User provisioning lets you synchronize user accounts between TalentLMS and your IdP through the SCIM v2 API. It’s a process that can save significant amounts of time and ensure the centralization of your users' access privileges. Common uses include pushing new users to TalentLMS, activating or deactivating users, and updating user profiles automatically.
At the time of writing, TalentLMS only supports user provisioning through Okta and Azure AD, but we hope to support more providers compatible with the SCIM v2 API in the near future.
How to configure user provisioning with Okta
We have broken down our guide into four sections:
A. Features
B. Requirements
C. Configuration
D. Known issues & troubleshooting
Let’s start!
A. Features
The supported user provisioning features are:
- Push New Users: Users created in Okta are added to TalentLMS automatically.
- Push Profile Updates: Updates made to user profiles through Okta are synced to TalentLMS.
- Push User Deactivation/Activation: Deactivating a user or revoking their access to the application through Okta deactivates the user in TalentLMS. User activation is also supported.
Note: Deactivating a user means changing the user’s status from “active” to “inactive”. The user’s account is not deleted.
- Import New Users: Users created in TalentLMS are added to Okta automatically. If a new TalentLMS user is an existing Okta user, the two accounts are linked. Imported users are assigned to the TalentLMS app in Okta as soon as they are confirmed from the Import tab on the Okta TalentLMS app page.
Note: By default, user import is set to manual, but you can automate it by selecting one of the available scheduling options (e.g., every hour).
- Push Password Updates: Updates made to user passwords through Okta are synced to TalentLMS.
B. Requirements
First of all, make sure that you have configured SSO with TalentLMS properly. To do that:
1. Sign in to your TalentLMS account as Administrator and go to the Users tab on the Home > Account & Settings page.
2. Click Single Sign-on (SSO) (1). The required fields must contain the values provided in this article.
3. Click Save and check your configuration (2) to double-check that all the required user attribute/value pairs (e.g., username/TargetedID, user email) are returned from Okta.
Before you return to your Okta TalentLMS app page, check Enable SCIM v2 user provisioning and note down the provided Api Key (3). Make sure to click Save at the bottom of the page after enabling SCIM provisioning.
C. Configuration
To configure user provisioning for TalentLMS, follow these steps:
1. Sign in to your Okta dashboard, go to the Applications page and click TalentLMS.
2. Go to the Provisioning tab and, on the Settings panel, click API Integration.
3. Check Enable API integration.
4. In the API Token field, paste the Api Key you noted down earlier.
5. Click Test API Credentials and, if successful, click Save.
6. On the Settings panel, click To App. Then, click Edit to enable your preferred Okta-to-TalentLMS user provisioning features.
7. On the Settings panel, click To Okta. Then, click Edit to configure your TalentLMS-to-Okta user provisioning settings.
Great!
Now you’re ready to go to the Import tab and assign your imported users to the Okta TalentLMS app.
D. Known issues & troubleshooting
Before you start using your Okta-enabled user provisioning service, take a look at these important notes:
- When the “Time zone” and “User type” attributes are not defined for a specific user, then their TalentLMS user account is assigned the default values. The default time zone can be configured from the Locale section on the Home > Account & Settings > Basic settings page. The default user type can be configured from the Home > Account & Settings > Users page. The default values for each branch can be configured from the branch homepage by the branch admin.
- When you delete a provisioned user account in TalentLMS, you must make sure the account is deleted permanently. That way, when creating a new user through user provisioning, you avoid getting an error message that their email is not unique. For more on deleting user accounts permanently, see this article.
- When you change an assigned user’s username from the Edit user assignment page, the username of the existing TalentLMS account is also updated. However, we strongly recommend that you avoid changing an assigned user’s username from the Edit user assignment page because that process is not fully supported by Okta. Instead, you can change the username from the user’s profile page and wait for your changes to be synced to TalentLMS and all the other apps assigned to that user.
- When trying to push a user to your TalentLMS domain through the SCIM v2 API, you may get the following error message: "A user with the same email address already exists." This could mean two things:
  - There’s already a TalentLMS user account for the same user registered with that email address, but the username is different than the one pushed by Okta. In that case, the username matching fails due to the email address not being unique, so TalentLMS tries to create a new user account. The issue is resolved by changing the user’s username either in Okta or TalentLMS to match the other one.
  - You have recently deleted a TalentLMS user that was registered with that same email address. In that case, the new user’s email is not recognized as unique because the old user isn’t permanently deleted (i.e., TalentLMS doesn’t remove users permanently at first delete so that you can restore a user if they’ve been deleted by accident). The issue is resolved by permanently deleting the user that has the same email. For more on deleting users permanently, see this article.
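A pre-flight check for the two "same email address" cases above, as an added example (not TalentLMS or Okta code): it models the matching behaviour this article describes over constructed user lists, so conflicts can be found before the first push. The `User` record, the `preflight` function, case-insensitive comparison, and the exclusion of deleted users from username matching are assumptions of this example.

```python
from collections import namedtuple

# Constructed record shape; the field names are assumptions for this example.
User = namedtuple("User", "username email deleted", defaults=(False,))

def _norm(value):
    # Assumption: usernames and emails compare case-insensitively.
    return value.strip().casefold()

def preflight(okta_users, lms_users):
    """Predict the outcome of pushing each Okta user to TalentLMS."""
    # Assumption: only non-deleted accounts take part in username matching.
    by_username = {_norm(u.username) for u in lms_users if not u.deleted}
    by_email = {}
    for u in lms_users:
        by_email.setdefault(_norm(u.email), []).append(u)

    report = {}
    for o in okta_users:
        if _norm(o.username) in by_username:
            report[o.username] = "match: existing account is updated"
            continue
        # No username match, so a new account would be created;
        # creation fails if the email is already held by any account.
        holders = by_email.get(_norm(o.email), [])
        active = [h.username for h in holders if not h.deleted]
        if not holders:
            report[o.username] = "create: new account"
        elif active:
            report[o.username] = f"conflict: align username with {active[0]}"
        else:
            report[o.username] = "conflict: delete old user permanently"
    return report

# Constructed sample data covering each outcome.
OKTA = [User("asmith", "asmith@example.com"),
        User("b.jones", "bjones@example.com"),
        User("cdiaz", "cdiaz@example.com"),
        User("dlee", "dlee@example.com")]
LMS = [User("asmith", "asmith@example.com"),
       User("bjones", "bjones@example.com"),
       User("cdiaz_old", "cdiaz@example.com", deleted=True)]

if __name__ == "__main__":
    for name, outcome in preflight(OKTA, LMS).items():
        print(f"{name:10} {outcome}")
```

Both `conflict` outcomes correspond to the "A user with the same email address already exists." error; the text after the colon names which of the two fixes applies.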