Workplace by Facebook
This guide provides the steps required to configure provisioning for Workplace by Facebook.
- Import new users
- Import profile updates
- Import user schema
- Push new users
- Push profile updates
- Push password updates
- Push user deactivation
- Push group
To enable provisioning features, you need to first obtain an Organization ID from Facebook.
After you receive your Organization ID, you can create and configure a Workplace by Facebook application.
- In the Admin Console, go to .
- Click Add Application.
- Search for Workplace by Facebook, and then click Add.
- Under General Settings, enter an Application label, your SubDomain, and Organization ID (see Requirements) values, then click Done.
- Go to the Provisioning tab, then click Configure API Integration.
- Check Enable API integration, then click Authenticate with Workplace by Facebook.
- A new window with your Workplace organization opens. You may be required to enter your Facebook administrator credentials to allow Okta to use the API on your behalf. To do this, click Add to Workplace. Select All groups for the Add Okta Identity to groups option.
- After a series of redirects, your new application is configured. Click Save and close this window with your Facebook org settings.
- When a message appears stating that the Workplace by Facebook was verified successfully, click Save.
- Select To App in the left panel, then select the provisioning features you want to enable, then click Save:
Workplace by Facebook supports User's Schema Discovery, so that you can add extra attributes to a user's profile. To do that in Okta:
In the Admin Console, go to .
- Select the Apps section in the left pane, then find your app in the list.
- Check the list of the attributes. If you don't find what you need, click Add Attribute to display a list of extended attributes.
- Select the attributes that you want to add, and then click Save.
- You're now able to import and push user attribute values from or to Facebook.
By default, when creating or updating a Facebook user, Okta populates the user Location with comma-separated address properties (street, city, state, and so on). If this behavior doesn't fit your needs, you can add a Location field to AppUser through Schema Discovery and map it, similar to the following example:
- Click Refresh Attribute List.
- Find the Location field in the list of attributes.
- Add it to the AppUser profile.
- Set up mapping for the Location field from Okta to Workplace by Facebook.
For example: user.city > location
The Workplace Facebook connector pulls the manager/employee relationship from a single AD domain. If you use provisioning with Okta into Facebook and pull user data from multiple AD domains, Okta can't provision users since these relationships can't be pulled across multiple domains.
Set the manager attribute
Configure mapping for the manager attribute according to the following table (See Okta Expression Language for more details):
|Manager attribute mapping
|Don't push the manager to Workplace by Facebook
|Push the manager only for users from Okta
|Push the manager for users imported from AD
|Push the manager for user from Okta and from AD
|hasDirectoryUser() ? getManagerAppUser("active_directory", "facebook_at_work").userName : user.manager
Adding a confirmed member leads to push group error
Error: The user isn't a member of the parent group.
- Go to Workplace by Facebook account. in your
- Check the Account Status for users in the group. No users should be in a Deactivated state.