Brex and Okta SCIM

OverviewOkta SCIM setupMapping custom attributes (location)Recommended attribute mappings

Overview

PremiumEnterpriseSmart card

A System for Cross-domain Identity Management (SCIM) is an integration that helps you automate user access for your company’s Brex account. It can be used to provision Brex user accounts for your employees after being added to your Okta instance. It can also disable users after their removal from your Okta instance.


Okta SCIM setup

You can connect an Okta SCIM account with your Brex account by following these steps: Note: Steps 1 and 2 are optional. If you’d prefer not to set up your Okta SAML SSO, skip to Step 3, however if you want to configure both Okta SSO and SCIM, make sure you complete the steps in the following order. Step 1: Set up the Okta SAML SSO for your account by reaching out to Brex Support with this information:

  • Your business name
  • Your email address (or the email address of the individual from your team that will be working on the SAML SSO setup)
  • A test user to be used for SAML SSO setup
  • A list of email domains that should be supported for SSO & SCIM
  • Whether or not you have HRIS enabled already
  • Whether or not you want users to be sent an invitation email automatically after being added to SCIM
    • If so, whether you want these users invited as the employee role type or the reimbursements-only role type.

Step 2: Wait 3-5 business days for a response email from our team with instructions on how to create the SAML SSO application in Okta. Once successfully set up, our team will test an enable SAML SSO for your account. Step 3: Go to the Applications page in your Okta admin dashboard. Step 4: Click Browse App Catalog to create a new SCIM application. Step 5: Search for SCIM and choose the SCIM 2.0 Test App (Basic Auth). Step 6: Click Add Integration. Step 7: Enter a name for your application, check the box to hide the application from users, and click Next.

HC - Okta SCIM 01

Step 8: If not already, set Application username format to Okta username. Leave everything else as the default and click Done to create the application.

HC - Okta SCIM 02

Step 9: Go to the Provisioning tab and click Configure API Integration.

HC - Okta SCIM 03

Step 10: Enter your SCIM API credentials (these will be sent to you via a secure document from our team) and click Test API Credentials to confirm the settings are correct.

HC - Okta SCIM 04

Step 11: Go to the To App tab and click the checkbox to enable Create Users, Update User Attributes, and Deactivate Users. You can also verify mapping in the attribute mapping section below. The defaults we expect for mappings can be found in the screenshot at the bottom of the page.

HC - Okta SCIM 05

Attributes map to Brex as follows:

  • Department: This maps to the department attribute in Brex.
  • Cost Center: This maps to the cost center attribute in Brex.
  • Division: This attribute maps to the legal entity in Brex.
    • Note: Currently, legal entities are expected to already exist in Brex before employees can be mapped to them. To create legal entities please go to the Brex dashboard.
  • Manager value: This attribute maps to the manager email in Brex. For manager import, make sure to map the manager’s email to the manager value. More times than not this will be the “user.managerId” in Okta. But if it isn't, map the correct attribute here.
  • Country: This attribute currently maps to the Location attribute in Brex. Okta supports this as a 2 character country code.
    • You can supply any other value as the location attribute in Brex by providing a custom profile mapping in Okta.

Mapping custom attributes (location)

Step 1: In your Brex SCIM app, go to Provisioning > Attribute Mappings and click Go to Profile Editor.

HC - Okta SCIM 06

Step 2: Select Add Attribute.

HC - Okta SCIM 07

Step 3: Define the attribute details for location.

  • Data type = string
  • Display name: Location
  • Variable name: location
  • External name: location
  • External namespace: urn:ietf:params:scim:schemas:extension:brex:User
  • Attribute type: Personal or Group
HC - Okta SCIM 07

Step 4: In your Brex SCIM app, go to Provisioning > Attribute Mappings > Show Unmapped Mappings and click the pencil icon for Location.

HC - Okta SCIM 09

Step 5: Map the relevant user attribute value from the Okta user profile to location (user.city is an example).

HC - Okta SCIM 10

You’ve now integrated Okta SCIM with your Brex account. You can test your setup by assigning the SCIM app to an Okta user to verify the user is provisioned in the Teams page of your Brex dashboard.


AttributeAttribute typeValueApply on
Username userNamePersonalConfigured in Sign On settings
Given name givenNamePersonaluser.firstNameCreate and update
Family name familyNamePersonaluser.lastNameCreate and update
Middle name middleNamePersonaluser.middleNameCreate and update
Honorific prefix honorificPrefixPersonaluser.honorificPrefixCreate and update
Honorific suffix honorificSuffixPersonaluser.honorificSuffixCreate and update
Email emailPersonaluser.emailCreate and update
Primary email type emailTypePersonal(user.email != null && user.email !=”) ? ‘work’ :”Create and update
Title titlePersonaluser.titleCreate and update
Display name displayNamePersonaluser.displayNameCreate and update
Nickname nicknamePersonaluser.nickNameCreate and update
Profile Url profileUrlPersonaluser.profileUrlCreate and update
Primary phone primaryPhonePersonaluser.primaryPhoneCreate and update
Primary phone type primaryPhoneTypePersonal(user.primaryPhone != null && user.primaryPhone != “) ? work :”Create and update
Address type addressTypePersonal(user.streetAddress != null && user.primaryPhone != “) ? ‘work’ :”Create and update
Street address streetAddressPersonaluser.streetAddressCreate and update
Locality localityPersonaluser.cityCreate and update
Region regionPersonaluser.stateCreate and update
Postal Code postalCodePersonaluser.zipCodeCreate and update
Country countryPersonaluser.countryCodeCreate and update
Formatted formattedPersonaluser.postalAddressCreate and update
Preferred language preferredLanguageGroupuser.preferredLanguageCreate and update
Locale Name localeGroupuser.localeCreate and update
Time zone timezoneGroupuser.timezoneCreate and update
User type userTypeGroupuser.userTypeCreate and update
Employee number employeeNumberPersonaluser.employeeNumberCreate and update
Cost center costCenterGroupuser.costCenterCreate and update
Organization organizationGroupuser.organizationCreate and update
Division divisionGroupuser.divisionCreate and update
Department departmentGroupuser.departmentCreate and update
Manager value managerValuePersonaluser.manageridCreate and update
Manager display name managerDisplayNamePersonaluser.managerCreate and update
(optional) Location locationPersonal or GroupExpression from Okta user profileCreate and update
Was this article helpful?