With SCIM (System for Cross-domain Identity Management), users from Okta can be synchronized to TeamViewer. It allows administrators to create, update, and delete users within Okta and automatically update their TeamViewer accounts within seconds.
This article applies to TeamViewer customers with a Tensor license.
To be able to use this feature, you must meet the following requirements:
Please refer to the setup instructions given in the article Single Sign-On for Okta and ensure that on the Sign-On tab, you have the Application username format set to the value Email.
Follow the steps below to set up SCIM.
1. Open your Okta app.
2. Go to the General tab.
3. Click Edit to change the App Settings.
4. Enable SCIM next to the Provisioning section, then click Save.
5. On the Provisioning tab, select Edit, and enter the following information into the fields:
6. Select Push New Users, Push Profile Updates, and Push Groups.
7. Change Authentication Mode to HTTP Header.
8. Next to Authorization, enter the Script Token you created above in the TeamViewer Management Console.
9. Once complete, you can click on Test Connector Configuration, then click Save.
Your completed config should look like this:
10. Edit your Provisioning settings again and tick the Create Users, Update User Attributes, Deactivate Users, and Sync Password checkboxes, then click Save.
1. Go to the Push Groups tab.
2. Allocate any groups you want pushed to TeamViewer.
After following the steps above, the SCIM parameters must be adapted to include the customer identifier.
1. Go to Applications.
2. Open the appropriate app.
3. Switch to the Provisioning tab, and scroll down to Attribute Mapping.
4. Press Go to Profile Editor.
5. Click on + Add Attribute.
6. Set the following variables where the external name and external namespace must not be changed:
7. Open Mappings for that app.
8. Switch to Okta User to App.
9. Set the customer identifier, the same one used for SSO, as a static value.
10. Apply updates now.
11. Under the given Application, click on Provisioning, and the newly created attribute should be visible.
12. Edit the attribute to apply the value only on Create.
Newly provisioned users should now be able to directly log in via their Okta account.
Provisioning in TeamViewer is based on the members of your TeamViewer Company. However, user email addresses need to be unique across all TeamViewer accounts.
Creating new users through Okta Provisioning can fail if the email address is already registered in TeamViewer by another user, even if that user is not part of your TeamViewer Company.
In addition, removing a user from a TeamViewer Company will not delete the user account. Therefore, the Provisioning integration can fail to re-create the user, as the account with the corresponding email address still exists.
Updating the user name/email of the user is not supported by the TeamViewer provisioning integration.
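The limitations above can be checked before users are assigned to the app. The following is an added example, not TeamViewer or Okta code: the function, the status labels, and the sample records are hypothetical, and it assumes you keep your own record of which emails are provisioned in your company and which accounts were removed from it. Addresses registered by accounts outside your company cannot be seen in advance and will still surface as failed creates.

```python
from collections import Counter
from typing import NamedTuple

class OktaUser(NamedTuple):
    okta_id: str
    username: str  # application username; the setup requires the Email format
    email: str

def norm(addr: str) -> str:
    # Assumption of this example: addresses are compared case-insensitively.
    return addr.strip().lower()

def preflight(assigned, company_members, removed_accounts):
    """Classify each assigned Okta user before a SCIM push.

    company_members:  okta_id -> email currently provisioned in the company
    removed_accounts: emails removed from the company whose accounts still exist
    """
    seen = Counter(norm(u.email) for u in assigned)
    removed = {norm(e) for e in removed_accounts}
    plan = {}
    for u in assigned:
        email = norm(u.email)
        current = company_members.get(u.okta_id)
        if norm(u.username) != email:
            plan[u.okta_id] = "fix-username-format"  # username must be the email
        elif seen[email] > 1:
            plan[u.okta_id] = "duplicate-email"      # emails must be unique
        elif current is not None and norm(current) != email:
            plan[u.okta_id] = "rename-unsupported"   # name/email updates are not synced
        elif current is not None:
            plan[u.okta_id] = "in-sync"
        elif email in removed:
            plan[u.okta_id] = "recreate-will-fail"   # old account still holds the address
        else:
            plan[u.okta_id] = "create"
    return plan

# Constructed sample records (not real users).
ASSIGNED = [
    OktaUser("u1", "ana@example.com", "ana@example.com"),
    OktaUser("u2", "bob", "bob@example.com"),
    OktaUser("u3", "cy.new@example.com", "cy.new@example.com"),
    OktaUser("u4", "dee@example.com", "Dee@Example.com"),
    OktaUser("u5", "eve@example.com", "eve@example.com"),
]
MEMBERS = {"u3": "cy@example.com", "u5": "eve@example.com"}
REMOVED = {"dee@example.com"}
```
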