Lucca to Okta: How do you synchronize your user data?

Before you get started

If you use an Okta license, Lucca can synchronize your Lucca-administered user data to your Okta directory.

All the steps required to install the connector are described below. This page is mainly intended to your Okta administrator (DSI or IT).

The free Lucca for Okta interface is available via the cog wheel in your Lucca environment. If you do not have the permission, please contact our Support team.

Features supported by the application

• Updating user attributes

• Import users.

• Import groups.

• Profile sourcing

Help desk

As a Lucca client, you can contact our customer services with any questions you may have, or to report problems, request improvements, or get advice on how to use our products. We are always ready to provide you with the appropriate solution.

Our consultants or technical teams are not authorized to access your Okta environment, its settings and the permissions you have previously defined with your Okta administrator.

So please describe as precisely as possible the type of problem you are experiencing, with screenshots to help us give you the best possible assistance. We also recommend that you include your Okta consultant in your requests, to make it easier for us to identify your problem.

Enable synchronization between Lucca and Okta

Step 1: Retrieve Lucca login information for Okta

From the cog wheel in your environment Authentication, SSO and API Okta Synchronization and start integration by clicking on the button with the same name.

A window will pop-up, inviting you to provide us with your technical administrator's email address. This information will enable us to better identify our contacts if needed or for announcements concerning the integration of Lucca into Okta.

After completing the first 2 steps - which we return to in step 3 - you can retrieve the information you need to copy into the Okta interface.

Step 2: Activating Lucca in Okta

In your Okta application, go to the Applications menu and select "Browse App Catalog" and choose the "Lucca" application:

Once Lucca has been selected and added, go to the Provisioning tab, then to the Integration menu.

Enter the required information previously collected in the Lucca for Okta interface.

URL base
API Token
Import Groups. This box lets you define whether or not you want to import groups, which we identify in Lucca by department, legal unit, establishment or country.

Once this step is complete, go to the "To Okta" menu and select "Allow SCIM 2.0 Test App (Header Auth) to activate the data source which Okta will be fed.

Step 3: In Lucca, configure the integration with Okta.

The first step is to select the properties you want to synchronize with Lucca.

Properties are the user data you manage in Poplee Core HR via the HR File.

If you have activated the option in Okta, define the groups you wish to synchronize in the second step.

Congratulations, your synchronization is now active!

Now the interface is dedicated to the administration of your initial settings, and the status of your integration is displayed in real time.

Managing Lucca to Okta data synchronization

[Lucca/Okta] Properties

Lucca's APIs are REST APIs.

They allow us to display all the properties associated with each employee (user), such as contract start date, establishment, occupation category, job title and manager.

To integrate with Okta, we have developed a connection between our APIs and Okta's SCIM APIs. Therefore, a Lucca property becomes a user attribute for Okta.

Customize Lucca data to be synchronized with Okta

From the Okta integration interface, you can add or remove a property from all the data you manage in your HR File.

4 properties are mandatory and cannot be modified:

Capture_d_e_cran_2021-09-01_a__10.14.37.png

Note: Customizable compound data and multiple occurrences

cannot be synchronized with Okta.

Mapping a Lucca property to an Okta attribute

There are 2 types of attributes:

1. The attribute found in Okta that is displayed at user profile level. This attribute is pushed by Okta to third-party systems.

2. The attribute returned by the API via integration ((/ lucca-okta/api/users) which tells Okta how to read the property value.

Attributes are managed and read by the integration activated between Lucca and Okta

Create an Okta attribute

In Okta, from the left menu, select Directory → Profile Editor then Profile

The page that appears shows you the Okta attributes you have enabled to synchronize your users.

Here you will find:

Native attributes: login, firstName, lastName, etc. found in the SCIM 2.0 standard. These attributes cannot be modified.

Custom attributes

Click on Add Attribute. The next page will then show you how to set the custom attributes defined with:

a type: string, integer, boolean, etc
a name human readable name which will be displayed in the user profile
a variable, which is the code for the data name, which should be matched with Lucca APIs.

Create the integration with the attribute

From the menu, select Directory → Profile Editor then Apps and Profile for Lucca

This page displays all synchronized and active attributes, both native and custom.

Capture_d_e_cran_2021-09-01_a__11.18.13.png

Click on Add Attribute. The page that appears will allow you to set synchronization activation parameters for the attribute you created.

The External namespace field lets you add your attribute (for json) to the Okta schema. In each case, you will find 2 standards in the Okta framework:

urn:ietf:params:scim:schemas:core:2.0:User: associated schema for the attributes of the standard (firstName, lastName, etc.)
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User: recommended schema by the SCIM standard for custom attributes (dtContractStart, dtContractEnd, etc.)

Here is an example of the json returned by the Lucca.Okta application:

Once the schemas have been validated, fill in the external namespace field with the value: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

That's all there is to it.

Configuring mapping in Okta

The last step is to make the connection between Lucca and Okta profile attributes.

Select Directory → Profile Editor. then Apps and click on Mappings of the Lucca integration

Capture_d_e_cran_2021-09-01_a__11.21.10.png

You can configure Lucca to Okta and Okta to Lucca mapping.

Capture_d_e_cran_2021-09-01_a__11.32.38.png

Notes about Okta to Lucca synchronization

Roles and permissions

By default and for security reasons, the Okta connector on the Lucca instance does not allow Okta to modify user data.

If you want to synchronize Okta to Lucca, you need to change the permission of the Okta api key.

In the role administration, you need to add the permissions needed to modify the user file to the Okta API integration api key.

Limitations

DisplayName attribute

- In the Lucca environment, there is no HR displayName data associated with employees.

- By default Okta expects a displayName attribute with the path urn:ietf:params:scim:schemas:core:2.0:User.displayName.

To make your configuration easier, the displayname is enhanced by adding the family name (familyName) to the first name (givenName).

However, if you have configured Okta - Lucca synchronization on the displayname field, synchronization of this field will have no effect. To change the family name or first name, you need to synchronize the familyName and givenName.

Non-customizable compound data

"Non-customizable compound data" (occupation category, calendar, establishments, departments, roles, etc.) can be synchronized to Okta, but cannot be synchronized in the Okta to Lucca direction.