Okta SCIM Configuration Guide

Overview

If your organization uses Okta to manage your employees’ access to tools and services, you can take advantage of Okta’s “Provisioning” feature to automatically grant access to Getty Images to your users. The integration between Okta and Getty Images that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Okta works with SCIM, please see this article. The remainder of this guide is focused on enabling you to configure both Getty Images and Okta to get provisioning up and running for your organization.

The following provisioning features are supported by Getty Images at present:

  • Push Users: Users in Okta that are assigned to the Getty Images application within Okta are automatically added as users in Getty Images.
  • Update User Attributes: When user attributes are updated in Okta, they will be updated in Getty Images. The attributes that can be updated are First name, Last name, and email
  • Deactivate Users: When users are deactivated in Okta, they will be set to ‘disabled’ within Getty Images – which prevents the user from logging into Getty Images.

Prerequisites

  1. You should already have an Okta/GettyImages SAML 2.0 integration configured. See Okta SAML 2.0 Configuration Guide.
  2. Contact your Getty Images account representative or use the Contact page on gettyimages.com to let us know you’d like to use SCIM.
    • After receiving a confirmation email with the Getty Images division for your application and the appropriate credentials, you can proceed with the configuration.

Configure Provisioning (SCIM) in the Okta Getty Images application

  1. In Okta, go to Admin > Applications > Applications and select the Getty Images application.
  2. Select the Provisioning tab. Under the Settings panel on the left side, select Integration. Then click the Configure API Integration button.
    Okta Provisioning Configuration - Configure API Integration
  3. Select Enable API Integration. A section allowing Authentication should appear.
    Okta Provisioning Configuration - Authenticate with Getty Images
  4. Click the Authenticate with Getty Images button. A new window will open prompting for a Username and Password. This Username and Password should be provided by your Getty Images account representative when you request to use SCIM. Enter these credentials and click Authorise.
    Okta Provisioning Configuration - Getty Images Authorise
  5. You should be redirected back to the Okta Provisioning page and should see a note that Getty Images was verified successfully. Click Save.
    Okta Provisioning Configuration - Successful Auth
  6. Under the Provisioning tab, select To App from the Settings panel on the left side. Click Edit and select Create Users, Update User Attributes, and Deactivate users. Click Save.
    Okta Provisioning Configuration - Select Provisioning
  7. Your connection is now ready to send data to Getty Images.

Configure Division for Users

Division is required for all users in the Getty Images application. There are two ways division can be configured.

Option 1 - Configured at the individual user profile

This option should be used if multiple division ids are provided by Getty Images because the division id will be different based on the individual user. To determine what division id to set for each user, work with your Getty Images account representative or a customer service representative (support@gettyimages.com).

  1. In Okta, go to Admin > Directory > People and select the user that requires a division.
  2. Select the Profile tab. Click Edit.
  3. Add the division value provided by Getty Images to the Division attribute. Click Save.
    Okta Division Configuration - User Profile

Option 2 - Configured as a constant in the application

This option should be used if there is only one division id provided by Getty Images.

  1. In Okta, go to Admin > Applications > Applications and select the Getty Images application.
  2. Select the Provisioning tab. Under the Settings panel on the left side, select To App.
  3. Scroll down to the Getty Images Attribute Mappings section.
  4. Click the Edit button for the Division attribute.
  5. Select Same value for all users for the Attribute value drop down. Add the division value provided by Getty Images. Click Save.
    Okta Division Configuration - Constant Value
Notes about configuring division as a constant

The default division mapping in the Getty Images SCIM integration is set to map a user’s division from their profile to their Getty Images app-level division. This is assuming the division will be configured at the individual user profile level (option 1 above). If the desire is to configure the division as a constant in the Getty Image SCIM integration (option 2 above), this should be configured before users are assigned to the Getty Images application. The Getty Images app-level division for the users is set when users are assigned to the app.

If users are assigned before the division attribute is edited to use a constant, their divisions will be set to whatever their user profile division is. To resolve this, the users need to be unassigned from the Getty Images app and then reassigned. Upon reassignment they should all pick up the constant value for their Getty Images app-level division. A sync can then be run and mapping should be successful.

Auto Mapping Users

When a user is assigned to your configured Okta Getty Images application, Okta will send a request to create a Getty Images account for that user. If an existing Getty Images account for that user is found, by looking for an exact match between the supplied Name ID and a gettyimages.com username, the existing Getty Images account will be mapped for SSO and no new account will be created. If no match is found, a new Getty Images account will be created and this new account will be mapped for SSO.

Notes

  • A single integration’s provisioning configuration must be one of: Just-in-Time User Provisioning, SCIM Provisioning, or no provisioning.
  • When UserName is updated using SCIM, Getty Images updates the SSO specific NameId, but not the Getty Images Username that is reflected on the admin page.
  • Division, which is a User Profile Attribute, is required when using SCIM Provisioning. This will be provided to you by your account or customer service representative.

Troubleshooting

If you have questions or difficulties with your Okta/Getty Images SCIM integration, please use the Contact page on gettyimages.com.

Read more

System for Cross-Domain Identity Management (SCIM) Configuration Guide Generative AI by Getty Images