Workplace for Facebook

This guide provides the steps required to configure Provisioning for Workplace for Facebook.

Features

  • Import new users
  • Import profile updates
  • Import user schema
  • Push new users
  • Push profile updates
  • Push password updates
  • Push user deactivation
  • Push group

Requirements

To enable Provisioning features, you need to first obtain an Organization ID from Facebook.

After you receive your Organization ID, you can create a new Facebook application, as described below.

Configuration

  1. Go to Okta Admin Console > Applications, then click Add Application.
  2. Search for Workplace for Facebook, then click Add.

  3. Under General Settings, enter an Application label, your SubDomain, and Organization ID (see Requirements) values, then click Done.

  4. Go to the Provisioning tab, then click Configure API Integration.

  5. Check Enable API integration, then click Authenticate with Workplace by Facebook.

  6. A new window with your Workplace organization opens. You may be required to enter your Facebook administrator credentials to allow Okta to use the API on your behalf. To do this, click Add to Workplace. Note that the Add Okta Identity to groups option should be set to All groups.

  7. After a series of redirects, your new application is configured. Click Save and close this window with your Facebook org settings.

  8. When the "Workplace for Facebook was verified successfully" message appears, click Save.
  9. Select To App in the left panel, select the provisioning features you want to enable, then click Save.

Schema discovery

Workplace by Facebook supports user schema discovery, so you can add extra attributes to a user's profile. To do that in Okta:

  1. Go to Directory > Profile Editor.
  2. Select the APPS section in the left pane, then find your app in the list.
  3. Check the list of the attributes. If you don't find what you need, click Add Attribute to display a list of extended attributes.
  4. Check the attributes you want to add, then click Save.
  5. You can now import user attribute values from Facebook and push them to Facebook.

Location attribute:

By default, when creating or updating a Facebook user, Okta populates the user Location with comma-separated address properties (street, city, state, etc.). If this behavior doesn’t fit your needs, you can add a Location field to AppUser through Schema Discovery and map it accordingly, as follows:

  1. Click Refresh Attribute List.
  2. Find the Location field in the list of attributes.
  3. Add it to the AppUser profile.
  4. Set up mapping for the Location field from Okta to Workplace by Facebook.

    For example: user.city > location

Limitations

The Workplace Facebook connector can pull the manager/employee relationship from a single AD domain. However, if you use provisioning with Okta into Facebook and pull user data from multiple AD domains, Okta can’t provision users due to the inability to pull these relationships across multiple domains.

Troubleshooting

Set the manager attribute

Configure mapping for the manager attribute according to the table below (See Okta Expression Language for more details):

| Scenario | Manager attribute mapping |
|---|---|
| Don’t push the manager to Facebook at Work | empty |
| Push the manager only for users from Okta | user.manager |
| Push the manager for users imported from AD | getManagerAppUser("active_directory", "facebook_at_work").userName |
| Push the manager for user from Okta and from AD | hasDirectoryUser() ? getManagerAppUser("active_directory", "facebook_at_work").userName : user.manager |

Migrate Push Manager to Okta Expression Language for existing app instances

This is an Early Access feature. To enable it, use the Early Access Feature Manager as described in Manage Early Access and Beta features.

  1. Go to Early Access features and turn on the feature named Enable Okta Expression Language for manager attribute mapping for Facebook at Work. This feature is only available for existing app instances.
  2. Configure mapping for the manager attribute according to the table below (See Okta Expression Language for more details):

| Scenario | Manager attribute mapping |
|---|---|
| Don’t push manager to Facebook at Work | empty |
| Push manager only for users from Okta | user.manager |
| Push manager for users imported from AD | getManagerAppUser("active_directory", "facebook_at_work").userName |
| Push manager for user from Okta and from AD | hasDirectoryUser() ? getManagerAppUser("active_directory", "facebook_at_work").userName : user.manager |

Adding a confirmed member leads to push group error

Error: The user is not a member of the parent group.

  1. Go to Admin panel > People in your Workplace for Facebook account.
  2. Check the Account Status for users in the group. No users should be in a Deactivated state.

Group created but no members listed in the admin panel

  1. Go to Admin panel > People in your Workplace for Facebook account.
  2. Locate your group and click Join as Admin.