Provisioning Vaccination Status to Envoy using SCIM
Updated over a week ago

Read this article for instructions on how to sync vaccination approval statuses from third-party systems into Envoy. Data syncing will work if your HCM System is connected to your IdP profiles. Envoy can use vaccination status from the IdP synced via SCIM.

We use custom SCIM extensions in Envoy to control features beyond basic Employee provisioning. You may be familiar with how we use SCIM to set an Employee’s department for use as the Neighborhood in the Desks product. That parameter has first-party support in Azure, and then is implemented as an extension in Envoy’s SCIM system. This document is concerned with the opposite case. The new healthDocumentApproved parameter is a custom extension defined in Envoy’s schema, and this documentation outlines how that parameter is configured and provisioned within Okta and Azure.

Provisioning Custom SCIM Attributes in Azure

The tutorial here covers most of what you need to do, with one big gotcha: you must follow this link for the menu options that add new extension parameters to be available:

Once you have clicked that link while logged in, you can then:

  • Go to Enterprise Applications → Your SCIM Application → Provisioning

  • Click on “Edit Attribute Mappings”

  • Under the Mappings section select the mappings for Users

  • At the bottom of the page click “Show Advanced Options”

  • Click “Edit attribute list for Envoy” and this will show you a section where you can add the new healthDocumentApproved mapping as a boolean. There is no dropdown menu since Azure does not populate these fields from the schema. Instead you simply type “healthDocumentApproved” in the box.

  • After this you can return to your User mappings and you will be able to add a new mapping referencing this extension as the target attribute

And that’s it! Once your provisioning runs a sync the attribute will be applied to your Employees in Envoy.

Provisioning Custom SCIM Attributes in Okta

Official Documentation:

The Okta documentation here is a little less directed than the Azure one, but the process below is outlined on the link here:

Once you have logged into the Okta admin dashboard:

  • On the sidebar menu, go to the Applications section and click on “Applications”

  • On this page you should have an Envoy app with status “Active”. Click on it.

  • Within the Envoy app configuration there is a tab titled “Provisioning”. Navigate to it.

  • About halfway down the page you will see “Envoy Attribute Mappings”. Click on the “Go to Profile Editor” button.

  • In the Profile Editor you will see a button that says “Add Attribute”. Click it and a modal will open.

  • Within the Add Attribute menu set:

    • Data type: boolean

    • Display name: Health Document Approved (or any preferred title)

    • Variable name: leave blank for now

    • External name: healthDocumentApproved

    • External namespace: urn:scim:schemas:extension:envoy:protect:1.0:User

    • Description: Add any text here to help other admins know what this is for

    • When done click Save

  • Now back on the Profile Editor click “Mappings”

  • On the menu titled Envoy User Profile Mappings click “Okta User to Envoy”

  • At the bottom of the attribute list on the page you should see the newly created healthDocumentApproved attribute. Configure an expression here to map your vaccination status data to the healthDocumentApproved boolean.

  • Click “Save Mappings” and you are done! Upon the next data sync the data will be set in Envoy.
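The mapping configured in both the Azure and Okta steps above ends up as a boolean under Envoy's extension namespace in the SCIM User resource. The following is an added example, not code from Envoy, Okta or Azure: it maps a source status to the boolean so that anything other than an explicit approval becomes false, and checks that an outbound payload carries a real JSON boolean. It assumes the standard SCIM 2.0 extension layout; the core schema URN, the function names and the HCM status value "approved" are assumptions, and only the Envoy namespace and attribute name come from this article.

```python
import json

# Namespace and attribute name are from the article; everything else is assumed.
ENVOY_NS = "urn:scim:schemas:extension:envoy:protect:1.0:User"
CORE_NS = "urn:ietf:params:scim:schemas:core:2.0:User"  # assumes SCIM 2.0
ATTR = "healthDocumentApproved"
APPROVED_VALUES = {"approved"}  # hypothetical HCM status values


def map_status(source_status):
    """Fail closed: only an explicit approved value maps to True."""
    if not isinstance(source_status, str):
        return False
    return source_status.strip().lower() in APPROVED_VALUES


def build_user(user_name, source_status):
    """Build a SCIM User resource with the Envoy extension attached."""
    return {
        "schemas": [CORE_NS, ENVOY_NS],
        "userName": user_name,
        ENVOY_NS: {ATTR: map_status(source_status)},
    }


def check_payload(payload):
    """Return a list of problems with the extension in an outbound payload."""
    problems = []
    if ENVOY_NS not in payload.get("schemas", []):
        problems.append("extension URN missing from schemas")
    ext = payload.get(ENVOY_NS)
    if not isinstance(ext, dict) or ATTR not in ext:
        problems.append("extension attribute missing")
    elif not isinstance(ext[ATTR], bool):
        # A string such as "false" is truthy in many languages.
        problems.append("value is %s, not a JSON boolean" % type(ext[ATTR]).__name__)
    return problems


if __name__ == "__main__":
    # Constructed sample records, not real data.
    for name, status in [("a@example.com", "Approved"), ("b@example.com", None)]:
        user = build_user(name, status)
        print(json.dumps(user, indent=2), check_payload(user))
    bad = build_user("c@example.com", "pending")
    bad[ENVOY_NS][ATTR] = "false"  # simulates a mapping typed as a string
    print(check_payload(bad))
```

Running the same check against a payload captured from a test sync shows whether a missing or unexpected source value would be provisioned as approved.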
