Enable Salesforce provisioning

You can upgrade to the latest version of our Salesforce integration that uses OAuth authentication for Provisioning and Imports. This new version is the default version for new orgs. For more information, see Configure OAuth and REST integration.

SOAP/REST integrations: REST functionality creates a complete profile for a user in one operation, while legacy SOAP user creation is a multi-step process. Therefore, all data and data types must be accurate, or user profile creation may not take place. Take particular care with attributes for IDs (such as employeeID, managerID, and so forth). See Object Reference for Salesforce and Lightning Platform for more details and troubleshooting.

To allow user and group data to be shared between Okta and Salesforce, you need to configure the provisioning settings.

Before you begin, make sure that you have the following:

  • A Salesforce account username, password, and token. If you reset the account password in the future, Salesforce provides you with a new token and you'll need to edit the Salesforce provisioning settings.

  • A custom user profile in Salesforce (needed for both REST and SOAP integrations). Once you have created a custom profile in the Salesforce portal, edit the profile's Administrative Permissions to enable the following:

    • API Enabled.

    • Manage Users: Enabling this option automatically enables the following: Assign Permission Sets, Manage Internal Users, Manage IP Addresses, Manage Login Access Policies, Manage Password Policies, Manage Profiles and Permission Sets, Manage Roles, Manage Sharing, Reset User Passwords and Unlock Users, View All Users, View Roles and Role Hierarchy, View Setup and Configuration.

    See also Salesforce Create or Clone Profiles documentation.

    Assign the permissions directly to the profile. Don't add the permissions through permission sets.
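One way to check the profile prerequisite above before entering credentials in Okta, shown as an added example (not Okta's or Salesforce's own code). It assumes query results in the Salesforce REST API's JSON record shape; the function names, profile name, permission set names and records are constructed for illustration, and the IDs in the queries are placeholders.

```python
# Added example: audit the Salesforce API user's grants from SOQL query results.
# Record values below are constructed sample data, not real org output.
REQUIRED = {
    "PermissionsApiEnabled": "API Enabled",
    "PermissionsManageUsers": "Manage Users",
}

# Queries to run as a Salesforce admin; <...> values are placeholders.
PROFILE_SOQL = (
    "SELECT Name, PermissionsApiEnabled, PermissionsManageUsers "
    "FROM Profile WHERE Id = '<PROFILE_ID>'"
)
PERMSET_SOQL = (
    "SELECT PermissionSet.Name, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.PermissionsApiEnabled, PermissionSet.PermissionsManageUsers "
    "FROM PermissionSetAssignment WHERE AssigneeId = '<API_USER_ID>'"
)

def audit_api_user(profile, assignments):
    """Return {label: 'profile' | 'permission-set-only:<names>' | 'missing'}."""
    # Skip the hidden permission set that mirrors the profile itself.
    extra_sets = [a["PermissionSet"] for a in assignments
                  if not a["PermissionSet"].get("IsOwnedByProfile")]
    report = {}
    for field, label in REQUIRED.items():
        if profile.get(field) is True:
            report[label] = "profile"
            continue
        via = sorted(ps["Name"] for ps in extra_sets if ps.get(field) is True)
        report[label] = ("permission-set-only:" + ",".join(via)) if via else "missing"
    return report

def is_ready(report):
    """Prerequisite is met only when every grant sits directly on the profile."""
    return all(status == "profile" for status in report.values())

# Constructed sample: Manage Users was granted through a permission set only.
SAMPLE_PROFILE = {"Name": "Okta Provisioning", "PermissionsApiEnabled": True,
                  "PermissionsManageUsers": False}
SAMPLE_ASSIGNMENTS = [
    {"PermissionSet": {"Name": "X00e_constructed", "IsOwnedByProfile": True,
                       "PermissionsApiEnabled": True, "PermissionsManageUsers": False}},
    {"PermissionSet": {"Name": "User_Admin_Extras", "IsOwnedByProfile": False,
                       "PermissionsApiEnabled": False, "PermissionsManageUsers": True}},
]

if __name__ == "__main__":
    result = audit_api_user(SAMPLE_PROFILE, SAMPLE_ASSIGNMENTS)
    print(result, "ready:", is_ready(result))
```

A `permission-set-only` result means the account can appear to work in Salesforce while still failing the requirement to assign the permissions directly to the profile.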

Configure provisioning

  1. Create an administrator account in Salesforce.
  2. In the Admin Console, go to Applications > Applications.

  3. In the search field, enter Salesforce and click Salesforce.com.
  4. Click the Provisioning tab and click Configure API Integration.
  5. Select the Enable API integration check box.
  6. Choose one of the following options, depending on your configuration.

    • Enter your Admin Credentials. Complete the Username and Password + Token fields. Do not add spaces or other characters between the password and token.
      • To avoid breaking the integration when the password is reset, use a dedicated API account for connecting Okta to Salesforce.
      • Do not enable delegated authentication in Salesforce for the API user specified here.
    • If your instance is configured to use OAuth, enter your OAuth Consumer Key and OAuth Consumer Secret, then click Authentication with Salesforce.com. See Configure OAuth and REST integration for more details.
  7. Optional. Select the Allow Pushing Null Values check box to allow null values to be pushed from Salesforce to Okta.

  8. Optional. Click Test API Credentials to test the API integration.
  9. Click Save.
  10. Optional. To edit the Okta to Salesforce provisioning settings, select To App in the SETTINGS list and then click Edit.
  11. Click Save.

  12. Optional. To edit the Salesforce to Okta provisioning settings, select To Okta in the SETTINGS list and then click Edit.

  13. Click Save.
  14. Assign users to Salesforce. See Assign applications to users.