Although Universal Directory (UD) maintains a single source of truth for attributes and users, additional types of mappings can be set in the ProvisioningProvisioning is the enterprise-wide configuration, deployment, and management of multiple types of IT system resources. Specifically, provisioning provides users access to equipment, software, or services. This involves creating, maintaining and deactivating required business process automation objects and attributes in systems, directories, and applications. tab of each provisioning-enabled appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in., enhancing the mapping functionality provided in the Profile Editor. Application-based attribute mapping contains the following enhancements:
- Individual mapping – map a single attribute in its own window.
- Support for fixed-list attributes – use a menu or list to map a fixed-list attribute.
- A sample value appears automatically – when you view or make a change to a mapping, the value for the current user displays automatically in the Okta to app direction; the value for the first app user displays automatically in the app to Okta direction.
- Warnings – warnings appear when required fields are not mapped.
- The fields are sorted – required and mapped fields are shown above optional fields that are not mapped.
Access and Use
Application-based attribute mapping provides convenient access from within each app by providing a Force Sync button that immediately applies the mappings, delete and edit buttons for each attribute, and a link to the Profile Editor in case full access is needed.
Attribute mapping appears on the provisioning screen for all provisioning-enabled apps.
- Select Applications from the Dashboard.
- Add or select a provisioning-enabled app.
- Select the Provisioning tab.
- Scroll down to the bottom of the provisioning window to view the Attribute Mappings panel.
There is a link at the bottom of the list to show or hide unmapped attributes, as unmapped attributes are not shown. Required unmapped attributes are still displayed.
The two buttons at the top of the list apply to all attributes.
- Go to Profile Editor opens the standard profile editor for the selected app.
- Force Sync begins synchronization between the app and Okta immediately.
The two icons next to each field apply to that field only.
- The pencil icon opens the edit screen for that attribute.
- The X icon deletes mapping for that attribute.
Attribute Mappings allow 10 data types:
- string: a chain of zero or more unicode characters (letters, digits, and/or punctuation marks)
- number: floating-point decimal in Java's 64-bit Double format.
- boolean: stores true, false, or null data values
- integer: whole numbers in 64-bit Java's Long format
- reference: strings whose values belong within a specific set, defined by the application
- array of string: sequential collection of strings
- array of number: sequential collection of numbers
- array of integer: sequential collection of integers
- array of reference: sequential collection of reference strings
- enum: Defines an enumerated list of values, and supports all data types except boolean. This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, please contact Okta Support.
When defining mappings that use reference or enum data types, ensure that the evaluated values are within the sets defined by the assigned app. Application assignments fail when these values do not match.
When you click the pencil icon within each attribute, the attribute editor appears. There is a choice to either create the mapping, or to create and update it. Note that the mapped value for the attribute below is shown for the current user, but you can change the user to any other user in your orgThe Okta container that represents a real-world organization. for whom the app is assigned.
When assigning apps on the Applications page, you can override these mapped values for individual users; however, once this action is taken, there is no accessible way to recover default values.
Note: For information on recovery from individual overrides, see Attribute Mapping Overrides below.
There are three mapping choices for each attribute shown in the first drop-down field.
- Same value for all users – all users have the value entered into the text field.
- Map from Okta Profile – map this field to a field in the Okta profile selected from the next drop-down list.
- Expression – Use the Okta Expression Language to define the mapping.
Attribute Mapping Overrides
This is an Early Access feature. To enable it, please contact Okta Support.
Attribute overrides for defined mappings can be specified during individual or group assignments, allowing for fine-grained entitlement management if the overridden attributes are used for entitlements. This feature also displays default expressions and simplifies overrides with an Override button.
Revert to a Default Value
It is possible to recover default value information from values that were overridden for an individual user. To do so, simply click the Reset button in the assignments view, as shown below.
View Default Group Expressions
Default expressions are clearly displayed, as shown within a groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. assignment below, but you can easily override this default with the Override button.