Provisioning in applications
Okta’s provisioning features enable you to manage user accounts automatically, saving time and ensuring that your users' access privileges are up to date.
Provisioning features include the ability to create, read, and update users in Okta, create accounts for new users, deprovision accounts for deactivated users, and synchronize user attributes across multiple directories.
Provisioning and deprovisioning are bi-directional, so accounts can be created inside an application and imported into Okta or added to Okta and then pushed to required applications.
For a full discussion of provisioning, including concept information and workflows, see Get started with Okta Lifecycle Management.
Advantages of provisioning include:
- Account management – Use Okta to create and assign user names, profiles, and permissions, and bind your users' accounts to a single corporate user ID and password.
- Importing users – You can import users from Active Directory (AD), LDAP, or certain apps. You can configure Okta to continuously push user profiles to ensure that your system has the latest updates, or do a bulk user import.
- Configuring rules and workflows – You can require specific password rules, synchronize and import groups from applications, and automatically deprovision users in Okta, AD, or LDAP.
- Reports – You can generate reports and audit trails to help you ensure efficient account usage.
For integrations between Okta and cloud applications, Okta supports OAuth 2.0-based authentication and the SCIM standard. If an application supports a lesser-known standard such as SPML, Okta can leverage that as well.
Similar to its Single Sign-On (SSO) access features, Okta can set up and connect to these APIs. You configure Okta with credentials for your API user and select the features you want. Everything else is handled by Okta, including continuous automated testing and updates.
Okta provides several provisioning methods:
- AD integration – Okta provides a lightweight, on-premises Active Directory integration to synchronize with your AD configuration. You can set up real-time synchronization and just-in-time (JIT) provisioning to ensure that you always have the latest user profiles and do not have to wait for scheduled imports.
- LDAP integration – Okta provides integration with several popular LDAP vendors using a lightweight agent. The LDAP integration provides real-time synchronization and JIT provisioning, similar to the AD agent.
- HR-driven IT – Okta provides automated provisioning from HR systems (for example, Workday). This type of provisioning is useful for companies that want to use their HR system as their main user store; AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient onboarding.
All provisioning options are located on the Provisioning tab for apps and the Settings tab for directories. App-specific provisioning guides are accessible from the Okta Provisioning tab in the product.
On-premises applications can also be integrated with Okta to enable provisioning. This can be done in one of two ways: leveraging Active Directory (AD) or using web services to manage user accounts in applications:
- For enterprises that onboard users using a Human Resource Management System (HRMS) like Workday, Okta provisions and deprovisions users into on-premises applications by using AD as a meeting point. You can configure Okta to manage accounts in your AD instance, and Okta will create and update users in AD based on user accounts in Workday. This information can then be used by any on-premises web app that uses AD as its user store.
- Okta supports provisioning and deprovisioning for any on-premises web app that has a web services API that is available to Okta using a publicly addressable connection. Okta makes calls to that app's web service to create new user accounts, update attributes, and deactivate users as needed, based on the user assignment rules configured in Okta.
Okta's deprovisioning features ensure that people who are no longer with your company do not have access to sensitive applications and documentation. Deprovisioning is also important for compliance reasons and to help you maintain an accurate usage count for your applications.
You can deprovision users in Okta or in AD. For supported apps, users are automatically deprovisioned. Admins receive an email describing any apps that require them to manually deprovision users.
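The SCIM support mentioned above and the create, update, and deactivate calls Okta makes against an app's web service can be seen from the application's side with a small model of the provisioning target. The following is an added illustration, not Okta's code and not any real app's API: an in-memory store that accepts SCIM 2.0-shaped messages (RFC 7643/7644) for creating a user, looking a user up by userName before creation, and deactivating a user through a PATCH that sets `active` to false. The bearer token, user names, and e-mail addresses are constructed placeholders. Deactivation keeps the record rather than deleting it, which is what keeps the audit trail and the active-user count the deprovisioning paragraph cares about accurate.

```python
"""Minimal SCIM 2.0-style user store acting as a provisioning target.

Added illustration (not Okta's code, not any app's real API). Models the
operations an identity provider performs against an app's user-management
web service: create, update attributes, and deactivate. Everything here is
in memory and the API credential is a constructed placeholder.
"""
import secrets
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed credential the identity provider would be configured with.
API_BEARER_TOKEN = "example-token-not-real"

# Attributes an identity provider is allowed to replace through PATCH.
PATCHABLE = ("active", "name", "emails", "userName")


class ScimError(Exception):
    """Carries the HTTP status an HTTP front end would return."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status
        self.detail = detail


def _as_bool(value):
    # SCIM clients send JSON booleans, but "true"/"false" strings do appear;
    # bool("false") would be True, so normalise explicitly.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(400, f"active must be boolean, got {value!r}")


class UserStore:
    """In-memory SCIM user resources keyed by a server-generated id."""

    def __init__(self):
        self._users = {}

    def _authorize(self, auth_header):
        # Every call must present the configured API credential; compare in
        # constant time so a timing side channel does not leak token bytes.
        expected = f"Bearer {API_BEARER_TOKEN}".encode()
        if auth_header is None or not secrets.compare_digest(auth_header.encode(), expected):
            raise ScimError(401, "invalid or missing bearer token")

    def find_by_username(self, auth_header, user_name):
        """GET /Users?filter=userName eq "<name>": the pre-create lookup."""
        self._authorize(auth_header)
        for user in self._users.values():
            if user["userName"].lower() == user_name.lower():
                return user
        return None

    def get_user(self, auth_header, user_id):
        """GET /Users/{id}: deactivated users remain readable."""
        self._authorize(auth_header)
        user = self._users.get(user_id)
        if user is None:
            raise ScimError(404, "user not found")
        return user

    def create_user(self, auth_header, body):
        """POST /Users: userName is required and must be unique (409 otherwise)."""
        self._authorize(auth_header)
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            raise ScimError(400, "core User schema and userName are required")
        if self.find_by_username(auth_header, body["userName"]) is not None:
            raise ScimError(409, "userName already exists")
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": body["userName"],
            "name": dict(body.get("name", {})),
            "emails": list(body.get("emails", [])),
            "active": _as_bool(body.get("active", True)),
        }
        self._users[user["id"]] = user
        return user

    def patch_user(self, auth_header, user_id, body):
        """PATCH /Users/{id}: apply replace operations, with or without a path."""
        user = self.get_user(auth_header, user_id)
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ScimError(400, "PatchOp schema is required")
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                raise ScimError(400, f"unsupported op {op.get('op')!r}")
            path = op.get("path")
            # A replace without a path carries a partial resource as its value.
            changes = {path: op.get("value")} if path else op.get("value", {})
            if not isinstance(changes, dict):
                raise ScimError(400, "replace without path needs an object value")
            for attr, value in changes.items():
                if attr not in PATCHABLE:
                    raise ScimError(400, f"attribute {attr!r} is not patchable")
                if attr == "active":
                    # Deactivation is a state change, not a delete: the record
                    # stays for audit and the user simply cannot sign in.
                    user["active"] = _as_bool(value)
                elif attr == "userName":
                    other = self.find_by_username(auth_header, value)
                    if other is not None and other["id"] != user_id:
                        raise ScimError(409, "userName already exists")
                    user["userName"] = value
                else:
                    user[attr] = value
        return user

    def count_active(self, auth_header):
        """Active-user count, the figure licence and usage reports rely on."""
        self._authorize(auth_header)
        return sum(1 for u in self._users.values() if u["active"])
```

The userName lookup is case-insensitive and the userName uniqueness check runs on both create and rename, so a second account can never be provisioned (or renamed) over an existing identity; the 401 on a bad credential and the 409 on collision are the two responses worth alerting on from the application side, since a burst of either usually means a misconfigured or unexpected client.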