Marketing Center SCIM 2.0 Provisioning
Configure SCIM 2.0 user provisioning and group push between Okta and the Ocozzio Marketing Center platform. This guide covers enabling the SCIM API integration, configuring provisioning features, and setting up group sync.
Prerequisites
Before enabling SCIM provisioning, ensure the following requirements are in place.
Have your credentials from Ocozzio on hand
You will need your Bearer Token during the SCIM API integration step below; Okta requires you to enter it manually when enabling the provisioning connection. Your Customer ID was already entered during General Settings in the SAML SSO Guide. If you have not yet received these credentials, contact Ocozzio support before proceeding.
Groups must already exist in the Marketing Center
The Marketing Center does not support group creation via SCIM. Any groups you intend to sync from Okta must already exist in the Marketing Center before you configure group push. Note the exact display names of these groups, they must match the Okta group names exactly for discovery to work correctly. Contact your Ocozzio Account Manager to set up the necessary groups.
Okta requirements
- Okta Super Admin or both App Admin and Org Admin roles to configure provisioning settings.
- Users to be provisioned must have at minimum: first name, last name, username, and primary email address set in their Okta profile.
Supported Provisioning Features
The following provisioning capabilities are supported by this integration. All provisioning is push-only from Okta to the Marketing Center.
Configuration Steps
3.1 — Configure SCIM 2.0 Provisioning
SCIM provisioning keeps user accounts in the Marketing Center in sync with Okta. When users are assigned to the app, accounts are automatically created or updated.
In your Okta Admin Console, go to Applications → Applications and open the
Marketing Center integration. Click the Provisioning tab, then in the main
panel click Configure API Integration. Select the Enable API
Integration checkbox. In the API Token field, enter the Bearer Token
provided by Ocozzio, prepended with Bearer (the word Bearer, followed by a
single space):
Bearer prefix (including the trailing space) must be included. Entering the
raw token value alone will result in authentication failure. The token value itself is
case-sensitive and must be entered exactly as provided by Ocozzio.
Click Test API Credentials. A success message confirms connectivity and that
the Bearer Token is valid. If authentication fails, verify that the token was entered in the
format Bearer <token>, the Bearer prefix is required, and
that the token value is entered exactly as provided by Ocozzio. If the value appears correct
but the test continues to fail, contact Ocozzio support to confirm the token is active and has
not been rotated or revoked. Click Save once the test passes.
Go to Provisioning → To App under Settings and enable the following features:
- Create Users
- Update User Attributes
- Deactivate Users
Leave Sync Password disabled, authentication is handled exclusively via SAML. Click Save.
3.2 — Configure Group Push
Group push synchronizes Okta group membership to pre-existing groups in the Marketing Center. The Marketing Center owns group definitions, groups cannot be created or deleted via SCIM.
Before proceeding, verify that all groups you intend to sync already exist in the Marketing Center with the exact display names you will use in Okta. Contact your Ocozzio Account Manager if groups need to be created.
Go to Directory → Groups → Add Group and create groups with names that exactly match the Marketing Center group names. Add the appropriate users to each Okta group.
Go to the app's Push Groups tab. Click Push Groups → Find groups by name and search for your group. Under Match result & push action, select Link Group. Select the matching Marketing Center group from the dropdown and click Save.
After saving, the group should appear in the Push Groups list with a status of Active. Okta will immediately push current group membership to the Marketing Center.
3.3 — Assign Users and Groups to the Integration
With SCIM provisioning fully configured, you can now assign users and groups to the integration. Okta will automatically provision accounts in the Marketing Center for each assigned user. As SAML SSO is already configured, users will be able to sign in via the Marketing Center tile in their Okta End-User Dashboard as soon as their account is provisioned.
Go to the Assignments tab of the Marketing Center integration, click Assign, and select Assign to People or Assign to Groups. Assign the appropriate users or groups and click Done.
Okta will immediately attempt to provision each assigned user in the Marketing Center. Go to the Provisioning tab and check the task log to confirm accounts were created successfully. Once provisioned, users will see the Marketing Center tile in their Okta End-User Dashboard and can sign in via SSO.
Attributes & Mapping
User Attributes
The following user attributes are pre-configured in the integration and synced automatically from Okta to the Marketing Center via SCIM. Attribute mappings are pre-configured in the integration and do not require changes.
| SCIM Attribute | Okta Profile Field | Marketing Center Field | Required |
|---|---|---|---|
userName |
user.userName |
LogonName | Required |
name.givenName |
user.firstName |
UserProfileFirstName | Optional |
name.familyName |
user.lastName |
UserProfileLastName | Optional |
displayName |
user.displayName |
UserProfileFullName | Optional |
title |
user.title |
UserProfileTitle | Optional |
emails[primary].value |
user.email |
UserProfileEmailAddress | Optional |
phoneNumbers[primary].value |
user.primaryPhone |
UserProfilePhone | Optional |
addresses[primary].streetAddress |
user.streetAddress |
UserProfileAddress1 / Address2 | Optional |
addresses[primary].locality |
user.city |
UserProfileCity | Optional |
addresses[primary].region |
user.state |
UserProfileState | Optional |
addresses[primary].postalCode |
user.zipCode |
UserProfilePostalCode | Optional |
addresses[primary].country |
user.countryCode |
UserProfileCountry | Optional |
active |
Managed by Okta | IsActive / IsArchived | Auto |
externalId |
Managed by Okta | ExternalIdentityProviderID | Auto |
streetAddress field is split on newline characters into two address lines. Only the primary
address is stored. State and province values are automatically normalized to two-letter abbreviations (US
states and Canadian provinces).
Group Attributes
Groups support only the displayName attribute, which is read-only, it reflects the group
name as defined in the Marketing Center. Group membership is managed exclusively via PATCH operations on
the members attribute. No custom group attributes are supported.
| SCIM Attribute | Notes |
|---|---|
id |
Storefront internal IdentityID — stable, assigned by the Marketing Center. |
displayName |
Read-only. Must match the existing Marketing Center group name exactly. |
members |
Managed via PATCH. Supports add, remove, and replace
operations. |
Troubleshooting
Bearer <token>, the
Bearer prefix (with a trailing space) is required, and entering the raw token value alone
will cause authentication to fail. Also confirm that the token value itself is entered exactly as
provided by Ocozzio, as it is case-sensitive. If the format and value appear correct but the test
continues to fail, contact Ocozzio support to confirm the token is active and has not been rotated
or revoked.POST /Groups because it owns
group definitions. Always use Link Group rather than Create Group when
configuring group push. Contact Ocozzio to verify the group exists in the Marketing Center and that the
display name exactly matches the Okta group name.