Okta integration: Set up SCIM provisioning

Note: This article primarily applies to Ramp Administrators. Cardholders may find other articles in the Ramp overview section to be more applicable.

Overview

System for Cross-domain Identity Management (SCIM) can be set up to connect your Identify Provider (IdP) with your Ramp account. SCIM allows you to invite and deactivate Ramp users directly from your IdP. For general information on using SCIM with Ramp, please review this article.

This article explains how to set up the Okta SCIM integration from your Ramp account. After finishing this setup, you can also optionally enable role syncing from Okta by following this article.

We've called out many suggestions and "things you should know" for using the integration so we strongly recommend you read this before setting up your SCIM integration!

Note: Changes made via SCIM may take up to 5 minutes to be reflected in Ramp, and in rare cases, slightly longer. For urgent actions, such as terminating a compromised Ramp user, card, or funds, we recommend completing the action directly in Ramp.

Set up the integration on Ramp

Before you begin

Determine which profile field you want to use for the user's department in Ramp. By default this is set to "department" but you can map to any profile field in Okta. Other common options are "cost center", "organization", or "division".
Determine which profile field you want to use for the user's location in Ramp. By default this is set to "city" but you can map to any profile field in Okta. Other common options are "cost center", "locale", "state", and "country code".
Audit your users in Okta to ensure there is a department AND location set for each user. Any user who does not have one of these values will not be provisioned in Ramp.
"Groups" in Okta can make it easier to manage user assignments. If you choose to use Okta groups, please fully review the "inviting user groups" section below.
If you already have users on your Ramp account:
- Confirm that the employee profile information in Ramp matches the data in your IDP. When you provision a user via SCIM and they already exist in Ramp, the IdP becomes the source of truth and will override the user's Ramp profile if it doesn't match.
- If a user's email address doesn't match, SCIM will use the Okta email address to create a second account for the user
If you are disconnecting from HRIS to set up SCIM
- Please ensure that the HRIS fields that you use for Department and Location are synced to your IDP (Okta). If you disconnect HRIS, and the data does not match your IDP, the SCIM integration will override the employee profile information on Ramp. (Reminder that you can map to any IdP field you'd like.)
- We recommend contacting your Ramp partner for support
(Later) Once you have the integration set up, before you terminate anyone via SCIM, you’ll want to determine your preferred options for handling user deletion in regards to how Ramp will handle their cards and status in approval chains. (See Terminations section below)
Know the supported features
- Create users (Invite to Ramp)
- Update user attributes (Name, Department, Location, Manager)
- Deactivate users

Integration setup

Go to Company > Integrations
Search and select Okta

Note: You cannot integrate with both SCIM and HRIS at the same time. If you are connected to HRIS, you will need to disconnect the HRIS integration in order to set up SCIM.

Select your identity provider (currently supporting Okta only)
When you select your provider, you will be prompted with instructions on how to set up the integration with your IdP. These instructions vary by provider and will guide you through setup.
Install the Ramp app in your Okta tenant
Use the provided URL and API token from your Ramp dashboard to configure the app in Okta
After configuring your credentials, the "To App" and "To Okta" options will appear in the left side menu. Click on: "To App" to configure the activity from Okta to Ramp. (You will not need to configure the "To Okta" activity as this is a one-way integration).
Ensure that the following are checked and enabled:

Create Users
Update User Attributes
Deactivate Users

Setting the attribute mappings

The following are the recommended attribute mappings. Please note: that you can assign any desired Okta value to the Ramp attributes. Ensure the attribute names match the capitalization below (e.g., in "userName" make sure the "N" is capitalized). Additionally, ensure that all attributes are configured to apply on "Create and Update".

Ramp's Okta SCIM integration comes with these default attributes already available in the Profile Editor, so there is no need to add or modify any attributes before configuring these mappings.

Attribute Name	External Name	Value	Notes
userName			This attribute cannot be configured
givenName	name.givenName	user.firstName
familyName	name.familyName	user.lastName
email	emails.^[primary==true].value	user.email
locality	addresses.^[primary==true].locality	user.city	This value will be used to set the user's location in Ramp. If the location does not exist in Ramp yet, it will be automatically created. If Ramp receives a request to create or update a user with no locality set, it will be rejected.
department	department	user.department	This value will be used to set the user's department in Ramp. If the department does not exist in Ramp yet, it will be automatically created. If Ramp receives a request to create or update a user with no department set, it will be rejected.
managerValue	manager.value	manager email	This should be the user's manager's email address. If Ramp receives no value, users will be provisioned with no manager. If Ramp receives an email address which isn't associated with a Ramp user, the user won't be created/updated until that manager is provisioned. Bulk provisioning of users alongside their managers is supported, as long as all specified emails point to a manager that is/will be provisioned.

Attribute <> Ramp user profile mapping

Attribute Name	Ramp User Profile	Required?
userName	Not shown on the Ramp user profile. We use this as a unique identifier on the back end.	Yes
givenName	First Name	Yes
familyName	Last Name	Yes
email	Email address	Yes
locality	Location	Yes (if none provided, integration default will be used)
department	Department	Yes (if none provided, integration default will be used)
managerValue	Manager	No

The external namespaces for all base SCIM attributes will be pre-populated in Ramp's Okta integration, and should not require reconfiguration. If needed, the namespaces for the attributes above are:

urn:ietf:params:scim:schemas:core:2.0:User (for all attributes except for department and managerValue)
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User (for department and managerValue attributes)

Once you complete setup, you’ll land on the SCIM integration page where you can view and configure your SCIM settings. Read more about the SCIM settings page here.

Troubleshooting

If you run into any issues configuring SCIM, go to your Ramp dashboard and click the (?) icon at the bottom right of your screen. Ask Ramp to help troubleshoot the setup issue you are seeing in your SCIM configuration, and continue in the same help flow if you need a next step.

Provisioning users

Invites

When you connect to your IdP (Okta) via SCIM, you will be able to automatically invite users to Ramp from your IdP.

Ramp requires the following information to send the invite:

First Name
Last Name
Email address
Department
Location
Manager

If a user has a manager assigned to them in your IdP, you can push that information to Ramp as well, and we recommend doing so. (This is configurable from Okta)

Note that if you invite a user with a manager who has not been invited to Ramp yet, we will not be able to provision the user in Ramp until the manager has been invited to Ramp as well.

In order to successfully send a user invite via SCIM, the required fields must be populated in your IdP, otherwise the invite will not be sent. If the user is missing any required fields, the request will fail. You can track errors/unsent invites in Okta.

Note that you can map any Okta field to the Ramp attributes. The recommended fields are pre-populated in Okta, but you can change them.

Ramp invites are sent to users via email. The invite email “sender” is set to the user’s manager. If the user doesn’t have a manager, it falls back to the Ramp account owner. In other words, new users provisioned via SCIM will receive an invite email from their manager. If they don’t have a manager, it will come from the Ramp account owner.

If you also have SSO/SAML set up, your users can access Ramp using SSO and don't need to accept the invite via email.

Inviting user groups in Okta

You have the option to invite users as individuals or as part of user groups from your Okta account.

It is common to have workflows in Okta that automatically add or remove a user to/from a group based on certain criteria. If a user is (automatically or manually) moved from a group where they are assigned to Ramp, they will be immediately terminated from Ramp. This applies even if they are added to a new group that's also assigned to Ramp. Okta treats this as two separate actions, which results in the user being terminated and then recreated with a new user account.

Due to this, we recommend you assign users to Ramp using a group that is manually managed rather than managed through automation and workflows. If you do need to move users between groups, we recommend adding the user to the new group BEFORE removing them from any other groups OR temporarily disabling "de-provisioning" from the SCIM settings while you make group changes. This will ensure they stay provisioned to Ramp and do not accidentally get terminated.

When you assign the Ramp app to a group, Okta will prompt you to set a department for the entire group. You can choose to assign the department at the group level, but if you prefer to use the department that's set on the individuals' profiles, you will need to update one of your configuration settings to do so. To disable this in Okta:

Go to: Applications -> Applications -> Ramp -> Provisioning
Under "Ramp Attribute Mappings" click the "Go to Profile Editor" button
Click the pencil next to "Department" to edit this attribute
Uncheck the "Attribute required" checkbox and save

Now, when you assign a group, it will still ask you for a department for the entire group, but you can leave it blank. The users in the group will be invited to Ramp from the department value that's saved to their profile.

User setup in Ramp

You can optionally enable role syncing from Entra by following this article. If you don't choose to enable role syncing: if a user is assigned as someone’s manager in your IdP (Identity Provider) when they're invited, we will automatically assign them the Manager role on Ramp. Otherwise, all users invited via SCIM will be assigned the Employee role. User roles should be managed through your IdP. Any role changes made in your IdP will automatically sync to Ramp every 24 hours.

IT Admin and Accounting roles on Ramp cannot act as Managers. When you try to provision or update a user whose manager has the IT Admin or Accounting role, you will receive an error, and the attempt to provision or update will fail.

When a user is invited via SCIM, we will issue any default Spend Programs that you’ve configured for your business.

Deactivations

As with all of Ramp's SCIM integrations, users will be de-provisioned rather than deleted if they are no longer assigned to the Ramp app in their IdP. Read more here for considerations of what this entails.

Automatic updates

Any time a user’s information is updated in your IdP system, the SCIM integration will update the user’s information in Ramp. Your IdP will be the source of truth for all employee information.

Name
Department
Location
Manager
Role*

Email changes are supported via SCIM. When an email is updated in your identity provider, the employee will receive a verification email and must confirm the change before it takes effect in Ramp. You can read more about handling user updates here.

Note: For Roles, a user will only be assigned as a Manager on Ramp if they are assigned as someone's manager in Okta.