Provisioning and Deprovisioning
Provisioning features include the provisioning of accounts for new usersIn Okta literature, we generally refer to "users" as the people who serve as Okta administrators. When we refer to "end users" we are generally referring to the people who the administrators serve. That is, those who use Okta chiclets to access their apps, but have no administrative control., deprovisioning accounts for deactivated users, and synchronizing user attributes across multiple directories. Okta’s provisioning features enable you to manage user accounts automatically within applications. This saves time and ensures that your users' access privileges are up to date. Provisioning and deprovisioning are bi-directional, so accounts can be created inside an application and imported into Okta or added to Okta and then pushed to corresponding applications. Centralization into Okta provides your users with a single access point so they don't have to remember multiple usernames and passwords.
Using provisioning allows for some powerful advantages such as
- Bulk user import (from several sources)
- The ability to natively create, read, and update users in Okta
- Password synchronization / password push (across multiple directories)
Provisioning provides the following primary features:
- Account management – Use Okta to create and assign user names, profiles, and permissions and binding your users' accounts to a single corporate user ID and password.
- Importing users – You can import users from Active Directory (AD), LDAP, or certain apps. You can configure Okta to continuously push user profiles to ensure that your system has the latest updates.
- Configuring rules and workflows – You can require specific passwords, synchronize and import groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. from applications, and automatically deprovision users in Okta, AD, or LDAP.
- Reports – You can generate reports and audit trails to help you ensure efficient account usage.
For integrations, Okta supports OAuth 2.0-based authentication and the SCIM standard. If an application supports lesser known standards such as SCIM or SPML, Okta can leverage those as well. Similar to its SSOAn acronym for single sign-on. In a SSO system, a user logs in once to the system and can access multiple systems without being prompted to sign in for each one. Okta is a cloud-based SSO platform that allows users to enter one name and password to access multiple applications. Users can access all of their web applications, both behind the firewall and in the cloud, with a single sign in. Okta provides a seamless experience across PCs, laptops, tablets, and smartphones. access features, Okta connects to these APIs for you. You can configure Okta with credentials for your API user and select the features you want. Everything else is handled by Okta, including continuous automated testing and updates.
On-premises applications can also be integrated into Okta to enable provisioning. This can be done in one of two ways: leveraging Active Directory (AD) or using web services to manage user accounts in applications:
- For enterprises that on-board users using a Human Resource Management System (HRMS) like Workday, Okta provisions and deprovisions users into on-premises applications by using AD as a meeting point. You can configure Okta to manage accounts in your AD instance, and Okta will create and update users in AD based on user accounts in Workday. This information can then be used by any on-premises web appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. that uses AD as its user store.
- Okta supports provisioning and deprovisioning for any on-premises web app that has a web services API that is available to Okta using a publicly addressable connection. Okta makes calls to that app's web service to create new user accounts, update attributes, and deactivate users as needed based on the user assignment rules configured in Okta.
Okta provides several provisioning methods:
- AD integration – Use Okta's lightweight, on-premises Active Directory agent to synchronize with your AD configuration. You can set up real-time synchronization and just-in-time (JIT) provisioning to ensure that you always have the latest user profiles and do not have to wait for scheduled imports.
- LDAP integration – Okta provides integration with several popular LDAP vendors using a lightweight agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations.. Okta's LDAP agent provides real-time synchronization and JIT provisioning, similar to its AD agent.
- HR-driven IT – Okta provides automated provisioning from HR (for example, Workday). This type of provisioning is useful for companies that want to use their HR systems as their main user store. AD becomes a downstream provisioning target. This feature provides ongoing profile synchronization and ensures efficient on-boarding.
All provisioning options are located on the Provisioning tab for apps and the Settings tab for directories.
- From the Okta Dashboard, go to the Applications menu and scroll down to Applications.
- From the Applications page, select the desired app.
- Select the Provisioning tab on the app's page.
- From the Settings column on the left side of the screen, choose from the three possible configurations of Okta provisioning: To App, To Okta, and API Integration.
For details on enabling each option, see Profile Master and User Life Cycle Management below.
Enhanced Provisioning for Specific Apps
We provide some app-specific provisioning guides that are accessible from the Okta Provisioning tab, in product.
After provisioning has been enabled, the flow of a user's identity throughout it's different stages is known as a user’s life cycle. A profile masterA profile master is an application (usually a directory service such as Active Directory, or human capital management system such as Workday) that acts as a source of truth for user profile attributes. A user can only be mastered by a single application or directory at any one time. For more details, see Using the Okta People Page. can be the "source" app from which users are imported or the target app to which attributes are sent.
There are three possible configurations of Okta provisioning: To App, To Okta, and API Integration, each of which are accessed under Settings on the left of the screen, as shown below.
This screen contains settings for all information that flows from Okta into the app. Not every feature in the following list is available for every app.
Assigns a new app account to each user managed by Okta. Okta does not create a new account if it detects that the username specified in Okta already exists in the app. The user's Okta username is assigned by default.
Update User Attributes
Okta updates users' profiles when the app is assigned. Profile changes made in the app are overwritten with their respective Okta profile values.
Okta automatically deactivates user accounts when they are unassigned in Okta or their Okta accounts are deactivated. Okta also reactivates the app account if it is reassigned to a user in Okta.
Exclude username updates
Disallows the downstream applicationIn the context of Okta provisioning, a downstream app is one that is receiving data from Okta. profile from overwriting the Okta user profile when using the profile push feature.
Ensures users' app passwords are always the same as their Okta passwords or allows Okta to generate a unique password for the user. For more details, see Sync Password.
Profile Attribute Mappings
Use this portion of the page to edit attributes and mappings in the Profile Editor.
This screen contains settings for all information that flows from the app to Okta. Click the adjacent Edit buttons to make changes in the following sections.
Use this section to schedule imports and dictate a username format that Okta will use for imported users. You can also define a percentage of acceptable app assignments before the Import Safeguard feature is automatically triggered.
If the Okta username is overridden due to mapping from a provisioning-enabled app, the custom mapping appears here.
Matching rules are used in the import of users from all apps and directories that allow importing. Establishing matching criteria allows you to specify how an imported user should be defined as a new user or mapped to an existing Okta user.
Imported user is an exact match to Okta user if: the match criteria that establishes whether an imported user exactly matches an existing Okta user. Choose any combination from the list of options to establish your criteria. For the new imported user to be considered an exact match, each option that you select must be true. Note that if you choose the third option, the first and second choices are disabled.
Allow partial matches: Partial matching occurs when the first and last name of an imported user matches that of an existing Okta user, but the user’s username or/and email address do not.
Confirm matched users: Select to automate the confirmation or activation of existing users. Unchecked, matches are confirmed manually.
Confirm new users: Select to automate the confirmation or activation of a newly imported user. If this option is selected, you can uncheck it during import confirmation. Note that this feature does not apply for users who already exist in Okta.
Use this section to allow the current app to profile master Okta users. Once enabled, the app appears in the list of profile masters on the Profile Masters page.
Click the Allow <app> to master Okta users button to enable mastery and view the following. This section allows you to determine what happens when a user is deactivated in an app: should they be deactivated, suspended or remain an active user is Okta?
In any case, only the highest priority profile master for that Okta user can deactivate or suspend an Okta user. To verify the highest priority profile master, review the Profile Masters page.
When a user is deactivated in the app
Choose Do Nothing to prevent activity in the app from controlling the user life cycle. This still allows profile master control of attributes and mappings. Otherwise, you can choose between deactivating or suspending the user.
When a user is reactivated in the app
- Reactivate suspended users: Allows an adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. to choose if a suspended Okta user should be reactivated when they have been reactivated in the app.
- Reactivate deactivated users: Allows an admin to choose if a deactivated Okta user should be reactivated when they have been reactivated in the app.
Okta Attribute Mappings
Use this portion of the page to edit attributes and mappings in the Profile Editor.
Some apps require a token to authenticate against their API. Click the Authenticate with App Name button to generate a token. You are redirected to the app where you must authenticate to obtain your token.
Okta's deprovisioning features ensure that people who are no longer with your company do not have access to sensitive applications and documentation. Deprovisioning is also important for compliance reasons and to help you maintain an accurate usage count for your applications.
You can deprovision users in Okta or AD. Users are automatically deprovisioned from supported apps. Admins receive an email describing any apps that require them to manually deprovision users.