Provisioning and Deprovisioning
Provisioning features include the provisioning of accounts for new users, deprovisioning accounts for deactivated users, and synchronizing user attributes across multiple directories. Okta’s provisioning features enable you to manage user accounts automatically within applications. This saves time and ensures that your users' access privileges are up to date. Provisioning and deprovisioning are bi-directional, so accounts can be created inside an application and imported into Okta or added to Okta and then pushed to corresponding applications. Centralization into Okta provides your users with a single access point so they don't have to remember multiple usernames and passwords.
Using provisioning allows for some powerful advantages such as
- Bulk user import (from several sources)
- The ability to natively create, read, and update users in Okta
- Password synchronization / password push (across multiple directories)
Provisioning provides the following primary features:
- Account management – Use Okta to create and assign user names, profiles, and permissions and binding your users' accounts to a single corporate user ID and password.
- Importing users – You can import users from Active Directory (AD), LDAP, or certain apps. You can configure Okta to continuously push user profiles to ensure that your system has the latest updates.
- Configuring rules and workflows – You can require specific passwords, synchronize and import groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. from applications, and automatically deprovision users in Okta, AD, or LDAP.
- Reports – You can generate reports and audit trails to help you ensure efficient account usage.
For integrations, Okta supports OAuth 2.0-based authentication and the SCIM standard. If an application supports lesser known standards such as SCIM or SPML, Okta can leverage those as well. Similar to its SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. access features, Okta connects to these APIs for you. You can configure Okta with credentials for your API user and select the features you want. Everything else is handled by Okta, including continuous automated testing and updates.
On-premises applications can also be integrated into Okta to enable provisioning. This can be done in one of two ways: leveraging Active Directory (AD) or using web services to manage user accounts in applications:
- For enterprises that on-board users using a Human Resource Management System (HRMS) like Workday, Okta provisions and deprovisions users into on-premises applications by using AD as a meeting point. You can configure Okta to manage accounts in your AD instance, and Okta will create and update users in AD based on user accounts in Workday. This information can then be used by any on-premises web appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. that uses AD as its user store.
- Okta supports provisioning and deprovisioning for any on-premises web app that has a web services API that is available to Okta using a publicly addressable connection. Okta makes calls to that app's web service to create new user accounts, update attributes, and deactivate users as needed based on the user assignment rules configured in Okta.
Okta provides several provisioning methods:
- AD integration – Use Okta's lightweight, on-premises Active Directory agent to synchronize with your AD configuration. You can set up real-time synchronization and just-in-time (JIT) provisioning to ensure that you always have the latest user profiles and do not have to wait for scheduled imports.
- LDAP integration – Okta provides integration with several popular LDAP vendors using a lightweight agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.. Okta's LDAP agent provides real-time synchronization and JIT provisioning, similar to its AD agent.
- HR-driven IT – Okta provides automated provisioning from HR (for example, Workday). This type of provisioning is useful for companies that want to use their HR systems as their main user store. AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.
All provisioning options are located on the Provisioning tab for apps and the Settings tab for directories.
- From the Okta Dashboard, go to the Applications menu and scroll down to Applications.
- From the Applications page, select the desired app.
- Select the Provisioning tab on the app's page.
- From the Settings column on the left side of the screen, choose from the three possible configurations of Okta provisioning: To App, To Okta, and API Integration.
For details on enabling each option, see Profile Master and User Life Cycle Management below.
Enhanced Provisioning for Specific Apps
App-specific provisioning guides are accessible from the Okta Provisioning tab in the product.
Note: Some third party application APIs can trigger an import of that application's groups to Okta when the API is configured. This is expected behavior.
After provisioning has been enabled, the flow of a user's identity throughout its different stages is known as a user’s life cycle. A profile masterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see the Profile Master page. When users are mastered by attribute, we call this attribute-level mastery (ALM). ALM delivers finer grain control over how profiles are mastered by allowing admins to specify different profile masters for individual attributes. Profile mastering only applies to Okta user profiles, not app user profiles. For more details, see Attribute Level Mastering. can be the "source" app from which users are imported or the target app to which attributes are sent.
There are three possible configurations of Okta provisioning: To App, To Okta, and API Integration, each of which are accessed under Settings on the left of the screen, as shown below.
This screen contains settings for all information that flows from Okta into the app. Not every feature in the following list is available for every app.
- Create Users
- Update User Attributes
- Deactivate Users
- Exclude Username Updates
- Sync Password
- Profile Attribute Mappings
Assigns a new app account to each user managed by Okta. Okta does not create a new account if it detects that the username specified in Okta already exists in the app. The user's Okta username is assigned by default.
Updates the profiles of users assigned to that app and syncs those changes to downstream apps. Profile changes made in the app are overwritten with their respective Okta profile values.
Okta automatically deactivates user accounts when they are unassigned in Okta or their Okta accounts are deactivated. Okta also reactivates the app account if it is reassigned to a user in Okta.
Disallows the downstream applicationIn the context of Okta provisioning, a downstream app is one that is receiving data from Okta. profile from overwriting the Okta user profile when using the profile push feature.
Ensures users' app passwords are always the same as their Okta passwords or allows Okta to generate a unique password for the user. For more details, see Using Sync Password.
Use this portion of the page to edit attributes and mappings in the Profile Editor.
This screen contains settings for all information that flows from the app to Okta. Click the adjacent Edit buttons to make changes in the following sections.
- User Creation & Matching
- Profile & Lifestyle Mastering
- Inline Hooks
- Okta Attribute Mappings
Use this section to schedule imports and dictate a username format that Okta will use for imported users. You can also define a percentage of acceptable app assignments before the Import safeguard feature is automatically triggered. If the Okta username is overridden due to mapping from a provisioning-enabled app, the custom mapping appears here.
Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.
Imported user is an exact match to Okta user if: the match criteria that establishes whether an imported user exactly matches an existing Okta user.
Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.
Allow partial matches: Partial matching occurs when the first and last name of an imported user match those of an existing Okta user, but the user’s username and/or email address do not.
Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches are confirmed manually.
Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply for users who already exist in Okta.
Use this section to allow the current app to profile master Okta users. Once enabled, the app appears in the list of profile masters on the Profile Masters page.
Allow <app> to master Okta users: Determine what happens when a user is deactivated or reactivated in an app.
Remember that only the highest priority profile master for that Okta user can deactivate or suspend an Okta user. To verify the highest priority profile master, review the Profile Masters page.
When a user is deactivated in the app: Choose to deactivate, suspend, or do nothing. Do nothing prevents activity in the app from controlling the user cycle, but still allows profile master control of attributes and mappings.
When a user is reactivated in the app: Choose whether reactivation in the app applies to suspended or deactivated Okta users. When a user is reactivated in the app, the user profile must be an exact match to the Okta profile for the reactivation to also occur in Okta. Otherwise, after importing the reactivated users, they appear in Pending Activation state.
Use this section to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in profile attributes and control whether imported users are treated as matches for existing users. To enable an import inline hook, see the Inline Hooks page.
Use this portion of the page to edit attributes and mappings in the Profile Editor.
Some apps require a token to authenticate against their API. Click the Authenticate with App Name button to generate a token. You are redirected to the app where you must authenticate to obtain your token.
Okta's deprovisioning features ensure that people who are no longer with your company do not have access to sensitive applications and documentation. Deprovisioning is also important for compliance reasons and to help you maintain an accurate usage count for your applications.
You can deprovision users in Okta or AD. Users are automatically deprovisioned from supported apps. Admins receive an email describing any apps that require them to manually deprovision users.