© 2026 Wando. Docs are continuously updated as the product ships.
Okta

~15 minutes

Provision members from Okta into Wando over SCIM 2.0. Okta pushes user lifecycle events (create / update / deactivate) and group assignments to Wando's SCIM endpoint, and Wando maps groups to roles.

Before you start

  • SSO already configured for this organisation in Wando (see the Okta SSO guide).
  • Lifecycle Management licensed on your Okta tenant.
  • A SCIM bearer token issued by your Wando contact — request one before you start, you'll paste it in step 4.

Steps

  1. Open your Wando app integration

    In the Okta Admin Console, open Applications → Applications and click the Wando OIDC integration you created in the SSO guide.

  2. Request a SCIM token from your Wando contact

    Email your Wando contact (hej@wando.app) and ask them to issue a SCIM token for this organisation. They'll send back a bearer string — keep it handy for step 4.

    Wando only shows the token once when it's issued. If you lose it, ask for a fresh one — old tokens can be revoked.

  3. Open the Provisioning tab → Integration

    On the Wando app, open the "Provisioning" tab. Click "Configure API Integration" → check "Enable API integration".

  4. Fill in the SCIM connector settings

    Enter the values below and pick "HTTP Header" as the authentication mode. Click "Save".

      • SCIM connector base URL: https://www.wando.tromb.com/api/auth/scim/v2
      • Unique identifier field for users: userName
      • Supported provisioning actions: Import New Users and Profile Updates, Push New Users, Push Profile Updates, Push Groups
      • Authentication Mode: HTTP Header
      • HTTP Header → Authorization: Bearer <token from step 2>

  5. Test the connection

    Click "Test API Credentials". Okta verifies that Wando responds at `/ServiceProviderConfig` with the bearer token. A green check means the connection is good.

  6. Enable provisioning actions

    Still on the Provisioning tab, select "To App" in the left sub-nav. Click "Edit" and enable: "Create Users", "Update User Attributes", and "Deactivate Users". Save.

  7. Assign users and groups

    Open the "Assignments" tab on the app, click "Assign" → "Assign to People" or "Assign to Groups". Only assigned users will be pushed to Wando.

  8. Push the groups

    Open the "Push Groups" tab. Click "Push Groups" → "Find groups by name" and pick the groups you want Wando to see (typically the groups you also want to map to roles). Okta will create them on Wando's side as SCIM groups.

  9. Map groups to Wando roles

    After Okta pushes the groups, send your Wando contact a list of which group should map to which role — "admin", "boss" or "member". They'll apply it. Users in multiple groups get the highest role.
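
Before sending the mapping, it helps to preview which role each user would end up with, since membership in several groups resolves to the highest role. The script below is an added example, not Wando's or Okta's code: it assumes the role order admin > boss > member (the guide names the roles but not their order), and the group names, user ids and the `effective_roles` helper are constructed for illustration.

```python
import json

# Assumption: the guide names the roles but not their order; admin > boss > member.
ROLE_RANK = {"member": 1, "boss": 2, "admin": 3}

# Constructed sample: pushed groups as SCIM 2.0 Group resources (RFC 7643).
SAMPLE_GROUPS = json.loads("""[
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "Wando-Admins", "members": [{"value": "u-alice"}]},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "Wando-Leads",
   "members": [{"value": "u-alice"}, {"value": "u-bob"}]},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "Wando-Everyone",
   "members": [{"value": "u-alice"}, {"value": "u-bob"}, {"value": "u-carol"}]},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
   "displayName": "Contractors", "members": [{"value": "u-dave"}]}
]""")

# Constructed sample mapping; "Wando-Finance" is deliberately not a pushed group.
SAMPLE_MAPPING = {"Wando-Admins": "admin", "Wando-Leads": "boss",
                  "Wando-Everyone": "member", "Wando-Finance": "boss"}

def effective_roles(groups, mapping):
    """Return (user -> role, pushed groups with no role, mapped names never pushed)."""
    bad = {g: r for g, r in mapping.items() if r not in ROLE_RANK}
    if bad:
        raise ValueError(f"unknown role(s) in mapping: {bad}")
    roles, unmapped = {}, []
    for group in groups:
        role = mapping.get(group["displayName"])
        if role is None:
            unmapped.append(group["displayName"])
            continue
        for member in group.get("members", []):
            user = member["value"]
            # Highest role wins for users in several mapped groups.
            if ROLE_RANK[role] > ROLE_RANK.get(roles.get(user), 0):
                roles[user] = role
    pushed = {g["displayName"] for g in groups}
    return roles, unmapped, sorted(set(mapping) - pushed)

if __name__ == "__main__":
    roles, unmapped, missing = effective_roles(SAMPLE_GROUPS, SAMPLE_MAPPING)
    for user, role in sorted(roles.items()):
        print(f"{user:10} {role}")
    print("admins:", sorted(u for u, r in roles.items() if r == "admin"))
    print("pushed but unmapped:", unmapped, "| mapped but not pushed:", missing)
```

Review the admin list and both mismatch lists before handing the mapping over: a mistyped group name shows up as "mapped but not pushed", and a pushed group nobody assigned a role to shows up as "pushed but unmapped".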

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Once Okta has pushed its first provisioning cycle, send your Wando contact the group-to-role mapping you want. They'll apply it to the SCIM groups Okta pushed and confirm when provisioning is live.

  • SCIM base URL (already configured): https://www.wando.tromb.com/api/auth/scim/v2
  • Group → role mapping: send your contact a list of which group should map to admin / boss / member