User provisioning with Okta

Set up automated user provisioning using Okta.

Written by Robert Shough

This guide walks you through connecting Okta to CybSafe for automated user provisioning over SCIM, including the connection setup, attribute mapping, user assignment, and post-launch checks.


Before you start

You'll need:

  • Admin access to CybSafe

  • Admin access to your Okta org (with the ability to add applications and configure provisioning)

  • About 20 to 30 minutes

A quick note on the setup. CybSafe has a published app in the Okta App Catalog that gives you the core attributes out of the box. If you want to sync extra attributes like cost centre, employee number, or hire date, you'll add those as custom mappings in the Okta Profile Editor.
We'll cover both.

This provisioning app does not replace your CybSafe SSO app. If you want SSO too, that's a separate connection.
Read more in CybSafe and Single Sign-On integrations.


Core concepts

  • SCIM: The protocol Okta uses to push user data to CybSafe. CybSafe supports SCIM v2.

  • SCIM endpoint: The URL Okta sends user data to. For CybSafe, this is https://app.cybsafe.com/scim/v2/

  • Provisioning token: A bearer token CybSafe generates that authenticates Okta to your CybSafe tenant.

  • Push group: An Okta group that, when assigned to the CybSafe app, pushes its members into CybSafe.

  • External name and External namespace: Two Okta fields that together form the full SCIM attribute path. You'll use these when mapping custom attributes.


Step 1: Generate your CybSafe provisioning token

  1. Log in to CybSafe with your admin account.

  2. Navigate to Settings > Identity management and select the User provisioning tab.

  3. Click Generate token.

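  4. Copy the token and keep it somewhere safe. It is a bearer token, so anyone who has it can authenticate to your CybSafe tenant. You'll paste it into Okta in the next step.

The SCIM endpoint you'll need in Okta is: https://app.cybsafe.com/scim/v2/
Keep the trailing slash, and don't add any spaces.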


Step 2: Add the CybSafe app in Okta

  1. In Okta, go to Applications > Applications and click Browse App Catalog.

  2. Search for "CybSafe" and click Add Integration on the CybSafe listing.

  3. Configure your general settings and sign-in options as required, then click Done.


Step 3: Configure the SCIM connection

  1. Open the CybSafe app you just added and go to the Provisioning tab > Integration.

  2. Click Configure API Integration.

  3. Tick Enable API integration.

  4. Paste your CybSafe provisioning token into the API Token field.

  5. Click Test API Credentials. You should see a success message.

  6. Click Save.

If the test fails, check the token has been copied in full with no leading or trailing spaces. You can always generate a fresh token in CybSafe if needed.


Step 4: Enable provisioning features

  1. Still in the Provisioning tab, select To App on the left.

  2. Click Edit.

  3. Tick Enable for:

    • Create Users

    • Update User Attributes

    • Deactivate Users

  4. Click Save.

CybSafe doesn't support the Sync Password feature, so leave that off.


Step 5: Map your attributes

The default Okta to CybSafe attribute mappings cover the basics: name, email, and active status. To sync extra fields like department, manager, or cost centre, you'll add custom attributes in the Okta Profile Editor.

Default mappings

These come pre-configured. Check they look right:

  • userName maps to your primary work email (often userPrincipalName)

  • givenName maps to first name

  • familyName maps to surname

  • email (work) maps to primary email

  • active controls whether the person is active in CybSafe

Add custom attribute mappings

To add an attribute like department, costCenter, or employeeNumber:

  1. In the CybSafe app, go to Provisioning > To App.

  2. Scroll to the bottom and click Go to Profile Editor.

  3. Click + Add Attribute.

  4. Fill in the four fields:

    • Display name: Whatever you want to call it in Okta (like "Cost Centre")

    • Variable name: An Okta-internal name (like costCenter)

    • External name: The CybSafe attribute name (see the table below)

    • External namespace: The SCIM schema URN (see the table below)

  5. Click Save.

  6. Back in Provisioning > To App, find the new attribute and map an Okta source attribute to it.

Supported CybSafe attributes

The full list of attributes CybSafe accepts, with the External name and External namespace to use in Okta. M is mandatory, R is recommended, O is optional.

| CybSafe attribute | External name | External namespace | Type |
|---|---|---|---|
| userName | userName | urn:ietf:params:scim:schemas:core:2.0:User | M |
| active | active | urn:ietf:params:scim:schemas:core:2.0:User | M |
| Work email | emails[type eq "work"].value | urn:ietf:params:scim:schemas:core:2.0:User | M |
| First name | name.givenName | urn:ietf:params:scim:schemas:core:2.0:User | R |
| Surname | name.familyName | urn:ietf:params:scim:schemas:core:2.0:User | R |
| preferredLanguage | preferredLanguage | urn:ietf:params:scim:schemas:core:2.0:User | R |
| timezone | timezone | urn:ietf:params:scim:schemas:core:2.0:User | R |
| Country | addresses[type eq "work"].country | urn:ietf:params:scim:schemas:core:2.0:User | R |
| Street address | addresses[type eq "work"].streetAddress | urn:ietf:params:scim:schemas:core:2.0:User | O |
| City | addresses[type eq "work"].locality | urn:ietf:params:scim:schemas:core:2.0:User | O |
| State | addresses[type eq "work"].region | urn:ietf:params:scim:schemas:core:2.0:User | O |
| Job title | title | urn:ietf:params:scim:schemas:core:2.0:User | O |
| department | department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | R |
| organization | organization | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | R |
| division | division | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | R |
| manager | manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | R |
| employeeNumber | employeeNumber | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | O |
| costCenter | costCenter | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | O |
| businessUnit | businessUnit | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |
| employeeType | employeeType | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |
| employeeLevel | employeeLevel | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |
| grade | grade | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |
| office | office | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |
| hireDate | hireDate | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |
| externalId | externalId | urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User | O |

A few important notes:

  • The department, division, and organization attributes auto-create folders in CybSafe's group management. Map these if you want to filter campaigns and reports by those groupings.

  • For address attributes in Okta (street address, city, state, country), the nested format like addresses[type eq "work"].streetAddress is the one that works reliably. If you have issues getting city or state through, try the nested format shown in the table.

  • For hireDate, the date format must be yyyy-MM-dd.

  • For timezone, use the IANA format like Europe/London.

  • For preferredLanguage, use IETF language tags. The full list of supported codes is in Explainer: supported languages.

  • If your userPrincipalName isn't the same as the full email address, contact CybSafe support before you start syncing. We can switch the matching field to avoid duplicate profiles.

  • Any attribute not in the table above won't sync. CybSafe will ignore it.
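
A pre-flight check for the mapping rules in this step, and for the FAQ entry on mappings that don't come through. This is an added example, not CybSafe or Okta code. The function names and the input list (one tuple per attribute as typed into the Profile Editor) are assumptions, and the sample data is constructed.

```python
from datetime import datetime

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CYBSAFE = "urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User"
WORK_ADDR = 'addresses[type eq "work"].'

TABLE = {  # (namespace, M/R/O) -> External names, from the table in this guide
    (CORE, "M"): ["userName", "active", 'emails[type eq "work"].value'],
    (CORE, "R"): ["name.givenName", "name.familyName", "preferredLanguage",
                  "timezone", WORK_ADDR + "country"],
    (CORE, "O"): [WORK_ADDR + "streetAddress", WORK_ADDR + "locality",
                  WORK_ADDR + "region", "title"],
    (ENTERPRISE, "R"): ["department", "organization", "division", "manager"],
    (ENTERPRISE, "O"): ["employeeNumber", "costCenter"],
    (CYBSAFE, "O"): ["businessUnit", "employeeType", "employeeLevel", "grade",
                     "office", "hireDate", "externalId"],
}
SUPPORTED = {n: key for key, names in TABLE.items() for n in names}

def valid_hire_date(value):
    """True only for yyyy-MM-dd, the format the guide requires for hireDate."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").strftime("%Y-%m-%d") == value
    except ValueError:
        return False

def check_mappings(mappings):
    """mappings: (External name, External namespace, sample value) per attribute."""
    problems, mapped = [], {m[0] for m in mappings}
    for name, namespace, sample in mappings:
        if name not in SUPPORTED:
            problems.append(f"{name}: not in the supported table, will be ignored")
            continue
        if namespace != SUPPORTED[name][0]:
            problems.append(f"{name}: wrong namespace, expected {SUPPORTED[name][0]}")
        if name == "hireDate" and not valid_hire_date(sample):
            problems.append(f"hireDate: {sample!r} is not yyyy-MM-dd")
    problems += [f"{n}: mandatory attribute is not mapped"
                 for n, (_, kind) in SUPPORTED.items() if kind == "M" and n not in mapped]
    return problems

# Constructed sample: a mapping list with typical mistakes.
SAMPLE = [
    ("userName", CORE, "ada@example.com"),
    ("costCenter", CYBSAFE, "CC-104"),    # belongs to the enterprise extension
    ("hireDate", CYBSAFE, "05/01/2024"),  # wrong date format
    ("nickName", CORE, "Ada"),            # not in the table
]
```

Calling check_mappings(SAMPLE) returns five findings: the three mistakes marked in the sample plus the two mandatory attributes (active and work email) that the list leaves unmapped.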


Step 6: Assign people to the CybSafe app

CybSafe expects people to be assigned via push groups.

  1. In the CybSafe app, go to the Assignments tab.

  2. Click Assign > Assign to Groups.

  3. Pick the Okta groups that should have CybSafe access and click Assign.

  4. (Optional) Then go to the Push Groups tab.

  5. Click Push Groups > Find groups by name and add the groups you want pushed into CybSafe as groups (not just for membership).

When someone is added to a push group, they're created in CybSafe. When they're removed, they're deactivated in CybSafe.


Step 7: Test and monitor

  1. Run a sync from Okta. Most attribute changes push within a few minutes.

  2. In CybSafe, check:

    • People overview. New people should appear here.

    • Group management. Department, Division, and Organisation folders should populate if you mapped those attributes.

    • Settings > Identity management > User provisioning. The Last SCIM request and Last SCIM change fields should show recent timestamps.

  3. Spot-check a few people. Make sure attributes like manager, department, and job title are coming through correctly.

If the Last SCIM fields show N/A, the sync isn't running. Check the Okta logs first for errors, then get in touch.


CybSafe recommends

Every organisation's setup is different, but here are our tips:

  • Start with a small push group.
    Assign 5 to 10 test people first. Confirm the sync works and attributes land correctly before you push everyone.

  • Plug into your JML process.
    Joiner-mover-leaver should drive your Okta groups so provisioning happens automatically. This is the whole point of SCIM.

  • Turn off "Update user details on login" in your SSO settings.
    If you have both SSO and SCIM running, login can overwrite SCIM-synced data. Let SCIM be the source of truth. Find this in Settings > Identity management > Login.

  • Map department even if you're not using it yet.
    It auto-creates groups in CybSafe that become useful for campaign targeting and reporting later. Same goes for division and organisation.

  • Use the matching field that matches your SSO setup.
    If your provisioning matches on userPrincipalName but your SSO sends email, you'll end up with duplicate profiles. Make sure both use the same attribute.


FAQ

Do I need to set up SSO separately?
Yes. Provisioning and SSO are two different connections. The provisioning app pushes user data into CybSafe. The SSO app lets people log in. You can have one without the other, but most customers run both.

Why is my manager attribute not syncing?
The manager's profile needs to exist in CybSafe before the link can be made. If you're doing an initial sync, run it once to create everyone, then run it again to link managers. If the issue continues, get in touch as there is a known issue with line manager imports from Okta on some setups.

What happens when I deactivate someone in Okta?
They get deactivated in CybSafe. Their profile and data are kept so you can reactivate them later if needed. Removing someone from a push group has the same effect.

Can I sync custom attributes that aren't in your table?
No. CybSafe only stores the attributes listed above. Anything else is ignored. If you have a field you'd like added, let us know.

Why are my attribute mappings not coming through even though the sync ran?
The most common cause is the External name or External namespace being wrong. Double-check both fields in the Profile Editor against the table above. The enterprise extension attributes need urn:ietf:params:scim:schemas:extension:enterprise:2.0:User and the CybSafe extension attributes need urn:ietf:params:scim:schemas:extension:cybsafe:2.0:User. Mixing these up is the usual culprit.

Can I sync groups from Okta into CybSafe groups?
Yes. Push groups in Okta become groups in CybSafe, with their memberships kept in sync. Add them via the Push Groups tab.

The SCIM provisioning option doesn't appear in my Okta app. What now?
Some Okta orgs need to contact Okta support to switch on SCIM provisioning for custom apps. If you're using the CybSafe app from the App Catalog this shouldn't happen, but if it does, Okta support can turn it on for you. Their guide on this is Add SCIM provisioning to app integrations.

How long does the initial sync take?
For a few hundred people it's usually done in minutes. Larger orgs (thousands of people) can take longer. Okta runs incremental syncs after that, so subsequent changes push through in near real time.

Still have any questions?

If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!
