About profile sourcing
A profile source is an application that acts as the source of truth for user identities. Once enabled from the Provisioning tab of the app or directory, it appears in the profile source list on the Profile Sources page. If an external profile source is not identified, Okta is the source for all profiles.
If more than one profile source is listed on the Profile Sources page, you can prioritize them so that user profile attributes can be sourced by different systems, based on their assignments. At any given time, there can only be one profile source for a user's profile.
Profile sources are powerful tools that can help you manage a user's entire life cycle (creation, updates, and deactivation). For example, use Workday as a profile source to send user creation, updates, and termination events from Workday to Okta.
Here are some of the apps and directories that allow profile sourcing:
- Active Directory
- G Suite
- Namely (built by ISV)
Enable Profile Source and Update User Attributes
Enabling Profile Source and Update User Attributes for the same application lets you push Okta to App profile mappings to the highest priority profile source. This is beneficial when you want to sync attributes such as an email address and phone number from downstream applications back to the profile source. However, you may lose data if an app that designated as a profile source can also receive profile updates from Okta.
Before you enable Profile Source and Update User Attributes for the same app, consider the following:
- Unwanted profile pushes - Okta updates can overwrite the values of unmapped attributes in an app, even if that app is the highest priority profile source. For example, if the cn attribute is not mapped from Active Directory to Okta, and you've configured Active Directory for Profile Source and Update User Attributes, - Okta applies default mapping to cn.
- Overwritten IdP-sourced attributes - Okta to app updates can overwrite attributes that are sourced by another identity source. There's no partial push option.
- Race conditions - Okta can overwrite an updated attribute in an identity source before other updates are pushed back to - Okta. For example, consider a scenario in which a user's first name and last name are imported into Okta from a directory, but the user's email address is imported into Okta from an app. If the user's last name changes in the directory before the applicable email address update is made in the app, - Okta could push the new name and the old email address.
Rules for incoming imports
Using a profile source necessitates a clear distinction between new imported users and updates to current Okta users. Okta uses matching rules to maintain a link between the profile source and Okta to prevent conflicts. See User Creation & Matching in Provisioning and Deprovisioning.
Profile sourcing and the user life cycle
The flow of a user's identity throughout the different cycles of access (creation, update, and removal of access to resources) is known as a user’s life cycle. A profile sourcer can determine the beginning or end of this cycle, and is enabled within the provisioning and import space.
A Super Admin can't be deactivated through an import operation.