Provisioning
To sync per user
  1. Navigate to the [Assignments] tab.

  2. Click on [Assign] and select [Assign to People].

  3. Navigate to the user that is to be synced, and click on [Assign].

  4. Enter the cybozu.com log in name for that user.

    • The Setting Initial Values for Log in Names section introduces what log in name will be initially set for the user.
    • Login names cannot be changed afterwards. To change the login name, the user will need to be recreated on Okta and resynced.

  5. Select the services that the user will use by setting the values to [Enable].

  6. Click on [Save and Go Back].

  7. After finishing the settings for all users that will be synced, click on [Done].

To sync per group

The Setting Initial Values for Log in Names section introduces what log in names will be initially set for users in groups. Log in names cannot be changed afterwards.

  1. Navigate to the [Assignments] tab.

  2. Click on [Assign] and select [Assign to Groups].

  3. Navigate to the group that is to be synced, and click on [Assign].

  4. Select the services that the users in the group will use by setting the values to [Enable].

  5. Click on [Save and Go Back].

  6. After finishing the settings for all groups that will be synced, click on [Done].

Other Settings

Setting Initial Values for Log in Names

  1. Navigate to the [Sign On] tab.

  2. Under [Settings], click on [Edit].

  3. Set up the initial value format for usernames in the [Application username format] settings.

    The following options can be set.

    • Custom: A custom format. For more details, refer to the Okta Expression Language overview (External link) article.
    • Email: An Email address format.
    • Email Prefix: A format that uses the identifier that comes before the @ symbol in the email address.
    • Okta username: A format that uses the user name for the Okta service.
    • Okta username prefix: A format that uses the identifier that comes before the @ symbol in the Okta user name.
    • (None): Sets no initial values.
      If [None] is selected and the sync is per group, the sync will fail because log in names cannot be set for the users. After assigning users to groups, log in names must be set for each user.
  4. Click on [Save].
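
Because log in names cannot be changed after the first sync, it helps to check what each [Application username format] option would produce before assigning users. The following Python script is an added example, not Okta or cybozu.com code: the user records, the field names (`okta_username`, `email`) and the case-insensitive duplicate check are assumptions, and the Custom option is left out because it depends on an Okta Expression Language expression.

```python
from collections import defaultdict


def prefix(value):
    """Return the part before the first '@' (the whole value if there is none)."""
    return value.split("@", 1)[0]


# Options listed under [Application username format] on this page.
# "Custom" is omitted: its result depends on the configured expression.
FORMATS = {
    "Email": lambda u: u["email"],
    "Email Prefix": lambda u: prefix(u["email"]),
    "Okta username": lambda u: u["okta_username"],
    "Okta username prefix": lambda u: prefix(u["okta_username"]),
    "(None)": lambda u: "",
}


def preflight(users, fmt):
    """Compute the initial log in name per user and report problems.

    Returns (names, empty, collisions):
      names      - okta_username -> derived initial log in name
      empty      - users with no initial value (per-group sync fails for them)
      collisions - derived name (case-folded) -> users that share it
    """
    derive = FORMATS[fmt]
    names, empty, seen = {}, [], defaultdict(list)
    for u in users:
        name = derive(u).strip()
        names[u["okta_username"]] = name
        if not name:
            empty.append(u["okta_username"])
        else:
            # Assumption: compare case-insensitively to stay conservative.
            seen[name.casefold()].append(u["okta_username"])
    collisions = {n: who for n, who in seen.items() if len(who) > 1}
    return names, empty, collisions


# Constructed sample users (hypothetical field names, not real accounts).
SAMPLE_USERS = [
    {"okta_username": "j.sato@example.com", "email": "j.sato@example.com"},
    {"okta_username": "j.sato@corp.example.net", "email": "jun.sato@example.net"},
    {"okta_username": "m.ito@example.com", "email": "M.Ito@example.com"},
]

if __name__ == "__main__":
    for fmt in FORMATS:
        _, empty, collisions = preflight(SAMPLE_USERS, fmt)
        print(f"{fmt}: empty={empty} collisions={collisions}")
```

Review any reported duplicates or empty values before assigning the users or groups, since the derived value becomes the user's cybozu.com log in name.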

Turning off the Provisioning Feature

To turn off the provisioning feature, follow these steps.

  1. Navigate to the [Provisioning] tab and click on [Integration].

  2. Click on [Edit].

  3. Uncheck the [Enable API Integration] option.

  4. Click on [Save].

Restarting the Provisioning Feature

  • If any updates are made to users while the provisioning feature is turned off, sync them into cybozu.com by referring to the Running Force Sync section.
  • If any updates are made to contracted services while the provisioning feature is turned off, delete any options related to services that users are not licensed for. For more details, refer to the Delete Redundant Services from the Attributes List section.

To restart the provisioning feature, follow these steps.

  1. Navigate to the [Provisioning] tab and click on [Integration].

  2. Under [Integration], click on [Edit].

  3. Check the [Enable API Integration] option.

  4. Click on [Save].

  5. Select [To App].

  6. Under [Provisioning to App], click on [Edit].

  7. Enable the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

  8. Click on [Save].

Running Force Sync

If any updates are made to users while the provisioning feature is turned off, sync them into cybozu.com using the Force Sync feature.

  1. Navigate to the [Provisioning] tab.

  2. Under [Cybozu (cybozu.com) Attribute Mappings], click on [Force Sync].

Making cybozu.com Users Active and Inactive

To make cybozu.com users inactive, either set the user on Okta to inactive, or unassign users with the following steps.

Unassigning Users
  1. Navigate to the [Assignments] tab.

  2. Click on [People].

  3. Navigate to the user that will be made inactive, and click on the [×].

  4. Click on the [OK] button in the confirmation dialog.

To make the user active again, reassign the user.

Unassigning Groups
  1. Navigate to the [Assignments] tab.

  2. Click on [Groups].

  3. Navigate to the group that will be made inactive, and click on the [×].

  4. Click on the [OK] button of the confirmation dialog.

To make the users in the group active again, reassign the group by referring to the following section:

Troubleshooting

If "Error authenticating: Forbidden. Errors reported by remote server: Invalid JSON: Unexpected character" is displayed

This may be due to IP address restrictions set up on cybozu.com.

If there is a need to restrict access to cybozu.com via IP addresses, consider setting up the restrictions on Okta.
It is not recommended to place Okta's IP addresses on the cybozu.com settings for the list of allowed IP addresses. This is because Okta's IP addresses may be subject to change.

Information

The contents of this article were checked against the August 2022 version of cybozu.com.