Workplace by Facebook

This guide provides the steps required to configure provisioning for Workplace by Facebook.


  • Import new users
  • Import profile updates
  • Import user schema
  • Push new users
  • Push profile updates
  • Push password updates
  • Push user deactivation
  • Push group


To enable provisioning features, you need to first obtain an Organization ID from Facebook.

After you receive your Organization ID, you can create and configure a Workplace by Facebook application.


  1. In the Admin Console, go to Applications > Applications.
  2. Click Add Application.
  3. Search for Workplace by Facebook, and then click Add.
  4. Under General Settings, enter an Application label, your SubDomain, and Organization ID (see Requirements) values, then click Done.
  5. Go to the Provisioning tab, then click Configure API Integration.
  6. Check Enable API integration, then click Authenticate with Workplace by Facebook.
  7. A new window with your Workplace organization opens. You may be required to enter your Facebook administrator credentials to allow Okta to use the API on your behalf. To do this, click Add to Workplace. Select All groups for the Add Okta Identity to groups option.
  8. After a series of redirects, your new application is configured. Click Save and close this window with your Facebook org settings.
  9. When a message appears stating that Workplace by Facebook was verified successfully, click Save.
  10. Select To App in the left panel, select the provisioning features you want to enable, then click Save.

Schema discovery

Workplace by Facebook supports Schema Discovery for users, so you can add extra attributes to a user's profile. To do that in Okta:

  1. In the Admin Console, go to Directory > Profile Editor.

  2. Select the Apps section in the left pane, then find your app in the list.
  3. Check the list of the attributes. If you don't find what you need, click Add Attribute to display a list of extended attributes.
  4. Select the attributes that you want to add, and then click Save.
  5. You're now able to import and push user attribute values from or to Facebook.

Location attribute:

By default, when creating or updating a Facebook user, Okta populates the user Location with comma-separated address properties (street, city, state, and so on). If this behavior doesn't fit your needs, you can add a Location field to AppUser through Schema Discovery and map it, similar to the following example:

  1. Click Refresh Attribute List.
  2. Find the Location field in the list of attributes.
  3. Add it to the AppUser profile.
  4. Set up mapping for the Location field from Okta to Workplace by Facebook.

    For example: > location


The Workplace Facebook connector pulls the manager/employee relationship from a single AD domain. If you use provisioning with Okta into Facebook and pull user data from multiple AD domains, Okta can't provision users since these relationships can't be pulled across multiple domains.


Set the manager attribute

Configure mapping for the manager attribute according to the following table (See Okta Expression Language for more details):

| Scenario | Manager attribute mapping |
| --- | --- |
| Don't push the manager to Workplace by Facebook | empty |
| Push the manager only for users from Okta | user.manager |
| Push the manager for users imported from AD | getManagerAppUser("active_directory", "facebook_at_work").userName |
| Push the manager for users from Okta and from AD | hasDirectoryUser() ? getManagerAppUser("active_directory", "facebook_at_work").userName : user.manager |

Adding a confirmed member leads to push group error

Error: The user isn't a member of the parent group.

  1. Go to Admin panel > People in your Workplace by Facebook account.
  2. Check the Account Status for users in the group. No users should be in a Deactivated state.
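
For a large group, the check in step 2 can be scripted before you push. The following is an added example, not Okta or Workplace code: it assumes you have a SCIM-style JSON listing of Workplace users in which the Deactivated status appears as `active: false`, and the sample data and function names are constructed for illustration. It also reports group members that are not found in the listing.

```python
import json

# Constructed sample: a SCIM-style listing of Workplace users (assumed export format).
SAMPLE_USERS_JSON = """
{
  "Resources": [
    {"userName": "alice@example.com", "active": true},
    {"userName": "bob@example.com", "active": false},
    {"userName": "Carol@example.com", "active": true}
  ]
}
"""

# Constructed sample: members of the Okta group that is about to be pushed.
SAMPLE_GROUP_MEMBERS = ["alice@example.com", "bob@example.com",
                        "carol@example.com", "dave@example.com"]


def index_users(scim_json):
    """Map lower-cased userName -> active flag from a SCIM-style user listing."""
    status = {}
    for res in json.loads(scim_json).get("Resources", []):
        name = res.get("userName")
        if name:
            # A missing "active" attribute counts as not active, so it gets reviewed.
            status[name.lower()] = res.get("active") is True
    return status


def check_group(members, status):
    """Split group members into ok, deactivated, and missing from the listing."""
    report = {"ok": [], "deactivated": [], "missing": []}
    for member in members:
        key = member.lower()  # user names are compared case-insensitively
        if key not in status:
            report["missing"].append(member)
        elif status[key]:
            report["ok"].append(member)
        else:
            report["deactivated"].append(member)
    return report


if __name__ == "__main__":
    result = check_group(SAMPLE_GROUP_MEMBERS, index_users(SAMPLE_USERS_JSON))
    for state in ("deactivated", "missing"):
        for member in result[state]:
            print(f"{state}: {member}")
```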

Group created but no members listed in the admin panel

  1. Go to Admin panel > People in your Workplace by Facebook account.
  2. Locate your group and click Join as Admin.