User Provisioning and Deprovisioning with SCIM 2.0

Note

User Provisioning and Deprovisioning with SCIM 2.0 is an advanced feature.

Introduction

Implementing System for Cross-domain Identity Management (SCIM) 2.0 for provisioning and de-provisioning users provides a standardized and efficient method for managing user identities across various systems and applications. It involves the automated creation, updating, and removal of user accounts across multiple systems.

QMetry supports SCIM 2.0 for automatic user provisioning and de-provisioning, which reduces manual intervention and potential errors. Its other benefits are:

  • It ensures consistency of user data across multiple systems, reducing the risk of discrepancies or outdated information.

  • It streamlines the user lifecycle management process, saving time and resources for both IDPs and SPs.

  • It helps enforce access control policies and maintain data security by promptly removing access for deactivated users.

SCIM settings are configured at the instance level; only the Super Administrator can manage them.

Step 1. Enable SCIM in QMetry

Enabling SCIM in QMetry involves configuring the application to support the SCIM standard and setting up the necessary endpoints and authentication mechanisms to communicate with an identity provider like Okta.

First, enable SCIM Provisioning in QMetry.

Note

Required Permission: Only the Super Administrator of the instance can access and enable the SCIM feature.

Steps

  1. Log in to QMetry with Super Admin credentials.

  2. Go to Integration > SCIM.

  3. Turn on the SCIM Provisioning option.

  4. Review the following configuration details displayed on the screen:

    • Base URL: The URL of the QMetry instance configured with Okta.

      Example: https://testmanagement.qmetry.com/scim/v2

      The SCIM administrator must use this URL to integrate the SCIM system with QMetry.

    • Supported SCIM 2.0 tool: Okta. Use the following syntax for Group Name and Custom Attribute in Okta.

      • Group Name: QMetry_{ProjectKey}_{Role} for project and role mapping.

      • Custom Attribute: QMetry_User_LicenseType for license type mapping (Regular and Read-Only).

    SCIM integration configuration screen showing settings for enabling automatic user provisioning and deprovisioning in QMetry. The SCIM Provisioning toggle is active, with the Base URL displayed for SCIM 2.0 integration. Supported SCIM tool information lists Okta, including group and custom attribute formats. Additional options allow administrators to choose between automatic or manual license type management for users.
  5. When prompted with a confirmation message, click Yes to enable SCIM provisioning.

    QMetry displays a success message confirming the activation.

Note

After enabling the SCIM settings, user provisioning, de-provisioning, and assignment of users to projects are managed directly through SCIM. Only the Super Admin of QMetry has permission to manage and assign users from within QMetry. No other user, regardless of role or permissions, can create, update, or assign/unassign users to projects and roles.

Allotting and Managing User License Types (Regular or Read-Only)

QMetry allows the admin to choose how user license types are managed: automatically through QMetry or manually through SCIM. The admin can select from the following options:

  • Automatic Management: QMetry automatically assigns and manages user license types based on the user's assigned projects, roles, and available licenses.

    • If a user is assigned only read-only roles for all projects, a Read-Only license will automatically be assigned, provided there are available Read-Only licenses.

    • If a user has at least one project with a non-read-only role, a Regular license will automatically be assigned as long as Regular licenses are available.

  • Manual Management: The SCIM administrator can manually assign and manage user license types using the custom attribute QMetry_User_LicenseType.

Understanding Scenarios for Automatic User License Management in QMetry

QMetry intelligently assigns and manages user licenses based on the user's assigned projects, roles, and available licenses. The scenarios below outline how licenses are allotted:

Scenario A: QMetry Has Sufficient Regular Licenses and Read-Only Licenses Remaining

| Scenario | User License Action | Activation Status |
|---|---|---|
| A New User is created with the Read-Only role assigned to all projects. | Read Only | User Active. |
| A New User is created with a Non-Read-Only role (Admin, Tester, QA Manager, etc.) assigned to any project. | Regular | User Active. |
| A New User is created with all Non-Read-Only roles (Admin, Tester, QA Manager, etc.) assigned to projects. | Regular | User Active. |
| User Update (Current License: Read Only) | | |
| The user has All Project Access as a Read-Only Role, and a new Project with a Read-Only Role is assigned. | Read Only | Older projects remain as assigned. New projects/roles are assigned as read-only. |
| The user has All Project Access as a Read-Only Role, and a new or existing Project with a Non-Read-Only Role is assigned. | License Type Changed to Regular | Older projects remain as assigned. New/updated projects/roles are assigned. |
| User Update (Current License: Regular) | | |
| The user has All Project Access as a Non-Read-Only Role, and a new Project with a Non-Read-Only Role is assigned. | Regular | Older projects remain as assigned. New/updated projects/roles are assigned. |
| The user has All Project Access as a Non-Read-Only Role, and a new Project with a Read-Only Role is assigned. | Regular | Older projects remain as assigned. New projects/roles are assigned. |
| The user has all projects assigned/updated as a Read-Only Role. | License Type Changed to Read Only | Older projects remain as assigned, after the project with a non-read-only role is removed. Assign the updated new project/role. |

Scenario B: QMetry Has Sufficient Regular Licenses and No Read-Only License Remaining/Not Purchased

| Scenario | License Action | Activation Status |
|---|---|---|
| A New User is created with the Read-Only role assigned to all projects. | Regular License | Activate user. |
| A New User is created with any 1 Non-Read-Only role (Admin, Tester, QA Manager, etc.) assigned to any projects. | Regular License | Activate user. |
| User Update (Current License: Read Only) | | |
| The user has All Project Access as a Read-Only Role, and a new Project with a Read-Only Role is assigned. | Read Only | Older projects remain as assigned. Assign the new project/role. |
| The user has All Project Access as a Read-Only Role, and a new or existing Project with a Non-Read-Only Role is assigned. | License Type Changed to Regular | Older projects remain as assigned. Assign the new/updated project/role. An audit log should be recorded for auto-conversion. |
| User Update (Current License: Regular) | | |
| The user has All Project Access as a Non-Read-Only Role, and a new Project with a Non-Read-Only Role is assigned. | Regular | Older projects remain as assigned. Assign the new project/role. |
| The user has All Project Access as a Non-Read-Only Role, and a new Project with a Read-Only Role is assigned. | Regular | Older projects remain as assigned. Assign the new project/role. |
| The user has all projects assigned as a Read-Only Role. | Keep License Type as Regular | Older projects remain as assigned, after the project with a non-read-only role is removed. |

Important: The SCIM Admin must push the group under the Push Groups tab or assign/unassign the project to the same user.

Scenario C: Regular Licenses Exhausted and Read-Only Licenses are available

| Scenario | License Action | Activation Status |
|---|---|---|
| A New User is created with the Read-Only role assigned to all projects. | Read Only | Activate user. |
| A New User is created with any 1 Non-Read-Only role (Admin, Tester, QA Manager, and so forth) assigned to any projects. | Error: The active regular user limit has been exceeded. Please contact your admin to increase the license limit or deactivate other users. | |
| User Update (Current License: Read Only) | | |
| The user has All Project Access as a Read-Only Role, and a new Project with a Read-Only Role is assigned. | Read Only | Older projects remain as assigned. The new project with the role will be assigned. |
| The user has All Project Access as a Read-Only Role, and a new or existing Project with a Non-Read-Only Role is assigned. | Read Only. | Error: could not automatically update the user license type to ‘Regular’ because the current limit for the Regular license has been exhausted. To resolve this issue, please either deactivate existing Regular license users or purchase additional licenses. Older projects remain as assigned. |
| User Update (Current License: Regular) | | |
| The user has All Project Access as a Non-Read-Only Role, and a new Project with a Non-Read-Only Role is assigned. | Regular | Older projects remain as assigned. New projects/roles are assigned. |
| The user has All Project Access as a Non-Read-Only Role, and a new Project with a Read-Only Role is assigned. | Regular | Older projects remain as assigned. New projects/roles are assigned. |
| The user has all projects assigned as a Read-Only Role. | License Type Changed to Read Only | Older projects remain as assigned after the project with the non-read-only role is removed. Assign the new project/role. |
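The rules in Scenarios A to C, written out as one decision function so an administrator can predict the outcome of a SCIM push before making it. This is an added example that models the documented behaviour, not QMetry's implementation; the function and field names are hypothetical, and cases the scenarios do not cover (both license pools exhausted, a user with no project) raise instead of guessing.

```python
"""Model of the automatic license rules in Scenarios A-C (added example)."""
from dataclasses import dataclass
from typing import Optional, Sequence

REGULAR = "Regular"
READ_ONLY = "Read Only"


@dataclass(frozen=True)
class Decision:
    license: Optional[str]  # license held afterwards; None = new user not activated
    applied: bool           # False when the requested assignment is rejected
    note: str = ""


def required_license(roles_read_only: Sequence[bool]) -> str:
    """One flag per assigned project: True if the role on it is read-only.

    A single non-read-only role is enough to require a Regular license.
    """
    if not roles_read_only:
        raise ValueError("no project/role assignment: not covered by the scenarios")
    return READ_ONLY if all(roles_read_only) else REGULAR


def decide(current: Optional[str], roles_read_only: Sequence[bool],
           regular_free: int, read_only_free: int) -> Decision:
    """Return the license outcome for a new user (current=None) or an update.

    roles_read_only describes the assignments as they would be AFTER the change.
    """
    need = required_license(roles_read_only)

    # The user already holds the right license: no seat is consumed.
    if current == need:
        return Decision(current, True, "license unchanged")

    if need == REGULAR:
        if regular_free > 0:
            return Decision(REGULAR, True, "Regular license assigned")
        # Scenario C: Regular seats exhausted. A new user is rejected and an
        # existing Read-Only user keeps the old license and old projects.
        return Decision(current, False, "Regular license limit exhausted")

    # From here on the user only needs Read Only.
    if read_only_free > 0:
        return Decision(READ_ONLY, True, "Read-Only license assigned")
    if current == REGULAR:
        # Scenario B: no Read-Only seat to move to, so the Regular seat is kept.
        return Decision(REGULAR, True, "kept Regular, no Read-Only license available")
    if regular_free > 0:
        # Scenario B: a new read-only user consumes a Regular seat.
        return Decision(REGULAR, True, "Regular license used, no Read-Only license available")
    raise LookupError("both license pools exhausted: not covered by the scenarios")


if __name__ == "__main__":
    # Constructed inputs: (current license, roles after the change, free seats)
    print(decide(None, [True, True], regular_free=5, read_only_free=0))
    print(decide(READ_ONLY, [True, False], regular_free=0, read_only_free=3))
```

The second call shows the Scenario C row worth monitoring: a role upgrade pushed from Okta is rejected and the user stays Read Only, so the group membership in Okta and the effective access in the application disagree until a Regular license is freed.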

Step 2. Create SAML App Integration in Okta

Create a SAML 2.0 application integration in Okta to enable secure single sign-on (SSO) for users.

Steps

  1. Log in to your Okta Admin account.

  2. Go to Applications > Applications.

  3. Click Create App Integration.

    Okta Applications page displaying options for managing app integrations. The highlighted Create App Integration button allows administrators to add a new application for integration. Other visible options include Browse App Catalog, Assign Users to App, and a More dropdown for additional actions. A banner indicates that the Developer Edition supports a limited number of apps.
  4. Select SAML 2.0 as the sign-in method, then click Next.

    Okta dialog box titled Create a new app integration, showing available sign-in methods for application setup. The SAML 2.0 option is selected, which enables XML-based Single Sign-On (SSO). Other listed options include OIDC - OpenID Connect, SWA - Secure Web Authentication, and API Services. Buttons for Cancel and Next are visible at the bottom of the dialog.
  5. Enter an App Name (for example, SSO) and click Next.

    Okta Create SAML Integration screen displaying the General Settings step. The user enters “QTM App SCIM” as the app name. Options are available to upload an app logo and control app visibility in user dashboards or the Okta Mobile app. Navigation buttons for Cancel and Next appear at the bottom.
  6. In the SAML Settings section, provide the following details:

    • Single sign-on URL: Enter your SSO endpoint, including the organization code.

      • Example:

        • URL: https://testmanagement.qmetry.com

        • Organization Code: QTMTST1.

        • Resulting SSO URL: https://testmanagement.qmetry.com/saml/SSO/alias/QTMTST1

      • Select Use this for Recipient URL and Destination URL.

    • Audience URI (SP Entity ID): Enter your application’s Entity ID corresponding to your Org Code.

    • Application Username: Choose Okta username prefix as the default value for user identification.

  7. Click Next.

    Okta SAML Settings configuration screen showing general setup options. Fields include Single sign-on URL with a sample QMetry SSO URL, Audience URI (SP Entity ID) set to “QTMTST1,” and other parameters such as Name ID format, Application username, and Update application username on. The checkbox for “Use this for Recipient URL and Destination URL” is selected, and a Show Advanced Settings link is visible at the bottom.
  8. Select This is an internal app that we have created, then click Finish.

    Okta Help Okta Support understand how you configured this application screen. The option This is an internal app that we have created is selected to indicate the app is internally developed. Buttons for Previous and Finish appear at the bottom to navigate or complete the setup.

The SAML integration now appears in your Okta organization. You can edit its configuration parameters or assign it to users as needed.

Step 3. Add SCIM Provisioning in Okta

Add SCIM provisioning in Okta to enable automated user creation, updates, and deactivation between Okta and the QMetry (QTM) application.

Steps

  1. In Okta, open the QMetry (QTM) application you created earlier.

    Okta Applications page displaying a list of available apps. The QTM App SCIM entry is highlighted under the “ACTIVE” section, showing the app’s gear icon and settings menu. Buttons for Create App Integration, Browse App Catalog, Assign Users to App, and More appear at the top of the screen.
  2. Go to the General tab.

  3. Click Edit under App Settings.

    Okta QTM App SCIM settings page under the General tab. The App Settings section shows options for Application label, Application visibility, and Provisioning. The Provisioning option is currently set to None, with other options for On-Premises Provisioning and SCIM. An Edit button on the right allows changes to these settings.
  4. Under Provisioning, select SCIM to enable SCIM-based user provisioning.

  5. Click Save.

    Okta QTM App SCIM configuration screen showing the General tab of App Settings. The Provisioning option is set to SCIM, with other settings for Application label, Application visibility, Auto-launch, and notes for end users and admins. Buttons for Cancel and Save appear at the bottom to apply changes.

    After saving, the Provisioning tab becomes available for configuration.

Step 4. Select Provisioning Options

QMetry supports the following provisioning features.

  • Push New Users

  • Push Profile Updates

  • Push Groups

Steps

  1. In Okta, open your QMetry (QTM) app integration settings.

  2. Go to the Provisioning tab. The SCIM connection settings appear under Settings > Integration.

  3. Click Edit to modify the SCIM connection configuration.

    Okta QTM App SCIM application page under the Provisioning tab. The SCIM Connection section displays fields such as SCIM version (2.0), SCIM connector base URL, Unique identifier field for users, and Supported provisioning actions. An Edit button on the right allows modifying the SCIM connection configuration.
  4. Enter the following details:

    • SCIM connector base URL: Enter the SCIM connector base URL. You can find the base URL in Integration > SCIM in QMetry.

      • Syntax {QTM_url}/scim/v2.

      • Example: https://qtmcloud.qmetry.com/scim/v2

    • Unique identifier field for user: Enter the field name of the unique identifier for the users on the SCIM server. This is a static parameter value.

      • Example: userName

    • Supported provisioning actions: Select the provisioning actions supported by the SCIM Server. The following provisioning features are supported:

      • Push New Users: This option populates the Settings > To App page and contains settings for all the user information that flows from Okta into the SCIM app.

      • Push Profile Updates: This option populates the Settings > To App page and contains settings for all profile information that flows from Okta into the SCIM app.

      • Push Groups: This option populates the Settings > To App page and contains settings for all group information that flows from Okta into the SCIM app.

    • Authorization Mode: This is the mode you want Okta to use to connect to your SCIM app. Select HTTP Header.

    • Authorization: To authenticate using the HTTP Header, you need to provide a bearer token that provides authorization against your SCIM app. Enter the Open API Key of the Super Administrator of the QMetry instance.

    Generate the Open API Key
    1. Log in to QMetry Test Management with Super Administrator credentials.

    2. Navigate to Integration > Open API.

    3. In the Generate Open API section, click Generate to create a new key.

    4. Copy the generated key and paste it into the Authorization field in Okta.

      QMetry Open API integration screen showing the Generate API Keys section. A generated API Key is displayed in a masked format with a copy icon highlighted in orange for easy duplication. The key can be used for SCIM or other integration configurations.
  5. Click Test Connector Configuration to verify the connection.

    Okta QTM App SCIM configuration under the Provisioning tab showing SCIM Connection settings. The form includes fields for SCIM connector base URL, Unique identifier field (userName), and Authentication Mode (HTTP Header) with an authorization token. The Supported provisioning actions options include Push New Users, Push Profile Updates, and Push Groups. The Test Connector Configuration button is highlighted, allowing validation of the SCIM setup.

    Note

    If you are using the Okta Integrator, ensure that the following options are checked:

    • Import New Users and Profile Updates

    • Import Groups

    A success message confirms that the SCIM connector is configured correctly. Close the confirmation pop-up.

    Okta Test Connector Configuration window displaying a success message — “Connector configured successfully.” The detected provisioning features list includes Create Users, Update User Attributes, and Push Groups marked with checkmarks, while User Import, Import Profile Updates, and Import Groups are marked with red crosses, indicating unsupported actions.
  6. Click Save to apply and store the configuration.

Step 5. Configure “To App” Provisioning Settings

When configuring To App provisioning in Okta, you need to define several settings that enable the synchronization of user data from Okta to the application.

Steps

  1. Log in to Okta with an Admin account.

  2. Go to Applications > Applications.

  3. Open your QMetry (QTM) app integration.

  4. Go to the Provisioning tab.

    You’ll see three sub-tabs:

    • To App

    • To Okta

    • Integration

  5. Select the To App tab.

    You can configure what is to be copied from Okta to the app integration.

  6. Click Edit to modify the configuration settings.

    Okta QTM App SCIM page open under the Provisioning tab. The section shows Provisioning to App with directional flow from Okta to the target application. The Settings pane on the left highlights “To App,” “To Okta,” and “Integration” options. The Edit button on the bottom right is highlighted, allowing administrators to modify SCIM provisioning settings.
  7. Select the required provisioning options for synchronization from Okta to QMetry:

    • Create Users: Creates or links a user in the app integration (for example, App SCIM) when assigning the app to a user in Okta. It assigns a new external application account to each user managed by Okta. Okta sends a random password in its request to create a user.

    • Update User Attributes: Okta updates a user's attributes in the integrated app (for example, App SCIM) when the app is assigned. Any attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in the integrated app (for example, App SCIM).

    • Deactivate User: Deactivates user accounts when the users are unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.

  8. Click Save to apply the changes.

    Okta QTM App SCIM configuration under the Provisioning tab showing Provisioning to App settings. Options such as Create Users, Update User Attributes, and Deactivate Users are checked and enabled, allowing automatic user provisioning and updates between Okta and the connected app. The Sync Password option remains unchecked. The Save button is available at the bottom right to confirm configuration changes.

    Once saved, To App mappings are enabled, and user provisioning between Okta and QMetry begins based on the selected settings.
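To check that the Deactivate User setting above actually removes access, the sketch below compares the users Okta has assigned with the accounts the SCIM endpoint still reports as active. It is an added example, not QMetry or Okta code. It assumes the endpoint answers GET {Base URL}/Users with a standard SCIM 2.0 ListResponse and accepts the Open API Key as a Bearer token; the host, key and user names are constructed placeholders.

```python
"""Audit sketch: accounts still active in the SCIM app after IdP unassignment."""
import json
import urllib.request
from typing import Iterable, Optional
from urllib.parse import urlencode

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_request(base_url: str, api_key: str, user_name: Optional[str] = None,
                  start_index: int = 1, count: int = 100) -> urllib.request.Request:
    """Build GET {base_url}/Users, optionally filtered on the identifier userName."""
    params = {"startIndex": start_index, "count": count}
    if user_name is not None:
        # SCIM filter values are JSON strings: json.dumps escapes quotes and
        # backslashes, so a crafted name cannot alter the filter expression.
        params["filter"] = "userName eq " + json.dumps(user_name, ensure_ascii=False)
    url = base_url.rstrip("/") + "/Users?" + urlencode(params)
    return urllib.request.Request(url, headers={
        "Authorization": "Bearer " + api_key,  # assumption: key sent as Bearer token
        "Accept": "application/scim+json",
    })


def parse_users(body: str) -> list:
    """Validate the ListResponse envelope and return its resources."""
    doc = json.loads(body)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    return doc.get("Resources", [])


def fetch_users(request: urllib.request.Request) -> list:
    """Send the request (needs network access; not used by the offline sample)."""
    with urllib.request.urlopen(request, timeout=30) as response:
        return parse_users(response.read().decode("utf-8"))


def active_but_unassigned(assigned_in_idp: Iterable[str], scim_users: list,
                          local_accounts: Iterable[str] = ()) -> list:
    """Return userNames that are active in the app but not assigned in the IdP.

    userName is compared case-insensitively, as SCIM defines it. local_accounts
    lists accounts expected to exist outside the IdP, such as the Super Admin.
    """
    known = {name.casefold() for name in assigned_in_idp}
    known |= {name.casefold() for name in local_accounts}
    stale = []
    for user in scim_users:
        name = user.get("userName", "")
        # A missing "active" flag is treated as active so the account gets reviewed.
        if user.get("active", True) and name.casefold() not in known:
            stale.append(name)
    return sorted(stale)


# Constructed sample data, not output from a real instance.
SAMPLE_BODY = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 5,
    "Resources": [
        {"userName": "alice", "active": True},
        {"userName": "Bob", "active": True},
        {"userName": "carol", "active": False},   # deactivated as expected
        {"userName": "dave", "active": True},     # unassigned in Okta, still active
        {"userName": "superadmin", "active": True},
    ],
})
SAMPLE_ASSIGNED = {"alice", "bob"}

if __name__ == "__main__":
    req = build_request("https://qmetry.example.invalid/scim/v2", "PLACEHOLDER_KEY")
    print(req.full_url)
    print(active_but_unassigned(SAMPLE_ASSIGNED, parse_users(SAMPLE_BODY),
                                local_accounts={"superadmin"}))
```

For a live run, page through the results with `start_index` until `totalResults` is reached before comparing, otherwise accounts beyond the first page are never reviewed.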

Step 6. Map License Type as a Custom Attribute

Note

Skip this step if Automatic User License Management is enabled in QMetry.

In Okta, the Directory refers to the user profile attributes stored within the Okta platform. The Profile Editor allows you to customize these attributes and their mappings. You can tailor user attributes to meet your organization's specific requirements for seamless integration and data synchronization.

Add a custom attribute QMetry_User_LicenseType for license type mapping (Regular and Read-Only).

The user license type can be changed (from Regular to Read-Only and vice versa), without needing to unassign and reassign the projects, only if the user has read-only access to all projects.

Steps to perform attribute mapping in the Directory > Profile Editor are mentioned below.

Steps

  1. Log in to your Okta Admin account.

  2. Go to Directory and select Profile Editor.

  3. Open the Default Okta User profile.

    Okta Profile Editor window displaying the Users tab. The default Okta User Profile appears under the list with the User (default) label and type Okta. The sidebar filter shows options like All and Okta, while the Create Okta User Type button is highlighted on the right for adding a new user profile type.
  4. Add a new custom attribute, or edit an existing one, named QMetry_User_LicenseType for license type mapping (Regular and Read-Only).

    Okta Attributes page under Profile Editor, listing user attributes with columns for Display Name, Variable Name, Data Type, and Attribute Type. Standard fields such as Username, First name, Last name, and Email are shown as Base attributes. A custom attribute named QMetry_User_LicenseType with variable name QMetry_User_LicenseType is visible at the bottom under the Custom type, with the edit icon highlighted.
  5. After adding the values, click Save Attribute.

    If the Attribute required parameter is marked as Yes, the first value will be used as the default when people are added to Okta.

    Okta Attribute Configuration screen for the custom attribute QMetry_User_LicenseType. The attribute is defined with data type string and variable name user.QMetry_User_LicenseType. Under Enum, two values — Read Only (RO) and Regular (RG) — are listed. Read Only user permission is selected to restrict modification, and the Save Attribute button is available at the bottom to confirm the configuration.
  6. Return to the Profiles list.

  7. Open the QMetry (QTM) application profile.

    Okta Profile Editor interface showing the Users tab. The custom profile QTM App SCIM User with identifier dev126694_qtmappscim_1 is highlighted under the Profile column, with type listed as Application. The default Okta User (default) profile appears above it, and the Create Okta User Type button is visible on the right.
  8. Add a new custom attribute, or edit an existing one, named QMetry_User_LicenseType for license type mapping (Regular and Read-Only).

    • External namespace: While adding an attribute, enter urn:ietf:params:scim:schemas:core:2.0:User as the External namespace. The external namespace is used to refer to the namespace in the external system. It allows you to use additional or custom user attributes beyond what is provided by default in SCIM.

    Okta attribute configuration screen for QMetry_User_LicenseType under the QTM App SCIM profile. The attribute is defined as a string type with variable name dev12778681_mars_1.QMetry_User_LicenseType and external namespace urn:ietf:params:scim:schemas:core:2.0:User. The Enum option is enabled with two values — Regular (RG) and Read Only (RO). The Attribute required checkbox is selected, Personal attribute type is chosen, and Mutability is set to READ_WRITE. The Save Attribute button is visible
  9. After adding the values, save the attribute.

  10. Return to the Profile page.

  11. Click Mappings for the user profile.

    Okta Profile Editor interface under the Users tab showing available user profiles. The QTM App SCIM User profile with ID dev126694_qtmappscim_1 is listed under the Application type. The Mappings link is highlighted on the right to indicate the next step — opening and configuring attribute mappings between Okta and QMetry.
  12. Select the Okta User to {QTM App} tab to map the user attributes.

  13. Click Save Mappings to confirm the mapping between Okta and QMetry.

    Okta QTM App SCIM User Profile Mappings screen showing mapping direction Okta User to QTM App SCIM. The table lists multiple Okta user attributes (like firstName, lastName, email, city, userType) mapped to corresponding QTM SCIM profile fields. The last mapping highlights the custom attribute user.QMetry_User_LicenseType mapped to QMetry_User_LicenseType on the QTM App SCIM profile. The Save Mappings button appears at the bottom right.

Step 7. Refresh App Groups

The Refresh App Groups option allows you to manually trigger a group refresh from the external application. This action pulls the latest group information (including group names and memberships) from the application into Okta.

Steps

  1. In Okta, open your QMetry (QTM) app integration.

  2. Go to the Push Groups tab.

  3. Click Refresh App Groups.

    • Okta imports all groups created in QMetry into Okta.

    • The synchronization process begins automatically.

    Okta QTM App SCIM application window under the Push Groups tab. The highlighted Refresh App Groups button is used to get the latest groups from QTM App SCIM. Other options like Push Groups and Bulk Edit are visible at the top, with columns showing Group in Okta, Group in QTM App SCIM, Last Push, and Push Status.
  4. To verify the imported groups, go to Directory > Groups in Okta.

Details

  • The Groups page displays both Okta and QMetry (App) groups. The icon is the differentiator between groups created in QMetry and groups created in Okta.

    • Groups with the Okta icon originate from Okta.

    • Groups without the icon originate from QMetry.

  • You can filter the list to display only Okta groups or only App groups.

  • Once synchronization completes, Okta reflects all roles or user groups from QMetry using the following syntax:

    QMetry_{ProjectName}_{RoleName}

    Example: QMetry_QTM_Tester

  • Group memberships synced from QMetry are managed automatically by Okta and cannot be modified manually.

Step 8. Create a New Group in Okta

Create a group in Okta to map projects and roles.

Steps

  1. In Okta, go to Directory > Groups.

  2. Click Add Group.

    The Add group window opens.

  3. In the Name field, enter the group name using the following syntax:

    QMetry_{ProjectKey}_{Role}

  4. Click Save.

    Okta Add group screen showing the Name field populated with QMetry_QP_Tester and an optional Description field. The Save button is highlighted to confirm the creation of the new group.

    The group is added to the list.

    Okta Groups page displaying a newly created group named QMetry_QP_Tester under the All tab. The table shows columns for Group name, People, and Applications, with zero members and applications currently assigned.

Step 9. Assign an App Integration to a Group

When app integrations belong to the same group, they are considered "linked." This feature can be particularly useful when provisioning functionality needs to be incorporated into an SSO-enabled app integration.

Steps

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Locate the app integration on the list. You can search for the app integration using the Search field if the list is long.

  3. Open the app integration once you locate it.

    Okta Applications page showing a search for “QTM App SCIM” within the list of configured applications. The search bar is active, and the QTM App SCIM integration appears in the results under the STATUS section, indicating the app is available for selection.
  4. Open the Assignments tab.

  5. Click Assign and select Assign to Groups.

    Okta QTM App SCIM application page displaying the Assign dropdown menu. The Assign to Groups option is highlighted, allowing administrators to assign the SCIM app integration to specific user groups for provisioning.
  6. Locate the group to which you want to assign the app integration and click Assign.

    Okta Assign QTM App SCIM to Groups window showing a list of available groups filtered by the search term “QMetry_QP_.” The QMetry_QP_Tester group is displayed with the Assign button highlighted, allowing administrators to link this group to the QTM App SCIM integration.
  7. Review the attributes set in the Assign <application name> to Groups dialog.

  8. Click Save and Go Back.

    Okta Assign QTM App SCIM to Groups window displaying group-level attributes such as Preferred language, Locale Name, Time zone, User type, Cost center, and Organization. Each attribute shows its default mapping with an option to Override. The bottom of the window features Save and Go Back and Cancel and Go Back buttons for completing or discarding the configuration.

    The Assign button changes to Assignment and becomes disabled, indicating that the app integration has been assigned to the group.

  9. Click Done to confirm.

    The app integration is assigned to the selected group. All users within the group automatically gain access to the integration. Each user's assignment type for the app integration is categorized as Group, and this information can be accessed from the Assignments tab of the integration.

  10. Open the Groups tab.

    You can see the assignment for the group.

    Okta QTM App SCIM application page under the Assignments tab showing that the QMetry_QP_Tester group has been successfully assigned. The group appears in the assignments list with editable and remove options available.

Step 10. Push Groups

You can set up group push in SCIM from Okta to the application, which allows automated management of group memberships across Okta and QMetry.

Once SCIM is enabled for your Okta organization and you have configured the SCIM app for the application, you can then configure Group Push.

In Okta, configure group push settings for the SCIM app associated with the application. This involves specifying which groups should be pushed to the application and mapping Okta group attributes to corresponding attributes in the application.

Steps

  1. In Okta, open the QMetry (QTM) app integration.

  2. Locate the required group.

    • Use the Search or Advanced Search options if needed.

  3. Open the Push Groups tab.

  4. From the Push Groups drop-down list, select Find groups by name.

    Okta QTM App SCIM application interface under the Push Groups tab showing the Push Groups button expanded. The dropdown menu highlights the Find groups by name option, allowing administrators to search for and push specific groups to the QTM App SCIM integration.
  5. Search for the group name you want to push.

    • When the matching group appears, select it.

  6. Select the option Push group memberships immediately.

  7. Click Save.

    • The selected group from Okta appears under the list of pushed groups.

  8. Under Match result & push action, select Link Group.

    • If a matching group exists in QMetry, Okta links it automatically.

  9. Click Save again to confirm the configuration.

    Okta Push Groups to QTM App SCIM configuration screen showing the QMetry_QP_Tester group selected for synchronization. The “Match found” status is displayed, confirming successful linkage between Okta and QTM App SCIM. Buttons for Save and Save & Add Another appear at the bottom for finalizing the configuration.

    The group gets linked automatically.

    Okta Push Groups to QTM App SCIM page displaying the QMetry_QP_Tester group under the “By name” section. The table shows the group linked in both Okta and QTM App SCIM, with the Push Status marked as Active and the Last Push timestamp confirming successful synchronization.

Step 11. Assign People to a Group

Assign people to a group in Okta to manage user access and apply group-based permissions for integration.

Steps

  1. Log in to Okta with an Admin account.

  2. Go to Directory > Groups.

  3. Click the group name to open it.

    Okta Groups page under Directory, showing the QMetry_QP_Tester group listed with 0 People and 1 Application assigned. The search bar at the top filters results, confirming that the group has been successfully synced and linked to the QTM App SCIM integration.
  4. Click Assign people.

    Okta group detail page for QMetry_QP_Tester, showing tabs such as People, Applications, and Profile. The Assign people button on the right side allows admins to add users to this group, enabling SCIM-based user provisioning between Okta and QTM App SCIM.
  5. Click the + (Add) icon to select and add users to the group.

    Okta interface showing the Assign people to QMetry_QP_Tester dialog. A list of active users appears with a plus (+) icon on the right side to assign them to the group. Once selected, these users will be provisioned to QTM App SCIM automatically through the SCIM integration.
    • Assigned users appear in the list with the status Assigned.

  6. Click Done to return to the People tab.

    Okta screen showing a user successfully assigned to the QMetry_QP_Tester group. The status shows a green checkmark labeled “Assigned,” with an option to Remove if needed. Clicking Done finalizes the addition and triggers SCIM provisioning for that user in QTM App SCIM.

    You can verify the assignments in the Assignments tab > People section of the group.

Step 12. Verify Users in

After a group is assigned to a user in Okta, automatically creates the corresponding user account and assigns it to the appropriate project and role based on the Project Name and Role Name defined in the group name.

User Creation and Assignment

  • creates new users with the following attributes:

    • Username

    • Alias

    • First Name

    • Last Name

    • Email

  • Users with the authentication type receive an email containing their username and a temporary password.

    They must reset their password upon first login.

  • If an Okta user is not part of any group, or the group has not been pushed from Okta, still creates the user, but without any assigned projects.

  • As a best practice, disable the default project and role while SCIM is enabled.

Note

Only the Super Administrator can create, delete, or update user details, manage project assignments, activate or deactivate users, and remove users from .

Verify in

  1. In the instance, go to Customization > Users to view all synchronized users.

    QMetry application interface showing a user record under Customization > Users. The newly provisioned user appears with details such as Username, Authentication Type (QMETRY), User Type (Regular), and 2FA Status (Disabled), confirming successful SCIM-based synchronization from Okta.

    Users are also assigned to the project with a role.

  2. Open Projects > Project / Release / Cycle.

  3. Select the Users tab to see the assigned users and their roles.

    QMetry Project screen displaying the Users tab. The list shows multiple users with roles such as Tester and Admin, and all marked as Active. This confirms that the user provisioned through Okta SCIM has been successfully linked and is now visible within the QMetry project user list.

    • If a user is deactivated in or removed from Okta, their Status changes to Inactive, provided they are not assigned to any other projects.

      QMetry Project Users tab showing a list of users with their roles and statuses. One user’s status is marked as Inactive, highlighted in orange. This indicates successful SCIM deprovisioning from Okta—when the user was unassigned or deactivated in Okta, the corresponding user in QMetry was automatically marked inactive.

View Audit Logs

captures audit logs for all SCIM-related activities, including:

  • Enabling or disabling SCIM settings

  • Project assignments and removals

  • User creation, updates, and deactivation

Steps

  1. In , go to Integration > SCIM.

  2. Review the audit logs for all SCIM activities.

  3. To export the logs to Excel, click Export.

    QMetry’s SCIM Integration page displaying active SCIM provisioning settings, including the SCIM Base URL and supported tool information. The Audit Logs section lists user-related API actions such as VIEW, CREATE, and UPDATE, along with timestamps, requester names, and response details. An Export button in the upper-right corner enables downloading SCIM audit logs for external review and troubleshooting.
  4. Download the exported file from the Scheduled Tasks section.

    QMetry’s Scheduled Tasks screen showing an Export (SCIM Logs) activity. The task, executed by user QTMTST1, shows that 31 out of 31 records were processed successfully. The timeline bar indicates the process started and completed within seconds, confirming successful export of SCIM logs for the QMetry Project. A download icon in the top-right corner allows exporting the results file.

Scenarios When SCIM Is Enabled in Okta for

When SCIM is enabled, Okta automatically manages user provisioning, deprovisioning, and synchronization for (QTM).

The following scenarios explain how different user and project actions behave under SCIM management.

Update User Details in

When SCIM is active, only the following user details can be updated directly in :

  • Username

  • Alias

  • First Name

  • Last Name

  • Email

Update Project Assignments for Users

  1. In Okta, go to Directory > Groups.

  2. Open the People tab for the desired group.

  3. Remove the user from the existing group.

  4. Trigger a Group Push to synchronize the change with .

Deactivate Users

You can deactivate users either from the Applications area or directly from the Directory in Okta.

  • From Applications

    1. In Okta, go to Applications > Applications.

    2. Open the app integration.

    3. Go to Assignments > People.

    4. From the user list, remove the user you want to deactivate.

  • From Directory

    1. In Okta, go to Directory > People.

    2. Open the More actions drop-down menu.

    3. Select Deactivate.

    4. Choose the users and click Deactivate Selected.

Once deactivated in Okta, the user automatically becomes Inactive in .
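The rules above (project and role come from the pushed group name, users outside any pushed group are created without projects, and a deactivated user stays Active while assigned to other projects) can be checked with a periodic reconciliation. The following is an added example, not code from the product or from Okta: the record layouts and sample users are constructed, and the `QMetry` prefix and `QP` project key are taken from the `QMetry_QP_Tester` group shown on this page.

```python
# Constructed sample data; the record layouts are assumptions, not a product export format.
IDP_USERS = [  # Okta side: user status plus pushed-group memberships
    {"userName": "alice@example.com", "status": "ACTIVE", "groups": ["QMetry_QP_Tester"]},
    {"userName": "bob@example.com", "status": "DEPROVISIONED", "groups": []},
    {"userName": "carol@example.com", "status": "ACTIVE", "groups": []},
    {"userName": "dave@example.com", "status": "ACTIVE", "groups": ["QMetry_QP_Admin"]},
]
APP_USERS = {  # application side: userName -> (status, {project key: role})
    "alice@example.com": ("Active", {"QP": "Tester"}),
    "bob@example.com": ("Active", {"MOB": "Tester"}),  # kept Active by another project
    "carol@example.com": ("Active", {}),
    "dave@example.com": ("Active", {"QP": "Tester"}),
    "erin@example.com": ("Active", {"QP": "Admin"}),   # created outside the IdP
}

def parse_group(name, prefix="QMetry"):
    """Split <prefix>_<ProjectKey>_<Role>; return (project_key, role) or None."""
    parts = name.split("_", 2)  # assumes project keys contain no underscore
    if len(parts) != 3 or parts[0] != prefix or not all(parts[1:]):
        return None
    return parts[1], parts[2]

def reconcile(idp_users, app_users):
    """Return (userName, finding) pairs where the two systems disagree."""
    findings, seen = [], set()
    for user in idp_users:
        name = user["userName"]
        seen.add(name)
        status, projects = app_users.get(name, ("Missing", {}))
        if user["status"] != "ACTIVE":
            if status == "Active":
                findings.append((name, "deactivated in IdP, still Active in app"))
            continue
        expected = dict(p for p in map(parse_group, user["groups"]) if p)
        if status != "Active":
            findings.append((name, "active in IdP, not Active in app"))
        elif not expected and not projects:
            findings.append((name, "provisioned without any project"))
        elif expected != projects:
            findings.append((name, "project/role differs from pushed groups"))
    for name, (status, _) in app_users.items():
        if name not in seen and status == "Active":
            findings.append((name, "Active in app, unknown to IdP"))
    return findings

if __name__ == "__main__":
    for name, finding in reconcile(IDP_USERS, APP_USERS):
        print(f"{name}: {finding}")
```

The first finding type is the one to review after every offboarding: an account that remains Active because of another project assignment still holds access after the identity provider has deactivated it.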

Restricted Operations in

When SCIM is enabled, only the Super Administrator can perform user and role management actions.

All other users, regardless of role or permissions, are restricted from performing the following operations:

  • Creating or updating users

  • Assigning or unassigning users to projects

  • Editing their own user details (Username, First Name, Last Name, Email)

  • Activating or deactivating other users

  • Changing authentication types

  • Editing or assigning roles (including Role Title changes)

  • Using the following project-level options:

    • Add new LDAP/SAML users to this project

    • Make this the default role for new LDAP/SAML users

Sync New Projects or Roles

When a new project or role is created in , you need to refresh the Okta app groups to reflect the changes.

  1. In Okta, go to Applications > Applications.

  2. Open the app integration.

  3. Go to the Push Groups tab.

  4. Click Refresh App Groups to sync newly created projects or roles.

Sync a Non-Synced User

If a user in Okta has not yet synced to :

  1. In Okta, go to Applications > Applications.

  2. Open the app integration.

  3. Open the Assignments tab.

  4. Click Provision User to sync the user immediately.

Scenarios When SCIM Is Disabled in Okta for

When SCIM is disabled, Okta no longer manages user provisioning or deprovisioning for .

  • User creation, updates, and project assignments must be done manually in .

  • Automatic synchronization of users and groups between Okta and stops.
