Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
{
"version": "1.0",
"exported_at": 1760073424,
"test_usage_90_days": 0,
"test_usage_billing_period": 0,
"name": "Okta SCIM 2.0 Entitlements Test",
"description": "Basic tests to see if your SCIM server's entitlement endpoints work with Okta.",
"trigger_url": "https://api.runscope.com/radar/20a66fda-1902-44ca-8c50-9245c152f4e2/trigger",
"is_skipped_at_bucket_level": false,
"steps": [
{
"step_type": "request",
"skipped": false,
"note": "Duplicate the request for multiple Entitlement Endpoints",
"method": "GET",
"args": {},
"data": "",
"headers": {},
"multipart_form": [],
"auth": {},
"url": "{{SCIMBaseURL}}{{EntitlementEndpoint}}?count=1&startIndex=1",
"assertions": [
{
"comparison": "equal_number",
"source": "response_status",
"value": 200
},
{
"comparison": "not_empty",
"source": "response_json",
"value": null,
"property": "Resources"
},
{
"comparison": "has_value",
"source": "response_json",
"value": "urn:ietf:params:scim:api:messages:2.0:ListResponse",
"property": "schemas"
},
{
"comparison": "is_a_number",
"source": "response_json",
"value": null,
"property": "startIndex"
},
{
"comparison": "equal_number",
"source": "response_json",
"value": "1",
"property": "itemsPerPage"
},
{
"comparison": "is_a_number",
"source": "response_json",
"value": null,
"property": "totalResults"
}
],
"variables": [],
"scripts": [],
"before_scripts": []
}
],
"last_run_created_at": null,
"step_count": 1
}
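Review bot: The `trigger_url` field near the top of this export still holds the Runscope trigger URL of the test it was exported from, and this file is published for download from the guide. Remove `trigger_url` along with the other export-only fields (`exported_at`, `test_usage_90_days`, `test_usage_billing_period`) so the shipped file carries only the test definition. Separately, the `itemsPerPage` assertion compares against the string `"1"` while the `response_status` assertion uses the number `200`; use `"value": 1` to match the `equal_number` comparison. The `not_empty` assertion on `Resources` also makes the test fail against a server that has no entitlements yet, which is worth stating in the step's `note`.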
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ meta:
layout: Guides
---

Learn how to submit an OIDC, SAML 2.0, SCIM 2.0, or Universal Logout integration to the Okta Integration Network (OIN) using the OIN Wizard.
Learn how to submit an OIDC, SAML 2.0, SCIM 2.0, Universal Logout, or Entitlement Management integration to the Okta Integration Network (OIN) using the OIN Wizard.

---

Expand All @@ -31,6 +31,7 @@ The OIN Wizard is a full-service tool in the Admin Console for you to do the fol

* Test your SSO integration with the OIN Submission Tester.
* Test your SCIM integration with manual test cases and Runscope test suites.
* Test your SCIM-based Entitlement Management manually.
* Test your Universal Logout integration manually.

* Submit your integration directly to the OIN team when you're satisfied with your test results.
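Review bot: The added bullet `Test your SCIM-based Entitlement Management manually.` says entitlement testing is manual only, but later hunks in this change add an Entitlement Management Runscope test suite and a results-link field for it. Align it with the SCIM bullet above it, for example "Test your SCIM-based Entitlement Management integration with manual test cases and the Runscope test suite."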
Expand All @@ -43,18 +44,21 @@ The OIN team verifies your submitted integration before they publish it in the [

### Protocols supported

This guide covers submissions that use the following protocols and integration:
This guide covers submissions that use the following protocols and integrations:

* [OpenID Connect (OIDC)](https://openid.net/connect/)

* [Security Assertion Markup Language (SAML) 2.0](http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html)

* [System for Cross-domain Identity Management (SCIM) 2.0](https://scim.cloud)
* [System for Cross-domain Identity Management (SCIM) 2.0 Provisioning](https://scim.cloud)

* [Universal Logout](https://developer.okta.com/docs/guides/oin-universal-logout-overview/)
* [SCIM 2.0 Entitlement Management](/docs/guides/scim-with-entitlements/main/)

* [Universal Logout](/docs/guides/oin-universal-logout-overview/)

> **Notes:**
> * Universal Logout integrations are only supported for SAML 2.0 and OIDC protocols. If you want to submit a Universal Logout integration with SCIM provisioning, you must also submit an SSO integration with either SAML 2.0 or OIDC.
> * Entitlement Management is only supported for SCIM-based provisioning.
> * SWA app integrations are no longer accepted for publication in the OIN catalog. However, the OIN team still maintains existing SWA apps.
> * There are protocol-specific limitations on integrations in the OIN. See [OIN limitations](/docs/guides/submit-app-prereq/main/#oin-limitations).

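Review bot: The new note `Entitlement Management is only supported for SCIM-based provisioning.` words the restriction differently from the same note added later in this change, which says "SCIM-based integrations". Pick one wording and use it in every copy. The renamed list entry `SCIM 2.0 Provisioning` also still links to https://scim.cloud, so the link text now names a feature while the target is the general SCIM site.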
Expand Down Expand Up @@ -82,7 +86,7 @@ Start your integration submission for OIN publication:

1. Click **Configure your integration**.

### Configure your integration
### Add integration details

Continue with the OIN Wizard and configure your integration:

Expand All @@ -99,6 +103,10 @@ Continue with the OIN Wizard and configure your integration:

`*` Required properties

1. Click **Configure your integration**.

### Configure your integration

#### Integration variables

Configure integration variables if your URLs are dynamic for each tenant. The variables are for your customer admins to add their specific tenant values during installation. See [Dynamic properties with Okta Expression Language](#dynamic-properties-with-okta-expression-language).
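Review bot: The added step `1. Click **Configure your integration**.` repeats the step that still precedes the renamed `### Add integration details` heading in the previous hunk, so the reader is told to click the same button twice, and the sentence "Continue with the OIN Wizard and configure your integration:" now sits under the "Add integration details" heading. Confirm which button leads to which page, keep the click only where it applies, and reword the earlier step and sentence to match the new heading. Moving the `### Configure your integration` heading also changes where existing `#configure-your-integration` links land, so check inbound links.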
Expand Down Expand Up @@ -130,6 +138,19 @@ Continue with the OIN Wizard and configure your protocol settings:

<StackSnippet snippet="protocol-properties" />

#### SCIM 2.0 entitlement management properties

1. Specify the following properties if you want to integrate Entitlement Management:

> **Notes:**
> * Entitlement Management is only supported for SCIM-based integrations.
> * The SCIM entitlement management properties section only displays when you select **Entitlement Management** along with the protocols that your integration supports from the **Identity Lifecycle Management** section.

<StackSnippet snippet="entitlement-management-properties"/>

1. Click **+ Add another** to add another resource type.
1. If you need to delete a resource type, click the delete icon (![trash can; delete icon](/img/icons/odyssey/delete.svg)) next to it.

#### Universal logout properties

1. Specify the following properties if you want to integrate Universal Logout:
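Review bot: The two notes under `#### SCIM 2.0 entitlement management properties` are written inline here and again in the new notes snippet files in this change, with different formatting (`**Identity Lifecycle Management**` is bold and capitalized here, plain lowercase there). Keep one copy, preferably the snippet, and reference it. The heading also writes "entitlement management" in lowercase while the body text writes "Entitlement Management"; match the casing.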
Expand Down Expand Up @@ -190,14 +211,24 @@ Click **Test your integration** to save your test information and begin the inte
The OIN Wizard journey includes the **Test integration** experience page to help you configure and test your integration within the same org before submission. These are the tasks that you need to complete:

1. [Generate instances for testing](#generate-instances-for-testing). You need to create an app integration instance to test each protocol that your integration supports.

* For an SSO integration, configure SSO and assign test users on the test instance.
* For a SCIM integration, configure provisioning and map user profile attributes on the test instance.
* For SCIM entitlement management integration, manually test this functionality as follows:

1. Verify that the **Governance Engine** is **Enabled**. To enable it, see [Enable Governance Engine](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/entitlement-mgt.htm?cshid=ext-entitlement-mgt).
1. Configure provisioning and update the operations supported by your SCIM server.
1. Verify that the resource types or entitlements supported by your SCIM server are listed in the **Governance** tab.
1. Map user profile attributes on the test instance.
1. Assign the entitlements to the users manually for testing or automatically through a defined policy. For more information, see [Assign entitlements to users](https://help.okta.com/oie/en-us/content/topics/identity-governance/em/assign-entitlements-users.htm).

* For the Universal Logout integration, assign the test user and enable the **Logout** option on the instance. You can use the same instance that you created for SSO integration testing.

1. Test your integration.
* For an SSO integration, test the required flows in the [OIN Submission Tester](#oin-submission-tester) with your generated test instance. Fix any test failures from the OIN Submission Tester, then regenerate the test instance (if necessary) and retest.
* For a SCIM integration, execute the [Runscope CRUD tests](#runscope-crud-tests) and the [Okta manual integration tests](#manual-okta-scim-integration-tests) with your generated test instance.
* For a Universal Logout integration, test the logout flow manually. See [Test your Universal Logout integration](#test-your-universal-logout-integration).
* For SCIM entitlement management integration, execute the [Entitlement Management Runscope tests](#entitlement-management-runscope-tests) and the [Okta manual integration tests](#manual-okta-scim-integration-tests) with your generated test instance
* For a Universal Logout integration, test the logout flow manually. See [Test your Universal Logout integration](#test-your-universal-logout-integration).

1. [Submit your integration](#submit-your-integration) after all required tests are successful.

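Review bot: The bullet `For SCIM entitlement management integration, manually test this functionality as follows:` sits under step 1, which is about generating and configuring test instances, and its sub-steps are setup (enable Governance Engine, configure provisioning, map attributes, assign entitlements) rather than tests. Reword it to match its siblings, for example "For a SCIM entitlement management integration, configure the test instance as follows:". In step 2, the added entitlement bullet is missing its final period after "with your generated test instance", and both new bullets drop the article that the other bullets use ("For a SCIM integration").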
Expand Down Expand Up @@ -228,7 +259,7 @@ Generate instances for testing in your Integrator Free Plan org directly from th
Okta recommends that you generate an instance for testing each protocol supported by your integration:

* You must generate separate instances for testing if you support two SSO protocols (one for OIDC and one for SAML). The OIN Submission Tester can only test one protocol at a time.
* If your SSO integration also supports SCIM, then create one instance for SCIM protocol testing and one instance for each SSO protocol testing.
* If your SSO integration also supports SCIM and SCIM entitlement management, then create one instance for SCIM protocol and SCIM entitlement management testing and one instance for each SSO protocol testing.
* For Universal Logout integration, you can use the same instance that you created for SSO protocol testing.

There are certain conditions where you can test two protocols on one instance. You can create one instance for SSO and SCIM testing if your integration meets all of these conditions:
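Review bot: The rewritten bullet now reads `If your SSO integration also supports SCIM and SCIM entitlement management`, which no longer covers an SSO integration that supports SCIM without entitlement management, the case the replaced line described. Make entitlement management optional in the condition, for example "also supports SCIM (with or without SCIM entitlement management)".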
Expand Down Expand Up @@ -504,6 +535,10 @@ You need to run three sets of tests for SCIM integrations:

Enter the results URL from these tests in the **Link to Runscope CRUD test results** field when you submit your integration to the OIN.

1. [Entitlement management Runscope tests](#entitlement-management-runscope-tests)

Enter the results URL from these tests in the **Link to SCIM Entitlement Management Runscope test results** field when you submit your integration to the OIN.

1. [Manual Okta SCIM integration tests](#manual-okta-scim-integration-tests)

You must certify that you've completed these tests when you submit your integration to the OIN.
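Review bot: The list this hunk extends is introduced by "You need to run three sets of tests for SCIM integrations:" (visible in the hunk header), and the added `Entitlement management Runscope tests` item appears to make that count stale. Update the intro sentence, and state that this item applies only to integrations that include Entitlement Management. The item title writes "Entitlement management" while the field name on the following line writes "Entitlement Management".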
Expand Down Expand Up @@ -563,6 +598,14 @@ When you're satisfied with your Runscope CRUD test results, enter them in the **

1. Paste the test results URL into the **Link to Runscope CRUD test results** field in the OIN Wizard **Test integration** > **SCIM integration testing step** section.

#### Entitlement management Runscope tests

1. Download the [Okta SCIM 2.0 Entitlements Test](/standards/SCIM/SCIMFiles/Okta-SCIM-20-Entitlements-Test.json) file.

This Entitlement management test file is built for the BlazeMeter Runscope API monitoring tool. If you don't have a Runscope account, you can sign up with a [free trial to Runscope](https://www.runscope.com/okta) for Okta developers.

1. Follow the instructions from step [2](https://developer.okta.com/docs/guides/submit-oin-app/scim/main/#runscope-crud-tests:~:text=for%20Okta%20developers.-,From%20Runscope%2C,-click%20Import%20Test) in the [Runscope CRUD tests](#runscope-crud-tests) section.

#### Manual Okta SCIM integration tests

Execute the test cases in the [Okta SCIM Test Plan](/standards/SCIM/SCIMFiles/okta-scim-test-plan-v2.xlsx). Skip the test cases for the features that your integration doesn't support. All the other supported-feature test cases must pass before you can submit your integration to the OIN.
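Review bot: Step 2 of the new section links to an absolute `https://developer.okta.com/...` URL with a `#runscope-crud-tests:~:text=...` text fragment, which breaks as soon as the target wording changes and is inconsistent with the relative links used elsewhere in this change. Link to `#runscope-crud-tests` only and name the step in words. The section also never tells the reader to define the `{{SCIMBaseURL}}` and `{{EntitlementEndpoint}}` variables that the test file's request URL uses, to supply the credentials their SCIM server expects (the exported step has empty `headers` and `auth`), or to paste the results URL into the **Link to SCIM Entitlement Management Runscope test results** field, as the CRUD section does for its own field.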
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
> **Notes**:
* Entitlement Management is only supported for SCIM-based integrations.
* The SCIM Entitlement Management properties section only displays when you select Entitlement Management along with the protocols that your integration supports from the identity lifecycle management section.
* For instructions on configuring Entitlement Management properties, see [Configure Entitlement Management properties](#configure-entitlement-management-properties).
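Review bot: Only the first line, `> **Notes**:`, carries the blockquote marker; the three bullets below it have no `> ` prefix, so they render as a separate list outside the note callout. Prefix each bullet with `> ` and write the label as `> **Notes:**`, as the notes block in the main guide does.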
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
> **Notes**:
* Entitlement Management is only supported for SCIM-based integrations.
* The SCIM Entitlement Management properties section only displays when you select Entitlement Management along with the protocols that your integration supports from the identity lifecycle management section.
* For instructions on configuring Entitlement Management properties, see [Configure Entitlement Management properties](#configure-entitlement-management-properties).
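Review bot: This snippet is identical to the previous new file, so the same text now has to be maintained in two places, three with the inline copy in the main guide. The last bullet links to `#configure-entitlement-management-properties`, but the heading this change adds is `#### SCIM 2.0 entitlement management properties`, and no heading with the linked name is visible in the change; point the link at the heading that exists.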
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
| Property | Description |
| --- | --- |
| Resource type mapping | |
| Resource type * | The name of the resource type. For example, Role or License. |
| Endpoint * | Endpoint of the entitlement server. For example, /Roles |
| Properties | <br><ul> <li>Required - This option makes an entitlement mandatory for user assignment. If an entitlement property is marked as Required, you can’t assign a user to the app without granting at least one entitlement from a category.</li><li>Multi-valued - This option determines if a user can be assigned multiple entitlements from the same category.</li></ul> |
| Description | Description of the entitlement resource type. |
| Schema mapping: Allows mapping the custom SCIM properties to the Okta SCIM URN. | |
| ID `*`| The attribute or column name for the ID of the entitlement. This appears as the **Value Name** field in the **Governance** tab. For example, `roleId`. |
| Display Name `*` | The attribute or column name for the display name of the entitlement. This appears as the **Display Name** field in the **Governance** tab. For example, `roleName`. |
| Description | The attribute or column name for the description of the entitlement. For example, `roleDesc`. This appears as the **Description** field in the **Governance** tab. |

`*` Required properties
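Review bot: The required marker is written two ways in this table: `Resource type *` and `Endpoint *` use a bare asterisk, while the `ID` and `Display Name` rows use the code-formatted asterisk that the footnote also uses. Use the code-formatted form in all four rows. The `Endpoint` example `/Roles` should be code-formatted and end with a period like the other cells, and the description should say that the value is a path appended to the SCIM base URL, which is how the Runscope test in this change builds its request (`{{SCIMBaseURL}}{{EntitlementEndpoint}}`). The `Properties` cell also starts with a stray `<br>`.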