Update: The issue mentioned below with Okta to IDCS provisioning is fixed. Now we do not need any proxy between Okta and IDCS. The updated step-by-step instructions can be found here.
In the last few months, I ran into several Oracle SaaS and PaaS customers that use both Okta and Identity Cloud Service for various use cases. While working with those customers, I figured that we did not have automated users/groups provisioning supported by Okta.
As I worked on the integration myself, I figured that there is some incompatibility between Okta and IDCS's SCIM implementation for Group membership management. I came up with a solution to put a proxy between Okta and IDCS to fix the group membership updates to address that issue. For the rest of the API calls, the solution would still act as a proxy pass. It is an entirely stateless proxy, so when the issue is resolved, you can remove the proxy and configure Okta to start provisioning to the IDCS endpoint. A couple of proposed proxy implementation diagrams are as below.
The Identity Cloud Service application is already available in Okta Integration Network. The application takes care of Single Sign-On as well. You still have to add Okta as Identity Provider in IDCS. For more details on Single Sign-On configuration, you can refer to one of my previous blogs. Instead of describing the whole solution here, let me link the document that talks about the proxy solution.