Configure user provisioning with Okta MDScripts app

MDScripts supports user provisioning from Okta using the SCIM (System for Cross-domain Identity Management) protocol.

Prerequisites

• You must have a user account in MDScripts with manager privileges.

• Your organization must have the Okta SCIM feature enabled. If your organization is not enabled for Okta SCIM, then contact support@mdscripts.com to request this feature.

Supported Features

The following provisioning features are supported by MDScripts.

• Create Users. Creates or links a user in MDScripts when assigning the app to a user in Okta.

• Update User Attributes. Okta updates a user's attributes in MDScripts when the app is assigned. Future attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in MDScripts.

• Deactivate Users. Deactivates a user's MDScripts account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.

The Okta SCIM interface has the following restrictions.

• Admin User Attributes. Okta cannot update attributes for Admin users.

Procedure

Step 1. Get the SCIM connector and API key

1. sign in to your MDScripts account.
2. Select Admin -> Admin Home.
   
3. Select Okta SCIM.
   
4. Copy the values for SCIM connector base URL and Authorization: Bearer. You will need those for when you configure the Okta application later.
   

Step 2. Enable SCIM API integration in Okta

1. sign in to Okta and add the MDScripts application.
2. From the application, click on the Provisioning tab, then click Settings Integration, and then click on the Configure API Integration button.
   
3. Click on the Enable API integration checkbox. Enter the API Token copied from above and click on the Test API Credentials button.
   
4. Click on the Save button when you verified the API Token.
   
5. Click To App and then click Edit to enable the supported provisioning operations: Create, Update, and Deactivate.
   
6. Select Enable for Create Users, Update User Attributes, and Deactivate Users. Click Save to apply the integration settings.
   
7. The default username should be set to Email. This can be done on the Sign On tab.
   
8. From the application, click on the Provisioning tab to view the supported MDScripts custom user attributes.
   
• user.timezone - Valid timezone string. eg US/Eastern, US/Central, US/Mountain, US/Pacific, US/Alaska, US/Hawaii
• user.isProvider - boolean value designates user to be a dispensing provider
• user.isPhysicianAssistant - boolean value designates the provider is a physician assistant (optional if isProvider set)
• user.npi - valid provider NPI value (required if isProvider set)
• user.deaLicense - valid provider DEA License for dispensing controls (optional if isProvider set)
• user.role - Assistant (default) or Manager
• user.siteNumbers - List of valid MDScripts Site Numbers for user access (comma delimited)
• user.emailType - defaults to work (optional)

Troubleshooting

The MDScripts application applies constraints to the first and last name if the attribute isProvider is set to true. The MDScripts application blocks the provider attributes if numbers are used in either the givenName or the familyName.

The following fields are not applicable if isProvider is false: isPhysicianAssistant, npi, deaLicense.

If you have questions with your MDScripts/Okta SCIM integration, please contact support@mdscripts.com